https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028934#M329414 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/459403">@sivam siva</a>&nbsp;Hello,</P> <P>&nbsp;</P> <P>Hello,</P> <P>This is applied under a physical interface that belongs to a vlan and is perfect valid.</P> <P>&nbsp;</P> <P>"<STRONG>The port ACL (PACL</STRONG>) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software)."</P> <P>&nbsp;</P> <P>"<STRONG>VLAN ACLs (VACLs)</STRONG> can provide access control for all packet s that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs that are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are processed in the ACL TCAM hardware. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware."</P> <P>&nbsp;</P> <P>Look here more detail: <A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html</A></P> Thu, 13 Feb 2020 11:46:11 GMT Jaderson Pessoa 2020-02-13T11:46:11Z https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028886#M329408 <P>Hi</P><P>&nbsp;</P><P>!</P><P>interface GigabitEthernet1/0/1</P><P>&nbsp;switchport access vlan 17</P><P>&nbsp;<STRONG>switchport mode access</STRONG></P><P>&nbsp;switchport voice vlan 710</P><P>&nbsp;switchport port-security violation restrict</P><P>&nbsp;switchport port-security aging time 2</P><P>&nbsp;switchport port-security aging type inactivity</P><P>&nbsp;switchport port-security</P><P>&nbsp;device-tracking attach-policy xxxxxxxx</P><P><STRONG>&nbsp;ip access-group 102 in</STRONG></P><P>authentication event fail action next-method</P><P>&nbsp;authentication host-mode multi-auth</P><P>&nbsp;authentication open</P><P>&nbsp;authentication order dot1x mab</P><P>&nbsp;authentication priority mab dot1x</P><P>&nbsp;authentication port-control auto</P><P>&nbsp;authentication timer reauthenticate server</P><P>&nbsp;authentication timer inactivity server</P><P>&nbsp;authentication violation restrict</P><P>&nbsp;</P><P>can anyone tell why this ACL is applied in layer 2 interface, I studied VACL in which I learned that ACL will not work in the layer 2 interface.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>Siva</P> Thu, 13 Feb 2020 10:10:05 GMT https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028886#M329408 sivam siva 2020-02-13T10:10:05Z https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028902#M329409 <P>Hi there,</P> <P>This is a 'Port ACL' and is perfectly valid.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_0111001.html#ID90" target="_blank">https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_0111001.html#ID90</A></P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Thu, 13 Feb 2020 10:30:06 GMT https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028902#M329409 Seb Rupik 2020-02-13T10:30:06Z https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028924#M329411 <P>Perhaps you are confused because a L3/L4 ACL is applied on a L2-switch. But L2-switch only refers to the forwarding decision which is done based on L2 information. The switch can look into the packets more deeply to do some security-control like these Access-Lists.</P> Thu, 13 Feb 2020 11:16:08 GMT https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028924#M329411 Karsten Iwen 2020-02-13T11:16:08Z https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028934#M329414 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/459403">@sivam siva</a>&nbsp;Hello,</P> <P>&nbsp;</P> <P>Hello,</P> <P>This is applied under a physical interface that belongs to a vlan and is perfect valid.</P> <P>&nbsp;</P> <P>"<STRONG>The port ACL (PACL</STRONG>) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software)."</P> <P>&nbsp;</P> <P>"<STRONG>VLAN ACLs (VACLs)</STRONG> can provide access control for all packet s that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs that are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are processed in the ACL TCAM hardware. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware."</P> <P>&nbsp;</P> <P>Look here more detail: <A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html</A></P> Thu, 13 Feb 2020 11:46:11 GMT https://community.cisco.com/t5/routing-and-sd-wan/access-list-in-layer-2-interface/m-p/4028934#M329414 Jaderson Pessoa 2020-02-13T11:46:11Z