Access-list in layer 2 interface

sivam siva, Level 3

Hi

!
interface GigabitEthernet1/0/1
 switchport access vlan 17
 switchport mode access
 switchport voice vlan 710
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 device-tracking attach-policy xxxxxxxx
 ip access-group 102 in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority mab dot1x
 authentication port-control auto
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict

Can anyone tell me why this ACL is applied on a layer 2 interface? I studied VACLs, from which I learned that an ACL will not work on a layer 2 interface.

Thanks

Siva


Perhaps you are confused because an L3/L4 ACL is applied on an L2 switch. But "L2 switch" only refers to the forwarding decision, which is made based on L2 information. The switch can look into the packets more deeply to do some security control, like these access-lists.

Jaderson Pessoa, VIP Alumni

@sivam siva Hello,

This is applied under a physical interface that belongs to a VLAN and is perfectly valid.

"The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs are applied only on the ingress traffic. The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software)."

"VLAN ACLs (VACLs) can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs that are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are processed in the ACL TCAM hardware. VACLs ignore any Cisco IOS ACL fields that are not supported in hardware."

Look here for more detail: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html

Jaderson Pessoa
*** Rate All Helpful Responses ***
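As an added example (not part of this thread or of Cisco's documentation), the two constructs quoted above side by side: a port ACL bound inbound to the Layer 2 access port, the same form as the "ip access-group 102 in" in Siva's config, and a VLAN access-map applied to VLAN 17. The ACL contents, subnets, map names and the 10.17.0.1 gateway are constructed for illustration.

```cisco
! --- Port ACL (PACL): ingress only, on one physical L2 port, hardware only ---
! Assumed policy: the client may use DHCP, DNS and HTTPS to the server block.
! EAPoL is not IP, so the 802.1X exchange on the port is unaffected by it.
ip access-list extended 102
 remark PACL for access ports in VLAN 17 (constructed example)
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.17.0.53 eq domain
 permit tcp any 10.17.0.0 0.0.255.255 eq 443
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 17
 ip access-group 102 in
!
! --- VLAN ACL (VACL): bridged and routed traffic of the whole VLAN, both directions ---
! A PACL only sees frames entering its own port, so it cannot stop two hosts on
! different ports of VLAN 17 from talking to each other. A vlan access-map can.
! Match ACLs use permit entries only: in an access-map a "deny" ACE means
! "no match, try the next sequence", not "drop".
ip access-list extended VLAN17-GATEWAY
 permit ip any host 10.17.0.1
 permit ip host 10.17.0.1 any
ip access-list extended VLAN17-INTRA
 permit ip 10.17.0.0 0.0.255.255 10.17.0.0 0.0.255.255
!
vlan access-map VLAN17-MAP 10
 match ip address VLAN17-GATEWAY
 action forward
vlan access-map VLAN17-MAP 20
 match ip address VLAN17-INTRA
 action drop
vlan access-map VLAN17-MAP 30
 action forward
!
vlan filter VLAN17-MAP vlan-list 17
```

To confirm which construct is in effect, "show ip interface GigabitEthernet1/0/1" reports the inbound access list on the port, while "show vlan filter" and "show vlan access-map" report the VACL and the VLANs it is bound to.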