Cisco 4500M Software Manual page 510

Chapter 35
Configuring Network Security with ACLs
Using PACL with VLAN Maps and Router ACLs
If the interface access group mode is prefer port, then only the input PACL is applied on the ingress
traffic from Host A. If the mode is prefer vlan, then only the VACL is applied to the ingress traffic from
Host A. If the mode is merge, the input PACL is first applied to the ingress traffic from Host A, and then
the VACL is applied to the traffic.
Scenario 3: Host A is connected to an interface in VLAN 10, which has a VACL and an SVI configured.
The SVI has an input Router ACL configured and the interface has an input PACL configured, as shown
in Figure 35-9:
Figure 35-9 Scenario 3: VACL and Input Router ACL
[Figure labels: Catalyst 4500 series switch; Host A (VLAN 10); Host B (VLAN 20); Frame; Packet; Input PACL; VLAN 10 map; Input router ACL; Routing function; Output router ACL; VLAN 20 map]
If the interface access group mode is prefer port, then only the input PACL is applied on the ingress
traffic from Host A. If the mode is prefer vlan, then the merged results of the VACL and the input Router
ACL are applied to the ingress traffic from Host A. If the mode is merge, the input PACL is first applied
to the ingress traffic from Host A, then the VACL is applied to the traffic, and finally the input Router
ACL is applied to the traffic that needs routing (that is, the merged results of the input PACL, VACL,
and input Router ACL are applied to the traffic).
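
The following added example (not from the Cisco guide) models Scenario 3 to show which ACLs actually see Host A's ingress traffic in each access group mode, and which one drops a given packet. The ACL contents, the names PACL/VACL/RACL, first-match evaluation with an implicit deny, and the rule that the router ACL only sees routed traffic are assumptions of this simplified model.

```python
# Added example: simplified model of Scenario 3, not Cisco code.
# ACL contents below are constructed sample data.
MODES = ("prefer port", "prefer vlan", "merge")

def applied_acls(mode, routed=True):
    """Ingress ACLs applied to Host A's traffic, in order, per access group mode."""
    if mode not in MODES:
        raise ValueError(f"unknown access group mode: {mode!r}")
    if mode == "prefer port":
        return ["PACL"]                      # VACL and router ACL are not applied
    chain = ["PACL", "VACL"] if mode == "merge" else ["VACL"]
    if routed:                               # assumption: router ACL only sees routed traffic
        chain.append("RACL")
    return chain

def acl_permits(rules, pkt):
    """First-match evaluation; a packet matching no rule hits the implicit deny."""
    for action, proto, dport in rules:
        if proto in (None, pkt["proto"]) and dport in (None, pkt["dport"]):
            return action == "permit"
    return False

def verdict(mode, pkt, acls, routed=True):
    """Return ('permit', None) or ('deny', <name of the ACL that dropped it>)."""
    for name in applied_acls(mode, routed):
        if not acl_permits(acls[name], pkt):
            return ("deny", name)
    return ("permit", None)

def audit(pkt, acls):
    """Verdict for one packet under every access group mode."""
    return {mode: verdict(mode, pkt, acls) for mode in MODES}

# Constructed policy: (action, protocol, destination port); None is a wildcard.
SAMPLE_ACLS = {
    "PACL": [("deny", "udp", 69), ("permit", None, None)],
    "VACL": [("deny", "tcp", 23), ("permit", None, None)],
    "RACL": [("deny", "tcp", 445), ("permit", None, None)],
}
TELNET = {"proto": "tcp", "dport": 23}
SMB = {"proto": "tcp", "dport": 445}
TFTP = {"proto": "udp", "dport": 69}

if __name__ == "__main__":
    for label, pkt in (("telnet", TELNET), ("smb", SMB), ("tftp", TFTP)):
        print(label, audit(pkt, SAMPLE_ACLS))
```

With this sample policy, prefer port lets through traffic that the VACL or router ACL would drop, and prefer vlan lets through traffic that the PACL would drop; only merge enforces all three.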
Software Configuration Guide—Release 12.2(25)EW
35-28
OL-6696-01
