Cisco Cisco 1700 2600 3600 3700 Series VPN Module White Paper

Page 55 of 55

In a Cisco Virtual Switching System environment, VACLs do not change significantly, because they can be applied

across VLANs that are local to a particular virtual switch as well as across the entire Cisco Virtual Switching

System. Global TCAM show commands have also been extended to account for the switch keyword.

Port-Based ACLs

PACLs refers to those ACLs that are applied directly to a physical port that is also configured as a Layer 2

switchport. Note that when an IP address is applied to such an interface, the ACL becomes a RACL. PACLs are

directional by nature, and only ingress PACLs are supported.

For software releases prior to 12.2(33)SXI4 there are some changes made to the way PACLs are applied in a

Cisco Virtual Switching System environment. They relate to the current software restriction that does not allow the

system to consecutively address more than 2000 ports from a Layer 2 ACL indexing perspective. This limitation

implies that PACLs cannot be applied to physical orphan ports - ports that exist on a single chassis only. You can

apply PACLs only on Layer 2 Cisco EtherChannel links or multichassis Cisco EtherChannel links. This behavior is

evidenced by the CLI not being available on physical Layer 2 interfaces:

vss(config)#int gig 1/5/2

vss(config-if)#switchport

vss(config-if)#ip ?

Interface IP configuration subcommands:

admission Apply Network Admission Control

arp Configure ARP features

auth-proxy Apply authentication proxy

<…snip…>

vss(config)#int port-channel 102

vss(config-if)#switchport

vss(config-if)#ip ?

Interface IP configuration subcommands:

access-group Specify access control for packets

admission Apply Network Admission Control

arp Configure ARP features

auth-proxy Apply authenticaton proxy

<…snip…>

PACLs on physical Layer 2 interfaces are supported in VSS beginning in the 12.2(33)SXI4 software.

Printed in USA

C11-429338-04 12/12