Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Configuring Port-Based ACLs
Interacting with High Availability
After a supervisor engine switchover, the VACL and QoS ACL configuration on the standby supervisor
engine is consistent with the configuration on the active supervisor engine, just as in the case where the
VACL and QoS ACL configuration is saved in NVRAM. The only difference is that the data is stored in
DRAM, but the functional behavior of a switchover does not change.
Configuring Port-Based ACLs
Note
This feature is available only with Supervisor Engine 720 with PFC3A/PFC3B/PFC3BXL and
Supervisor Engine 32 with PFC3B/PFC3BXL.
These sections describe the port ACLs (PACLs):
• PACL Configuration Overview, page 15-68
• PACL Configuration Guidelines, page 15-69
• Configuring PACLs from the CLI, page 15-72
• PACL Configuration Examples, page 15-76
PACL Configuration Overview
Before software release 8.3(1), there were only two types of access lists—the VACLs and Cisco IOS
ACLs. The VACLs were applied to Layer 2 and Layer 3 forwarded traffic while Cisco IOS ACLs were
applied only to the Layer 3 forwarded packets. Both access list types were applied to the VLANs and
filtered traffic based on the packet header information.
In software release 8.3(1), there is an additional type of access list—a PACL. A PACL is an access list that is
mapped to a physical port (typically, a VLAN is composed of many physical ports). A PACL provides you
with the extra granularity to filter traffic on a specific physical port. Like the VACLs, the PACLs are applied
to both the Layer 2 and Layer 3 forwarded packets.
Figure 15-9 shows the logical relationship between the access list types. A PACL is first applied on an
incoming packet on a physical port. If the packet is permitted by the PACL, it is filtered by the VACL
that is applied to the corresponding ingress VLAN. If the packet is Layer 3 forwarded and is permitted
by the VACL, it is filtered by the Cisco IOS ACL on the same VLAN. The same process happens in
reverse in the egress direction. However, there is currently no hardware support for the egress PACLs.
Figure 15-9 Logical Relationship Between Access List Types
[Figure: ingress order is PACL, then Ingress VACL, then Ingress IOS ACL; egress order is Egress IOS ACL, then Egress VACL; the Ingress and Egress IOS ACLs apply to Layer 3 forwarded traffic only]
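To make the filtering order concrete, the following is an added model of the ingress pipeline from the overview above (PACL on the port, then VACL on the ingress VLAN, then the Cisco IOS ACL for Layer 3 forwarded packets only); it is constructed for this section and is not Cisco code. It assumes simplified ACEs, first-match evaluation and an implicit deny at the end of each list, none of which this excerpt spells out.

```python
# Constructed model of the ingress filtering order: PACL on the physical port,
# then VACL on the ingress VLAN, then the Cisco IOS ACL (Layer 3 only). Not Cisco code.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    l3_forwarded: bool = False    # True when the packet is routed between VLANs

@dataclass
class Ace:                        # one access control entry (simplified)
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and ace.dport in (None, pkt.dport))

def evaluate_acl(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; no match means the implicit deny (assumed)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def ingress_decision(pkt: Packet, pacl, vacl, ios_acl):
    """Return (permitted, stage): the stage that dropped the packet, or
    'forwarded'. None for an ACL means nothing is applied at that stage."""
    stages = [("PACL", pacl), ("VACL", vacl)]
    if pkt.l3_forwarded:          # Layer 2 switched traffic never reaches the IOS ACL
        stages.append(("IOS ACL", ios_acl))
    for name, acl in stages:
        if acl is not None and not evaluate_acl(acl, pkt):
            return False, name
    return True, "forwarded"

# Constructed policy: the PACL blocks telnet from one host on this port, the
# VACL permits only two hosts on the VLAN, the IOS ACL denies routed SMTP.
PACL = [Ace("deny", "tcp", src="10.1.1.5", dport=23), Ace("permit")]
VACL = [Ace("permit", src="10.1.1.5"), Ace("permit", src="10.1.1.6")]
IOS_ACL = [Ace("deny", "tcp", dport=25), Ace("permit")]
```

Running the same SMTP packet with `l3_forwarded` False and then True shows the practical point: a PACL and VACL permit is final for Layer 2 switched traffic, and only routed traffic is also subject to the IOS ACL.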