Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Configuring PACLs
Step 2
Use the ip access-group, ipv6 traffic-filter, or mac access-group interface command to apply IPv4, IPv6, or MAC ACLs to one or more Layer 2 interfaces.
PACL Configuration Guidelines
When configuring PACLs, consider these guidelines:
• There can be at most one IPv4, one IPv6, and one MAC access list applied to the same Layer 2 interface per direction.
• The IPv4 access list filters only IPv4 packets, the IPv6 access list filters only IPv6 packets, and the MAC access list filters only non-IP packets.
• The number of ACLs and ACEs that can be configured as part of a PACL is bounded by the hardware resources on the switch. Those hardware resources are shared by the various ACL features (for example, RACL, VACL) that are configured on the system. If insufficient hardware resources exist to program the PACL in hardware, the actions for input and output PACLs differ:
  – For input PACLs, some packets are sent to the CPU for software forwarding.
  – For output PACLs, the PACL is disabled on the port.
• If insufficient hardware resources exist to program the PACL, the output PACL is not applied to the port, and you receive a warning message.
• The input ACL logging option is supported, although logging is not supported for output ACLs.
• The access group mode can change the way PACLs interact with other ACLs. To maintain consistent behavior across Cisco platforms, use the default access group mode.
• If a PACL is removed when there are active sessions on a port, a hole (permit ip any any) is installed on the port.
Removing the Requirement for a Port ACL
Prior to Cisco IOS Release 12.2(54)SG, a standard port ACL was necessary if you planned to download
an ACL from a AAA server. This was because ACL infrastructure was insufficient to provide dynamic
creation of access control entries without associating an ACL with the port.
Starting with Cisco IOS Release 12.2(54)SG, configuring a port ACL is not mandatory. If a port ACL is not configured on the port (by entering the ip access-group number in command), a default ACL (AUTH-DEFAULT-ACL) is attached automatically to the port when an ACL is downloaded. It allows only DHCP traffic and consists of the following ACEs:
permit udp any range bootps 65347 any range bootpc 65348
permit udp any any range bootps 65347
deny ip any any.
AUTH-DEFAULT-ACL is automatically created. To modify it, enter the following command:
ip access-list extended AUTH-DEFAULT-ACL
This ACL is not nvgened (it does not appear in the running configuration). AUTH-DEFAULT-ACL is attached provided there are sessions applying dynamic ACLs (Per-user/Filter-Id/DACL). AUTH-DEFAULT-ACL is removed when the last authenticated session with policies is cleared. It remains attached to the port provided at least one session is applying dynamic policies.
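The following is an added example, not part of the Cisco guide: a small Python evaluator that parses the three AUTH-DEFAULT-ACL entries quoted above and shows which packets they permit. It models only what these ACEs use (first matching ACE wins, inclusive "range lo hi", the named ports bootps/bootpc, and "any" addresses); the port-name table and the simplified matching are assumptions of this example, not IOS code.

```python
# Added example: minimal model of IOS extended-ACL matching for the
# AUTH-DEFAULT-ACL entries quoted in the text. Simplified, not IOS code.
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: only the two named ports that appear in these ACEs are needed.
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# The three ACEs exactly as listed in the guide.
AUTH_DEFAULT_ACL = """\
permit udp any range bootps 65347 any range bootpc 65348
permit udp any any range bootps 65347
deny ip any any
"""

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    sport: Optional[Tuple[int, int]]  # inclusive range, None = any port
    dport: Optional[Tuple[int, int]]

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_any_ports(tokens: list) -> Optional[Tuple[int, int]]:
    """Consume 'any [range lo hi]' and return the port range, or None."""
    assert tokens.pop(0) == "any"  # only 'any' addresses are modelled here
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return (_port(tokens.pop(0)), _port(tokens.pop(0)))
    return None

def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        sport = _parse_any_ports(rest)   # source address + optional ports
        dport = _parse_any_ports(rest)   # destination address + optional ports
        aces.append(Ace(action, proto, sport, dport))
    return aces

def _in_range(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(aces: list, proto: str, sport: int, dport: int) -> str:
    """Return the action of the first matching ACE; implicit deny otherwise."""
    for a in aces:
        if a.proto in ("ip", proto) and _in_range(a.sport, sport) and _in_range(a.dport, dport):
            return a.action
    return "deny"  # every IOS ACL ends with an implicit deny
```

Run `evaluate(parse_acl(AUTH_DEFAULT_ACL), "udp", 68, 67)` for a DHCP client request and `"tcp", 51000, 443` for an HTTPS flow to see the permit and deny paths respectively.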