Chapter 15
Configuring Access Control
Auxiliary VLANs (Applies to Merge-Mode Only)
You cannot configure merge mode on a port that is auxiliary-VLAN enabled. Conversely, a port that is
auxiliary-VLAN enabled cannot be changed to merge mode.
Private VLANs (Applies to Merge-Mode Only)
You can map VACLs to either the primary or the secondary private VLAN. In contrast, Cisco IOS ACLs
can be mapped only to the primary VLAN. An ingress Cisco IOS ACL that is mapped to the primary
VLAN gets mapped to all the corresponding secondary VLANs and not to the primary VLAN itself. An
egress Cisco IOS ACL that is mapped to the primary VLAN gets mapped to the primary VLAN.
The ingress lookups on the private VLANs are performed on the secondary VLAN only. In merge mode,
the PACLs are merged with the ingress VACLs and Cisco IOS ACLs that are applied to the secondary
VLANs.
Port-VLAN Association Changes (Applies to Merge-Mode Only)
The port-VLAN association changes are allowed in all cases. However, when a port is configured in
merge mode, it is possible that a change in the port-VLAN association can result in a merge failure. In
such cases, the port is placed in "merge disable" mode.
Unmapping and then mapping a PACL, VACL, or Cisco IOS ACL automatically triggers a remerge. In this
example, port 3/1 is associated with VLAN 1 and then moved to VLAN 2, and the move causes a merge failure:
Console> (enable) set port security-acl 3/1 merge
ACL interface is set to merge mode for port(s) 3/1.
Console> (enable) set security acl map ipacl1 3/1
ACL ipacl1 is successfully mapped to port(s) 3/1.
Console> (enable) set security acl map ipacl2 1
ACL ipacl2 is successfully mapped to VLAN 1.
Console> (enable) set security acl map ipacl3 2
ACL ipacl3 is successfully mapped to VLAN 2.
Console> (enable) set vlan 2 3/1
2003 Sep 05 22:34:50 %ACL-3-PACLMERGEFAILED:Failed to merge Security ACLs on Port(s) 3/1 with Vlan 2.
VLAN 2 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  -----------------------
2     3/1
Console> (enable) show port security-acl 3/1
Port   Interface Type  Interface Type  Interface Merge Status
       config          runtime         runtime
-----  --------------  --------------  ----------------------
3/1    merge           merge           (VLAN=2) disabled
OL-8978-04
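As an added example that is not part of the Cisco guide, the following Python snippet shows how an operator could detect the failure above: it parses %ACL-3-PACLMERGEFAILED syslog lines and the show port security-acl output into records so that ports left in "merge disable" mode can be reported. The sample log lines and the second (3/2) status row are constructed for illustration; the guide shows only the 3/1 row.

```python
import re

# Syslog line format as shown in the session above.
MERGE_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"%ACL-3-PACLMERGEFAILED:Failed to merge Security ACLs on Port\(s\) "
    r"(?P<ports>\S+) with Vlan (?P<vlan>\d+)\.?$"
)

# One data row of 'show port security-acl' output, e.g.
# "3/1    merge           merge           (VLAN=2) disabled"
STATUS_ROW_RE = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<cfg>\S+)\s+(?P<run>\S+)\s+"
    r"(?:\(VLAN=(?P<vlan>\d+)\)\s+)?(?P<status>\S+)\s*$"
)


def parse_merge_failures(lines):
    """Return one record per PACLMERGEFAILED syslog line; other lines are ignored."""
    events = []
    for line in lines:
        m = MERGE_FAILED_RE.match(line.strip())
        if m:
            events.append({"timestamp": m["ts"], "port": m["ports"], "vlan": int(m["vlan"])})
    return events


def merge_disabled_ports(show_output):
    """Return (port, vlan) for each row whose merge status reads 'disabled'."""
    disabled = []
    for line in show_output.splitlines():
        m = STATUS_ROW_RE.match(line.strip())  # header and dash lines do not match
        if m and m["status"] == "disabled":
            disabled.append((m["port"], int(m["vlan"]) if m["vlan"] else None))
    return disabled


SAMPLE_SYSLOG = [  # constructed sample input, first line copied from the session above
    "2003 Sep 05 22:34:50 %ACL-3-PACLMERGEFAILED:Failed to merge Security ACLs on Port(s) 3/1 with Vlan 2.",
    "2003 Sep 05 22:35:01 %SYS-5-MOD_OK:Module 3 is online",
]

SAMPLE_SHOW = """\
Port   Interface Type  Interface Type  Interface Merge Status
       config          runtime         runtime
-----  --------------  --------------  ----------------------
3/1    merge           merge           (VLAN=2) disabled
3/2    merge           merge           (VLAN=1) enabled
"""  # the 3/2 row and its 'enabled' status are hypothetical, not from the guide

if __name__ == "__main__":
    for ev in parse_merge_failures(SAMPLE_SYSLOG):
        print(f"merge failure: port {ev['port']} VLAN {ev['vlan']} at {ev['timestamp']}")
    print("merge-disabled ports:", merge_disabled_ports(SAMPLE_SHOW))
```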
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring Port-Based ACLs
15-71