Catalyst 6500 Series Software Configuration Guide, 6.3 and 6.4 - Configuring Access Control [Cisco Catalyst 6500 Series Switches]

Table Of Contents

Configuring Access Control

Understanding How ACLs Work

Hardware Requirements

Supported ACLs

QoS ACLs

Cisco IOS ACLs

VACLs

VACL Overview

ACEs Supported in VACLs

Handling Fragmented and Unfragmented Traffic

Applying Cisco IOS ACLs and VACLs on VLANs

Bridged Packets

Routed Packets

Multicast Packets

Using Cisco IOS ACLs in your Network

Hardware and Software Handling of Cisco IOS ACLs with PFC

Security Cisco IOS ACLs

Reflexive ACLs

TCP Intercept

Policy Routing

WCCP

NAT

Unicast RPF Check

Bridge-Groups

Hardware and Software Handling of Cisco IOS ACLs with PFC2

Security Cisco IOS ACLs

Reflexive ACLs

TCP Intercept

Policy Routing

WCCP

NAT

Unicast RPF Check

Bridge-Groups

Using VACLs with Cisco IOS ACLs

Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface

Using the Implicit Deny Action

Grouping Actions Together

Limiting the Number of Actions

Avoiding Layer 4 Port Information

Estimating Merge Results

Examples

Guidelines for Using Layer 4 Operations

Determining Layer 4 Operation Usage

Determining Logical Operation Unit Usage

Using VACLs in your Network

Wiring Closet Configuration

Redirecting Broadcast Traffic to a Specific Server Port

Restricting the DHCP Response for a Specific Server

Denying Access to a Server on Another VLAN

Restricting ARP Traffic

Configuring ACLs on Private VLANs

Capturing Traffic Flows

Unsupported Features

Configuring VACLs

VACL Configuration Guidelines

VACL Configuration Summary

Configuring VACLs From the CLI

Creating an IP VACL and Adding ACEs

Creating an IPX VACL and Adding ACEs

Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

Committing ACLs

Mapping a VACL to a VLAN

Showing the Contents of a VACL

Showing VACL-to-VLAN Mapping

Clearing the Edit Buffer

Removing ACEs from Security ACLs

Clearing the Security ACL Map

Displaying VACL Management Information

Capturing Traffic Flows on Specified Ports

Configuring VACL Logging

Configuring and Storing VACLs and QoS ACLs in Flash Memory

Automatically Moving the VACL and QoS ACL Configuration to Flash Memory

Manually Moving the VACL and QoS ACL Configuration to Flash Memory

Running with the VACL and QoS ACL Configuration in Flash Memory

Moving the VACL and QoS ACL Configuration Back to NVRAM

Redundancy Synchronization Support

Interacting with High Availability

Configuring Policy-Based Forwarding

Understanding How Policy-Based Forwarding Works

Hardware and Software Requirements

Configuring Policy-Based Forwarding

Enabling PBF and Specifying a MAC Address for the PFC2

Configuring VACLs for PBF

Displaying PBF Information

Clearing Entries in PBF VACLs

Rolling Back Adjacency Table Entries in the Edit Buffer

Configuring Hosts for PBF

Linux

Sun Workstation

MS-Windows/NT/2000 Hosts

Policy-Based Forwarding Configuration Example

Configuring Access Control

This chapter describes how to configure access control lists (ACLs) on the Catalyst 6000 family switches. Configuration of the ACLs depends on the type of hardware you install on your supervisor engine. See the "Hardware Requirements" section for details.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family Command Reference publication.

This chapter consists of these sections:

•Understanding How ACLs Work

•Hardware Requirements

•Supported ACLs

•Applying Cisco IOS ACLs and VACLs on VLANs

•Using Cisco IOS ACLs in your Network

•Using VACLs with Cisco IOS ACLs

•Using VACLs in your Network

•Unsupported Features

•Configuring VACLs

•Configuring and Storing VACLs and QoS ACLs in Flash Memory

•Configuring Policy-Based Forwarding

Note Except where specifically differentiated, the information and procedures in this chapter apply to both Supervisor Engine 2 with Layer 3 Switching Engine II (Policy Feature Card 2 or PFC2) and Supervisor Engine 1 with Layer 3 Switching Engine II (Policy Feature Card or PFC).

