Cisco Systems WSC4500X16SFP Manual De Usuario
33-24
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Configuring PACLs
The following example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all
TCP traffic and implicitly deny all other IP traffic:
TCP traffic and implicitly deny all other IP traffic:
Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# end
The following example shows how to configure the Extended Named MACL simple-mac-acl to permit
source host 000.000.011 to any destination host:
source host 000.000.011 to any destination host:
Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 000.000.011 any
Switch(config-ext-macl)# end
Using PACL with Access-Group Mode
You can use the access group mode to change the way PACLs interact with other ACLs. For example, if
a Layer 2 interface belongs to VLAN100, VACL (VLAN filter) V1 is applied on VLAN100, and PACL
P1 is applied on the Layer 2 interface. In this situation, you must specify how P1 and V1 impact the
traffic with the Layer 2 interface on VLAN100. In a per-interface fashion, the access-group mode
command can be used to specify one of the desired behaviors that are defined below.
a Layer 2 interface belongs to VLAN100, VACL (VLAN filter) V1 is applied on VLAN100, and PACL
P1 is applied on the Layer 2 interface. In this situation, you must specify how P1 and V1 impact the
traffic with the Layer 2 interface on VLAN100. In a per-interface fashion, the access-group mode
command can be used to specify one of the desired behaviors that are defined below.
The following modes are defined:
•
prefer port mode
—
If PACL is configured on a Layer 2 interface, then PACL takes effect and
overwrites the effect of other ACLs (Router ACL and VACL). If no PACL feature is configured on
the Layer 2 interface, other features applicable to the interface are merged and applied on the
interface. This is the default access group mode.
the Layer 2 interface, other features applicable to the interface are merged and applied on the
interface. This is the default access group mode.
•
prefer vlan mode
—
VLAN-based ACL features take effect on the port provided they have been
applied on the port and no PACLs are in effect. If no VLAN-based ACL features are applicable to
the Layer 2 interface, then the PACL feature already on the interface is applied.
the Layer 2 interface, then the PACL feature already on the interface is applied.
•
merge mode
—
Merges applicable ACL features before they are programmed into the hardware.
Note
Because output PACLs are mutually exclusive with VACL and Router ACLs, the access group mode does
not change the behavior of output traffic filtering.
not change the behavior of output traffic filtering.
Configuring Access-group Mode on Layer 2 Interface
To configure an access mode on a Layer 2 interface, perform this task:
Command
Purpose
Step 1
Switch# configure t
Enters global configuration mode.
Step 2
Switch(config)# interface
interface
Enters interface config mode.
Step 3
Switch(config-if)# [no]
access-group mode
{prefer {port | vlan} | merge}
Applies numbered or named ACL to the Layer 2 interface. The no prefix
deletes the IP or MAC ACL from the Layer 2 interface.
deletes the IP or MAC ACL from the Layer 2 interface.
Step 4
Switch(config)# show
running-config
Displays the access list configuration.