PACLs and VACLs compatibility on the 3560

ovt
Level 4

Hi!

Cisco docs say that:

"You can use input port ACLs, router ACLs, and VLAN maps on the same switch. However, a port ACL takes precedence over a router ACL or VLAN map:

- When both an input port ACL and a VLAN map are applied, incoming packets received on ports with a port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map."

However, testing reveals that PACLs and VACLs can work together on the SAME L2 interface:

interface FastEthernet0/3
 switchport access vlan 16
 switchport mode access
 ip access-group 104 in

S3650#sh access-l 104
Extended IP access list 104
    10 deny icmp 172.16.16.0 0.0.0.255 host 172.16.11.100 echo
    20 permit icmp 172.16.16.0 0.0.0.255 host 172.16.1.100 echo
    30 permit ip any any

S3650#sh vlan filter
VLAN Map test is filtering VLANs:
  16

S3650#sh vlan access-map
Vlan access-map "test" 10
  Match clauses:
    ip address: 100
  Action:
    drop
Vlan access-map "test" 20
  Match clauses:
    ip address: 102
  Action:
    forward

S3650#sh access-l 100
Extended IP access list 100
    10 permit icmp 172.16.16.0 0.0.0.255 host 172.16.1.100 echo

S3650#sh access-l 102
Extended IP access list 102
    10 permit ip any any

STEND#4
[Resuming connection 4 to 1.1.1.1 ... ]

Server3#ping 172.16.11.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Server3#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Server3#ping 172.16.12.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

So, it seems that PACL is checked first, then VACL. This is a pure L2 3560 switch, 12.2(25)SEE2.

Am I missing something here?

Thx.
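The three pings above, replayed as an added example (not part of the original post and not Cisco code): a Python model of first-match ACL evaluation with wildcard masks and of the VLAN map's match/action semantics, run under both candidate orderings, port ACL alone (the documented behaviour quoted in the post) and port ACL followed by the VLAN map (the order the poster infers). Server3's source address is not shown in the post; 172.16.16.100 is assumed.

```python
import ipaddress
def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)
ANY = ("0.0.0.0", "255.255.255.255")        # 'any' keyword
def host(ip): return (ip, "0.0.0.0")          # 'host X' keyword

# ACEs transcribed from the show output in the post: (action, proto, src, dst, icmp-type)
ACL = {
    104: [("deny",   "icmp", ("172.16.16.0", "0.0.0.255"), host("172.16.11.100"), "echo"),
          ("permit", "icmp", ("172.16.16.0", "0.0.0.255"), host("172.16.1.100"), "echo"),
          ("permit", "ip", ANY, ANY, None)],
    100: [("permit", "icmp", ("172.16.16.0", "0.0.0.255"), host("172.16.1.100"), "echo")],
    102: [("permit", "ip", ANY, ANY, None)],
}
VLAN_MAP_TEST = [(10, 100, "drop"), (20, 102, "forward")]   # "vlan access-map test"

def acl_lookup(acl_id, pkt):
    """First-match evaluation: 'permit', 'deny', or None if no ACE matches."""
    for action, proto, (src, swc), (dst, dwc), icmp in ACL[acl_id]:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if icmp is not None and icmp != pkt.get("icmp"):
            continue
        if wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc):
            return action
    return None

def port_acl_permits(acl_id, pkt):
    # Port ACL: anything not explicitly permitted falls to the implicit deny.
    return acl_lookup(acl_id, pkt) == "permit"

def vlan_map_forwards(entries, pkt):
    # VLAN map: a sequence 'matches' when its ACL permits the packet (a deny ACE
    # means 'not this sequence'); its action then applies. No match at all => drop.
    for _seq, acl_id, action in entries:
        if acl_lookup(acl_id, pkt) == "permit":
            return action == "forward"
    return False

def forwarded(pkt, documented=False):
    """documented=True: the port ACL alone filters traffic on Fa0/3 (Cisco text quoted above).
    documented=False: port ACL first, then the VLAN map (the order the poster observed)."""
    if not port_acl_permits(104, pkt):
        return False
    return True if documented else vlan_map_forwards(VLAN_MAP_TEST, pkt)

def echo(dst, src="172.16.16.100"):   # Server3's address is not in the post; assumed
    return {"proto": "icmp", "icmp": "echo", "src": src, "dst": dst}
```

Under the sequential model the second ping (172.16.1.100) is permitted by ACL 104 and then dropped by sequence 10 of the VLAN map, which is exactly the failure the post shows; under the documented model it would have succeeded.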


a-vazquez
Level 6

An L2 PACL (port-based ACL) overrides any VACLs or RACLs on the same VLAN for ingress traffic. In other words, if you have a PACL applied to a port in a VLAN, then traffic coming in that port will only hit the PACL and not any VACL or RACLs that also happen to be applied to the same VLAN. Traffic coming in another port in the same VLAN (other ports that don't have PACLs on them) will hit the VACL and RACL if they're configured. Refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swacl.htm#wp1543135