Understanding How ACLs Work

Traditionally, switches operated at Layer 2 only; switches switched traffic within a VLAN and routers routed traffic between VLANs. Catalyst 6000 family switches with the Multilayer Switch Feature Card (MSFC) can accelerate packet routing between VLANs by using Layer 3 switching (Multilayer Switching [MLS]). The switch first bridges the packet, the packet is then routed internally without going to the router, and then the packet is bridged again to send it to its destination. During this process, the switch can access control all packets it switches, including packets bridged within a VLAN.

Cisco IOS ACLs provide access control for routed traffic between VLANs, and VLAN ACLs (VACLs) provide access control for all packets.

Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features such as access control (security), encryption, policy-based routing, and so on. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets.

VACLs can provide access control based on Layer 3 addresses for IP and IPX protocols. Unsupported protocols are access controlled through MAC addresses. A VACL is applied to all packets (bridged and routed) and can be configured on any VLAN interface. Once a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter the VLAN through a switch port or through a router port after being routed.

Hardware Requirements

The hardware that is required to configure ACLs on Catalyst 6000 family switches is as follows:

•Cisco IOS ACLs:

–Policy Feature Card (PFC) and MSFC or MSFC2

–PFC2 and MSFC2

•VACLs and QoS ACLs:

–PFC

–PFC2

Note The QoS feature set supported on your switch is determined by which switching engine daughter card is installed on the supervisor engine. See Chapter 41, "Configuring QoS" for more information.

Supported ACLs

These sections describe the ACLs supported by the Catalyst 6000 family switches:

•QoS ACLs

•Cisco IOS ACLs

•VACLs

QoS ACLs

You can configure QoS ACLs on the switch; see Chapter 41, "Configuring QoS."

Cisco IOS ACLs

Cisco IOS ACLs are configured on the MSFC VLAN interfaces. An ACL provides access control and consists of an ordered set of access control entries (ACEs). Many other features in Cisco IOS software also use ACLs for specifying flows. For example, Web Cache Redirect (through the Web Cache Coordination Protocol [WCCP]) uses ACLs to specify HTTP flows that can be redirected to a Web cache engine.

Most Cisco IOS features are applied on interfaces for specific directions (inbound versus outbound). However, some features use ACLs globally. For such features, ACLs are applied on all interfaces for a given direction. As an example, TCP intercept uses a global ACL that is applied on all interfaces for outbound direction.

One Cisco IOS ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single ACL is used by multiple features, Cisco IOS software examines it multiple times.

Cisco IOS software examines ACLs that are associated with features that are configured on a given interface and a direction. As packets enter the router on a given interface, Cisco IOS software examines ACLs that are associated with all inbound features that are configured on that interface for the following:

•Inbound access control ACLs (standard, extended, and/or reflexive)

•Encryption ACLs (not supported on the MSFC)

•Policy routing ACLs

•Network Address Translation (NAT) for outside-to-inside translation

After packets are routed and before they are forwarded out to the next hop, Cisco IOS examines all ACLs that are associated with the outbound features that are configured on the egress interface for the following:

•Outbound access control ACLs (standard, extended, and/or reflexive)

•Encryption ACLs (not supported on the MSFC)

•NAT ACLs (for inside-to-outside translation)

•WCCP ACL

•TCP intercept ACL

VACLs

The following sections describe VACLs:

•VACL Overview

•ACEs Supported in VACLs

•Handling Fragmented and Unfragmented Traffic

VACL Overview

VACLs can access control all traffic. You can configure VACLs on the switch to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and redirecting traffic to specific physical switch ports. Unlike Cisco IOS ACLs, VACLs are not defined by direction (input or output).

