Configuring PACLs
The following example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all
TCP traffic and implicitly deny all other IP traffic:
Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# end
The following example shows how to configure the Extended Named MACL simple-mac-acl to permit
source host 0000.0000.0011 (MAC addresses must be entered in H.H.H form) to any destination host:
Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 0000.0000.0011 any
Switch(config-ext-macl)# end
Using PACL with Access-Group Mode
You can use the access group mode to change the way PACLs interact with other ACLs. For example,
suppose a Layer 2 interface belongs to VLAN 100, VACL (VLAN filter) V1 is applied to VLAN 100, and
PACL P1 is applied to the Layer 2 interface. You must then specify how P1 and V1 together affect the
traffic that enters VLAN 100 through that Layer 2 interface. The access-group mode command, entered
on each interface, selects one of the behaviors defined below.
The following modes are defined:
• prefer port mode — If a PACL is configured on the Layer 2 interface, the PACL takes effect and
overrides the other ACLs (Router ACL and VACL). If no PACL is configured on the Layer 2 interface,
the other ACL features applicable to the interface are merged and applied to the interface. This is
the default access group mode.
• prefer vlan mode — VLAN-based ACL features (VACL and Router ACL) take effect on the port if any
are applied to its VLAN, and the PACL is not applied. If no VLAN-based ACL features are applicable
to the Layer 2 interface, the PACL already on the interface is applied.
• merge mode — Merges the applicable ACL features (PACL, VACL, and Router ACL) before they are
programmed into the hardware.

Note Because output PACLs are mutually exclusive with VACLs and Router ACLs, the access group mode
does not change the behavior of output traffic filtering.

Configuring Access-group Mode on Layer 2 Interface
To configure an access group mode on a Layer 2 interface, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# interface interface
Purpose: Enters interface configuration mode for the Layer 2 interface.

Step 3
Command: Switch(config-if)# [no] access-group mode {prefer {port | vlan} | merge}
Purpose: Sets the access group mode on the Layer 2 interface. The no form removes the configured
mode, returning the interface to the default (prefer port).

Step 4
Command: Switch# show running-config
Purpose: Displays the running configuration, including the access group mode and any ACLs applied
to the interface.

Software Configuration Guide—Release 12.2(25)EW
35-24
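The following is an added, end-to-end example (not from the original guide) that ties the PACL definitions above to the access-group mode procedure: it defines the IP and MAC PACLs, binds them to one access port in the VLAN 100 scenario described earlier, sets the mode, and verifies the result. The interface name GigabitEthernet1/1, VLAN 100, and the ip access-group / mac access-group binding commands are assumed here (they are standard IOS interface commands but do not appear in the table above), and the show access-group mode command is also an assumption about the verification output. The example goes beyond the page's simple-ip-acl in one respect: because the implicit deny at the end of an extended IP ACL drops every non-TCP IP packet, a port that carries only permit tcp any any will also drop DHCP (UDP 67/68) and DNS (UDP 53) from the host, so those are permitted explicitly.

```cisco
! Added example, not from the original guide. Assumptions: interface
! GigabitEthernet1/1 is the access port, VLAN 100 carries VACL V1,
! "ip access-group" / "mac access-group ... in" bind the PACLs, and
! "show access-group mode interface" reports the configured mode.
Switch# configure terminal
Switch(config)# ip access-list extended simple-ip-acl
! permit tcp any any alone would leave the implicit deny to drop all
! other IP traffic, including the UDP that DHCP and DNS clients need.
Switch(config-ext-nacl)# permit udp any eq bootpc any eq bootps
Switch(config-ext-nacl)# permit udp any any eq domain
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 0000.0000.0011 any
Switch(config-ext-macl)# exit
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100
! Bind the PACLs to the port (ingress). These two commands are assumed
! standard IOS syntax; the guide's table above does not list them.
Switch(config-if)# ip access-group simple-ip-acl in
Switch(config-if)# mac access-group simple-mac-acl in
! prefer port (the default) means the PACL overrides VACL V1 on this
! port; use "merge" if V1 must still be enforced on this port too.
Switch(config-if)# access-group mode merge
Switch(config-if)# end
Switch# show running-config interface gigabitethernet 1/1
! Assumed verification command; confirms the mode programmed on the port.
Switch# show access-group mode interface gigabitethernet 1/1
```

The security-relevant choice is the mode line. In prefer port mode, adding a permissive PACL to a port silently bypasses the VLAN filter for that port, so a per-port change can undo a VLAN-wide control; merge mode keeps both in effect, at the cost of combining the two rule sets in hardware. Whichever mode is chosen, check it with the verification command rather than inferring it from the ACL bindings alone, because the default (prefer port) applies even when no access-group mode line appears in the running configuration.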
Chapter 35
Configuring Network Security with ACLs
OL-6696-01