Leaflet

12
OL-11615-01
Port ACL (PACL)
Port ACLs (PACLs) are IP-based and MAC-based access control lists applied to Layer 2 physical ports on a switch. PACLs are available on Catalyst 6500 Series switches running Catalyst OS and on Catalyst 4500 Series switches running Cisco IOS.
Note PACLs are available only on Supervisor Engine 720 with PFC3A/PFC3B/PFC3BXL and Supervisor
Engine 32 with PFC3B. Only input PACLs are supported on Catalyst 6500 Series switches equipped with
those supervisor engines.
With PACLs, IP traffic is filtered with either IP standard or extended ACLs, while non-IP traffic is controlled with MAC-based ACLs. Standard IP ACLs filter IP traffic solely on source addresses. Extended IP ACLs filter traffic by source and destination addresses, and optionally by protocol type. MAC-based ACLs filter non-IP traffic by source and destination MAC addresses, and optionally by protocol type.
By configuring an IP-based ACL and a MAC-based ACL on the same physical port, it is possible to filter
IP and non-IP traffic simultaneously on a Layer 2 physical port. However, only one IP ACL and one
MAC ACL can be applied on a physical port at the same time. If a new IP ACL or MAC ACL is applied
to a port that has already been configured with an IP ACL or MAC ACL, the new ACL will replace the
previously configured one.
Figure 2 shows the logical relationships between ACL types.
Figure 2 Logical Relationships Between ACL Types
PACLs can be used in conjunction with VACLs and router ACLs. There are three modes of operation that define the way PACLs interact with other ACLs, and which can be configured on a per-port basis:

• Prefer Port/Port-based mode—If a PACL is configured on a Layer 2 port, the PACL takes effect and overrides other ACLs (Router ACL and VACL). If no PACL feature is configured on the Layer 2 port, the other ACLs applicable to the interface are merged and applied on the interface. This is the default mode on Catalyst 4500 Series switches.

• Prefer VLAN/VLAN-based mode—VLAN-based ACLs (Router ACL and VACL) take effect on the port and override the PACL. The PACL only takes effect if no VLAN-based ACLs are applied to the Layer 2 interface. This is the default mode on Catalyst 6500 Series switches.

• Merge—With this mode, the ingress PACL, VACL, and Cisco IOS ACL are merged together following the logical serial model shown in Figure 2.
Note Supervisor Engines III and Supervisor Engine IV running on a Catalyst 4500 Series switch support both
input and output PACLs on an interface.
The relationship between PACLs, Router ACLs and VACLs depends on the configuration of the PACL mode, as summarized in Table 1.
[Figure 2 (logical serial model): PACL → Ingress VACL → Ingress IOS ACL (Layer-3 only) → Egress IOS ACL → Egress VACL]
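The following configuration illustrates the points above (one IP ACL and one MAC ACL applied simultaneously to a Layer 2 port, input direction only, explicit PACL mode selection). It is an added example in Catalyst 4500 Cisco IOS syntax, not taken from the leaflet; the ACL names, interface, addresses and the MAC address/mask form of the MAC ACL entries are assumptions, so check them against the command reference for the platform in use.

```text
! Extended IP ACL: only the 10.1.1.0/24 subnet may reach the web server
! at 192.0.2.10; all other IP traffic entering this port is dropped.
ip access-list extended PACL-IP-IN
 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 80
 deny ip any any
!
! MAC ACL (assumed address/mask syntax): non-IP frames are accepted
! only from one known station; everything else non-IP is dropped.
mac access-list extended PACL-MAC-IN
 permit 0000.1111.2222 0000.0000.0000 any
 deny any any
!
interface GigabitEthernet1/1
 switchport
 switchport mode access
 ! One IP ACL and one MAC ACL may coexist on the port; applying a
 ! second ACL of the same type replaces the one configured before.
 ip access-group PACL-IP-IN in
 mac access-group PACL-MAC-IN in
 ! Prefer Port mode: this PACL overrides any VACL or router ACL on the
 ! port's VLAN (the Catalyst 4500 default; "prefer vlan" or "merge"
 ! select the other two modes described above).
 access-group mode prefer port
```

The active mode on the port can be confirmed afterwards with show access-group mode interface, and the applied ACLs with show access-lists.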