You can configure VACLs on Layer 3 addresses for IP and IPX. All other protocols are access controlled through MAC addresses and Ethertype using MAC VACLs.

Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.

You can enforce VACLs only on packets going through the Catalyst 6000 family switch; you cannot enforce VACLs on traffic between hosts on a hub or another switch connected to the Catalyst 6000 family switch.

ACEs Supported in VACLs

A VACL contains an ordered list of access control entries (ACEs). Each VACL can contain ACEs of only one type. Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant. An action is associated with each ACE that describes what the system should do with the packet when a match occurs. The action is feature dependent. Catalyst 6000 family switches support three types of ACEs in the hardware:

•IP ACEs

•IPX ACEs

•Ethernet ACEs

Table 16-1 lists the parameters associated with each ACE type.

Table 16-1 ACE Types and Parameters

ACE Type

TCP or UDP¹

ICMP1

Other IP1

IPX

Ethernet²

Layer 4 parameters

Source port

Source port operator

Destination port

Destination port operator

ICMP code1

N/A

ICMP type

N/A

Layer 3 parameters

IP ToS byte

IP ToS byte

IP ToS byte

IP source address

IP source address

IP source address

IPX source network

IP destination address

IP destination address

IP destination address

IPX destination network

IPX destination node

TCP or UDP

ICMP

Other protocol

IPX packet type

Layer 2 parameters

Ethertype

Ethernet source address

Ethernet destination address

¹IP ACEs.

²For Ethernet packets that are not IP version 4 or IPX.

Handling Fragmented and Unfragmented Traffic

TCP/UDP or any Layer 4 protocol traffic, when fragmented, loses the Layer 4 information (Layer 4 source/destination ports). This situation makes it difficult to enforce security based on the application. However, you can identify fragments and distinguish them from the rest of the TCP/UDP traffic.

Layer 4 parameters of ACEs can filter unfragmented traffic and fragmented traffic with fragments that have offset 0. IP fragments that have an offset other than 0 miss the Layer 4 port information and cannot be filtered. The following examples show how ACEs handle packet fragmentation.

This example shows that if the traffic from 1.1.1.1 port 68 is fragmented, only the first fragment goes to port 4/3, and the rest of the traffic from port 68 does not hit this entry.
redirect 4/3 tcp host 1.1.1.1 eq 68 host 255.255.255.255
This example shows that the traffic coming from 1.1.1.1 port 68 and going to 2.2.2.2 port 34 is permitted. If packets are fragmented, the first fragment hits this entry and is permitted; fragments that have an offset other than 0 are also permitted as a default result for fragments.
permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34
This example shows that the fragment that has offset 0 of the traffic from 1.1.1.1 port 68 going to 2.2.2.2 port 34 is denied. The fragments that have an offset other than 0 are permitted as a default.
deny tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34
In releases prior to software release 6.1(1), the fragment filtering was completely transparent; you would type an ACE such as permit tcp .... port eq port_number and the software would implicitly install the following ACE at the top of the ACL: permit tcp any any fragments.

In software release 6.1(1) and later releases, there is a fragment option. If you do not specify the fragment keyword, the behavior is the same as in previous releases. If you specify the fragment keyword, the system does not automatically install a global permit statement for fragments. This keyword allows you to control how fragments are handled.

In this example, 10.1.1.2 is configured to serve HTTP connections. If you do not use a fragment ACE, all the fragments for TCP traffic are permitted as the permit tcp any any fragments ACE is added automatically at the top of the ACL as follows:
permit tcp any any fragments
1. permit tcp any host 10.1.1.2 eq www

2. deny ip any host 10.1.1.2

3. permit ip any any

In the above example if you change entry 1 as follows:

1. deny tcp any host 10.1.1.2 eq www

there will not be a permit tcp any any fragments ACE added at the top of ACL. If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

When you specify the fragment keyword, the system does not install the global permit TCP or UDP fragments statement. When you specify the fragment keyword for at least one ACE, the software implicitly installs ACEs to permit flows to a specific IP address (or subnet) that you specify.

