54-31
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 54 Configuring Network Security with ACLs
Configuring PACLs
To apply IPv4 or MAC ACLs on a Layer 2 interface, perform this task:
To apply IPv6 ACLs on a Layer 2 interface, perform this task:
The following example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all
TCP traffic and implicitly deny all other IP traffic:
Switch(config)# interface Gi3/1
Switch(config-if)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# end
The following example shows how to configure the Extended Named MACL simple-mac-acl to permit
source host 000.000.011 to any destination host:
Switch(config)# interface Gi3/1
Switch(config-if)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 000.000.011 any
Switch(config-ext-macl)# end
Using PACL with Access-Group Mode
You can use the access group mode to change the way PACLs interact with other ACLs. For example, if
a Layer 2 interface belongs to VLAN100, VACL (VLAN filter) V1 is applied on VLAN100, and PACL
P1 is applied on the Layer 2 interface. In this situation, you must specify how P1 and V1 impact the
traffic with the Layer 2 interface on VLAN100. In a per-interface method, you can use the access-group
mode command to specify one of the following desired modes:
• prefer port mode—If PACL is configured on a Layer 2 interface, then PACL takes effect and
overwrites the effect of other ACLs (Router ACL and VACL). If no PACL feature is configured on
the Layer 2 interface, other features applicable to the interface are merged and applied on the
interface. it is the default access group mode.
Command Purpose
Step 1
Switch# configure terminal
Enters global configuration mode.
Step 2
Switch(config)# interface interface
Enters interface configuration mode.
Step 3
Switch(config-if)# [no] {ip | mac}
access-group {name | number} {in | out}
Applies numbered or named ACL to the Layer 2 interface.
The no form deletes the IP or MAC ACL from the Layer 2
interface.
Step 4
Switch(config)# show running-config
Displays the access list configuration.
Command Purpose
Step 1
Switch# configure terminal
Enters global configuration mode.
Step 2
Switch(config)# interface interface
Enters interface configuration mode.
Step 3
Switch(config-if)# [no] ipv6 traffic-filter
name {in | out}
Applied the specified IPv6 ACL to the Layer 2 interface. The
no form deletes the IPv6 ACL from the Layer 2 interface.
Step 4
Switch(config)# show running-config
Displays the access list configuration.
To Next Page
Loading...
Need help?
General
