02-13-2020 02:10 AM
Hi
!
interface GigabitEthernet1/0/1
switchport access vlan 17
switchport mode access
switchport voice vlan 710
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
device-tracking attach-policy xxxxxxxx
ip access-group 102 in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority mab dot1x
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
Can anyone tell me why this ACL is applied on a layer 2 interface? I studied VACLs, in which I learned that an ACL will not work on a layer 2 interface.
Thanks
Siva
02-13-2020 02:30 AM
Hi there,
This is a 'Port ACL' and is perfectly valid.
cheers,
Seb.
02-13-2020 03:16 AM
Perhaps you are confused because an L3/L4 ACL is applied on an L2 switch. But "L2 switch" only refers to the forwarding decision, which is made based on L2 information. The switch can look more deeply into the packets to perform security controls like these access lists.
02-13-2020 03:46 AM
@sivam siva Hello,
This is applied under a physical interface that belongs to a VLAN and is perfectly valid.
"The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software)."
"VLAN ACLs (VACLs) can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs that are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are processed in the ACL TCAM hardware. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware."
Look here for more detail: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html
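To make the difference concrete, here is an added configuration example showing both ACL types on one switch. It is not from the original thread or from the quoted Cisco documentation; the ACL names, the server address 10.0.0.10, interface GigabitEthernet1/0/2 and the choice of VLAN 17 are assumptions for illustration. The port ACL is bound to a physical access port with `ip access-group ... in` and only filters what enters that port; the VACL is bound to the VLAN with `vlan filter` and sees every frame bridged within the VLAN, whichever port it came from.

```cisco
! ---- Port ACL (PACL): ingress only, per physical Layer 2 port ----
! Example values (ACL name, host 10.0.0.10, port Gi1/0/2, VLAN 17) are assumed.
ip access-list extended PACL-VLAN17-IN
 permit udp any eq bootpc any eq bootps      ! let the host get a DHCP lease
 permit udp any any eq domain                ! DNS
 permit tcp any host 10.0.0.10 eq 443        ! assumed internal web server
 deny   ip any any log                       ! everything else dropped and logged
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 17
 ip access-group PACL-VLAN17-IN in           ! PACL: only "in" is valid on an L2 port
!
! ---- VLAN ACL (VACL): all bridged traffic in the VLAN, any port ----
! In a VLAN access-map the ACL's "permit" entries define what MATCHES;
! the access-map "action" decides what happens to matched packets.
ip access-list extended VACL-MATCH-SMB
 permit tcp any any eq 445                   ! match SMB between hosts in the VLAN
!
vlan access-map BLOCK-SMB-VLAN17 10
 match ip address VACL-MATCH-SMB
 action drop                                 ! host-to-host SMB inside VLAN 17 is dropped
vlan access-map BLOCK-SMB-VLAN17 20
 action forward                              ! explicit default: everything else is bridged
!
vlan filter BLOCK-SMB-VLAN17 vlan-list 17
```

To check what is actually bound, use `show running-config interface GigabitEthernet1/0/2` for the PACL, and `show vlan access-map` and `show vlan filter` for the VACL; `show ip access-lists` shows hit counters for both ACLs. One operational point worth knowing about the original post's port: combined with `authentication open`, an ingress PACL like ACL 102 is what limits an unauthenticated host's traffic in Cisco's low-impact 802.1X mode, until a downloadable ACL from the RADIUS server replaces it after authentication. A PACL on that port should therefore be treated as the pre-authentication policy, not just a general port filter.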