In this ACL example, the deny tcp any host 10.1.1.2 fragment entry stops fragmented traffic going to all TCP ports on host 10.1.1.2. Later in the ACL, the permit udp any host 10.1.1.2 eq 69 entry allows clients to connect to the TFTP server 10.1.1.2. The system automatically installs a permit for all fragments of udp traffic to host 10.1.1.2 ACE; otherwise, fragments would be denied by the entry deny ip any host 10.1.1.2.

1. deny tcp any host 10.1.1.2 fragment

2. permit tcp any host 10.1.1.2 eq www

3. permit udp any host 10.1.1.2 eq 69

4. permit udp any gt 1023 10.1.1.2 gt 1023

5. deny ip any host 10.1.1.2

6. permit ip any any

If you explicitly want to stop fragmented UDP traffic to host 10.1.1.2, enter deny udp any host 10.1.1.2 fragment before entry number 3 as shown in this example:

[...]

3. deny udp any host 10.1.1.2 fragment

4. permit udp any host 10.1.1.2 eq 69

5. permit udp any gt 1023 10.1.1.2 gt 1023

[...]

Applying Cisco IOS ACLs and VACLs on VLANs

This section describes how to apply Cisco IOS ACLs and VACLs to the VLAN for bridged packets, routed packets, and multicast packets.

These sections show how ACLs and VACLs are applied:

•Bridged Packets

•Routed Packets

•Multicast Packets

Bridged Packets

Figure 16-1 shows how an ACL is applied on bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN.

Figure 16-1 Applying ACLs on Bridged Packets

Routed Packets

Figure 16-2 shows how ACLs are applied on routed/Layer 3-switched packets. For routed/Layer 3-switched packets, the ACLs are applied in the following order:

1. VACL for input VLAN

2. Input Cisco IOS ACL

3. Output Cisco IOS ACL

4. VACL for output VLAN

Figure 16-2 Applying ACLs on Routed Packets

Multicast Packets

Figure 16-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:

1. Packets that need multicast expansion:

a. VACL for input VLAN

b. Input Cisco IOS ACL

2. Packets after multicast expansion:

a. Output Cisco IOS ACL

b. VACL for output VLAN

3. Packets originating from router:

a. VACL for output VLAN

Figure 16-3 Applying ACLs on Multicast Packets

Using Cisco IOS ACLs in your Network

Note Configuring Cisco IOS ACLs on the Catalyst 6000 family switch routed-VLAN interfaces is the same as configuring ACLs on other Cisco routers. To configure Cisco IOS ACLs, see the "Unsupported Features" section and the "VACL Configuration Guidelines" section. In addition, refer to the Cisco IOS configuration guides and command reference publication. For example, to configure ACLs for IP, refer to the "Configuring IP Services" chapter in the Network Protocols Configuration Guide, Part 1.

When a feature is configured on the router to process traffic (such as NAT), the Cisco IOS ACL associated with the feature determines the specific traffic that is bridged to the router instead of being Layer 3 switched. The router then applies the feature and routes the packet normally. Note that there are some exceptions to this process as described in the "Hardware and Software Handling of Cisco IOS ACLs with PFC" section.

Note In systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.

Caution For PFC: By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachables when a packet is denied by an access group. These access-group denied packets are not dropped in the hardware but are bridged to the MSFC so that the MSFC can generate the ICMP-unreachable message. To drop access-group denied packets in the hardware, you must disable ICMP unreachables using the no ip unreachables interface configuration command. Note that the ip unreachables command is enabled by default.

For PFC2: If IP unreachables or IP redirect is enabled on an interface, the deny is performed in hardware although a small number of packets are sent to the MSFC2 to generate the appropriate ICMP-unreachable messages.

