
Configuring PACLs and VACLs in FLG (topic on SWITCH exam)

wavewave Member Posts: 342
Hi guys,

Although "Configure VACL and PACL" is listed as an exam topic for SWITCH, the Foundation Learning Guide only has a brief paragraph describing what PACLs are (p. 353). There is no configuration example, though there is for VACLs.

I would be interested in hearing others experiences labbing PACLs for SWITCH. It seems that most of the features are available on the 6500 so I'm guessing we only need to know the theory rather than commands? I'm referring to PACLs specifically here, not VACLs.

Though, from reading Cisco documentation, it seems like they are pretty straightforward:
Catalyst 6500 Release 12.2SX Software Configuration Guide - Port ACLs (PACLs) and VLAN ACLs (VACLs) [Cisco Catalyst 6500 Series Switches] - Cisco Systems

"The CLI syntax for creating a PACL is identical to the syntax for creating a Cisco IOS ACL. An instance of an ACL that is mapped to a Layer 2 port is called a PACL. An instance of an ACL that is mapped to a Layer 3 interface is called a Cisco IOS ACL. The same ACL can be mapped to both a Layer 2 port and a Layer 3 interface."

It seems it's also possible to configure the "access-group mode" to set whether the PACL is preferred over VACLs and IOS ACLs or if it is merged with them.

ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP

Comments

    DarthVader Member Posts: 71
    I highly recommend that you go in prepared to configure VACL and PACL from start to finish. Don't go only by what you see in the study guide.
    Pretty much anything in the Switch realm is fair game for Sims (Private VLANs, VACLs) as well as stuff like AAA and SNMP configs.

    Good luck
    wavewave Member Posts: 342
    Thanks DarthVader.

    But essentially a PACL and RACL are just regular IOS ACLs applied to different interface types correct? So the only really new thing here are VACLs?

    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
    DarthVader Member Posts: 71
    Yep, and the VACLs have a few steps, no big deal though. Make sure you are very comfortable with Private VLANs and all aspects of STP.
    wavewave Member Posts: 342
    Noted.

    Okay, one final question. I see on the 6500 that two modes are available for merging PACLs with other ACLs on the switch:

    • Prefer port mode—If a PACL is configured on a Layer 2 interface, the PACL takes effect and overwrites the effect of other ACLs (Cisco IOS ACL and VACL). If no PACL feature is configured on the Layer 2 interface, other features applicable to the interface are merged and are applied on the interface.

    • Merge mode—In this mode, the PACL, VACL, and Cisco IOS ACLs are merged in the ingress direction following the logical serial model shown in Figure 51-2. This is the default access group mode.

    The mode is configured using "access-group mode" in interface configuration mode. I tried this on a 3560 and 3750 and the command wasn't available so it must be 6500 only. Do you know how the 3560/3750 handle merges? My guess is that they probably follow merge mode...

    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
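As an added configuration example (not from the FLG, the Cisco guide, or any poster in this thread), the following puts the two constructs discussed above side by side: an ordinary IOS extended ACL applied inbound on a Layer 2 access port, which is what makes it a PACL, and a VACL built from a VLAN access-map and applied to the VLAN. The interface name, VLAN 10, the resolver address 10.10.10.53 and all ACL/map names are assumptions; the `access-group mode` line is Catalyst 6500 only, as noted in the thread.

```cisco
! Added example; interface, VLAN 10, 10.10.10.53 and all names are assumed.
!
! 1. PACL: a normal IOS extended ACL, applied inbound on a Layer 2 port.
!    Typical use on a host-facing access port: permit DHCP, DNS to the
!    known resolver and HTTPS; the explicit deny mirrors the implicit one.
ip access-list extended PACL-ACCESS-PORT
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.10.10.53 eq domain
 permit tcp any any eq 443
 deny   ip any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-ACCESS-PORT in
 ! Catalyst 6500 only. "merge" is the default; "prefer port" would make
 ! this PACL the only ACL evaluated on the port, so a VACL deny on
 ! VLAN 10 no longer applies to frames entering here. Keep merge unless
 ! that bypass is intended.
 access-group mode merge
!
! 2. VACL: filters traffic within VLAN 10, bridged as well as routed.
!    In the matching ACL "permit" only means "match"; the drop happens
!    in the access-map action. Sequence 20 has no match clause, so it
!    forwards everything else; a map with no forward entry drops all.
ip access-list extended VACL-MATCH-TELNET
 permit tcp any any eq telnet
!
vlan access-map VLAN10-MAP 10
 match ip address VACL-MATCH-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
!
! Verification:
!   show vlan access-map VLAN10-MAP
!   show vlan filter
!   show ip access-lists PACL-ACCESS-PORT
!   show access-group mode interface GigabitEthernet1/0/10   (6500 only)
```

The VACL has no direction: it is applied to the whole VLAN, while the PACL is inbound only on its port.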