[c-nsp] PACL on C6K

Rubens Kuhl Jr. rubensk at gmail.com
Thu Sep 8 16:58:10 EDT 2005


> VACLs control traffic within a *VLAN*, PACLs control traffic in
> and out of a physical *port*. If you can't know (in advance) the
> address of the equipment, but do know the physical port, it can
> be hard to do the VACL, but very easy to do the PACL.

I usually prefer having servers with fixed IP addresses, servers on
different subnets than workstations, and no differentiation between
workstations, so I never ran into such a need.
Time to make your SE talk on your behalf, but in the meantime using
DHCP to map to fixed IP addresses for some stations may be your only
workaround.

I suppose you are providing different services (network allowed/blocked
services) to different stations. Someone reading this thread that only
needs spoof control will probably benefit from turning on Port Security,
DHCP Snooping, Dynamic ARP Inspection and IP Source Guard.


> It's funny that all the other platforms can do it -- even the
> low-end 2950 has a form of PACL -- while the top-of-the-line
> can't[1].

> [1] Not that it should be such a great surprise... There are many
> other switching features lacking from C6K Native IOS.

I've hit one such feature lack trying to apply Private VLAN and
port-security to the same port. It works on Cat 4500, but not on the
C6K IOS release I was using. The feature request was accepted by
Engineering and is probably available now.


Rubens
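As an added illustration of the spoof-control feature set Rubens recommends (this is a constructed example, not configuration from the thread or from any poster), the following Catalyst IOS fragment enables DHCP Snooping, Dynamic ARP Inspection, IP Source Guard and Port Security on one workstation access port in VLAN 10. The interface names, the VLAN number, the rate limits and the C6K-style `ip verify source vlan dhcp-snooping port-security` form are assumptions; the exact syntax differs between platforms and releases, so check it against your own switch.

```cisco
! Constructed example: Catalyst IOS access switch, user VLAN 10.
! Global: build the DHCP binding table and validate ARP against it.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Uplink toward the DHCP server / distribution layer.
! Trusted: DHCP server replies and ARP from upstream are not inspected here.
interface GigabitEthernet1/1
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Workstation port (untrusted by default for snooping and DAI).
interface GigabitEthernet2/1
 description workstation
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Port Security: one MAC per port; extra MACs are dropped and counted
 ! rather than err-disabling the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Bound DHCP client rate so a rogue cannot exhaust the binding table.
 ip dhcp snooping limit rate 15
 ! IP Source Guard: only traffic whose source IP and MAC match a
 ! DHCP snooping binding is forwarded (C6K syntax assumed).
 ip verify source vlan dhcp-snooping port-security
!
! Verification after a client leases an address:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip verify source
!   show port-security interface GigabitEthernet2/1
```

With this in place a station that changes its IP or MAC to impersonate another host is dropped at its own port, which addresses the spoofing case without needing a per-port PACL.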