These sections describe hardware and software handling of ACLs with PFC and PFC2:

•Hardware and Software Handling of Cisco IOS ACLs with PFC

•Hardware and Software Handling of Cisco IOS ACLs with PFC2

Hardware and Software Handling of Cisco IOS ACLs with PFC

This section describes hardware and software handling of Cisco IOS ACLs with the PFC.

Note For information on Cisco IOS ACLs with PFC2, see the "Hardware and Software Handling of Cisco IOS ACLs with PFC2" section.

ACL feature processing requires forwarding of some flows by the software. The forwarding rate for software-forwarded flows is substantially less than for hardware-forwarded flows. Flows that require logging as specified by the ACL are handled in the software without impacting non-log flow forwarding in the hardware.

Note When you enter the show ip access-list command, the match count displayed does not account for packets access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software. This process significantly degrades system performance.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and the software:

•Security Cisco IOS ACLs

•Reflexive ACLs

•TCP Intercept

•Policy Routing

•WCCP

•NAT

•Unicast RPF Check

•Bridge-Groups

Security Cisco IOS ACLs

The IP and IPX security Cisco IOS ACLs with PFC are as follows:

•The flows that match a "deny" statement in a security ACL are dropped by the hardware if "ip unreachables" is disabled. The flows matching a "permit" statement are switched in the hardware.

•Permit and deny actions of standard and extended ACLs (input and output) for security access control are handled in the hardware.

•IP accounting for an ACL access violation on a given interface is supported by forwarding all denied packets for that interface to the software, without impacting other flows.

•Dynamic (lock and key) ACL flows are supported in the hardware; however, idle timeout is not supported.

•IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, and/or destination node. If the ACL contains any other parameters, it is handled in the software.

•IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, destination node, and/or protocol type.

•ACL flows requiring logging are handled in the software without impacting non-log flow forwarding in the hardware.

Reflexive ACLs

Up to 512 simultaneous reflexive sessions are supported in the hardware. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

Policy Routing

Policy routing-required flows are handled in the software without impacting non-policy routed flow forwarding in the hardware. When a route map contains multiple "match" clauses, all conditions imposed by these match clauses must be met before a packet is policy routed. However, for route maps containing both "match ip address" and "match length," all traffic matching the ACL in the "match ip address" clause is forwarded to the software regardless of the match length criteria. For route maps that only contain match length clauses, all packets received on the interface are forwarded to the software.

When you enable hardware policy routing using the mls ip pbr global command, all policy routing occurs in the hardware.

Caution If you use the mls ip pbr command to enable policy routing, policy routing is applied in the hardware for all interfaces regardless of which interface was configured for policy routing.

WCCP

HTTP requests subject to Web Cache Coordination Protocol (WCCP) redirection are handled in the software; HTTP replies from the server and the Cache Engine are handled in the hardware.

NAT

NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the hardware.

Unicast RPF Check

The unicast RPF feature is supported in hardware on the PFC. For ACL-based RPF checks, traffic denied by the unicast RPF ACL is forwarded to the MSFC for RPF validation.

Caution With ACL-based unicast RPF, packets denied by the ACL are sent to the CPU for RPF validation. In the event of DOS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this could cause high CPU utilization.

Note Drop-suppress statistics for ACL-based RPF check is not supported.

Bridge-Groups

Cisco IOS bridge-group ACLs are handled in the software.

Hardware and Software Handling of Cisco IOS ACLs with PFC2

This section describes hardware and software handling of Cisco IOS ACLs with the PFC2.

ACL feature processing requires forwarding some flows to the software. The forwarding rate for software-forwarded flows is substantially less than for hardware-forwarded flows. Flows that require logging as specified by the ACL, are handled in the software without impacting non-log flow forwarding in the hardware.

Note When you enter the show ip access-list command, the match count displayed does not account for packets access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software. This process significantly degrades system performance.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and the software in systems with PFC2:

•Security Cisco IOS ACLs

•Reflexive ACLs

•TCP Intercept

•Policy Routing

•WCCP

•NAT

•Unicast RPF Check

•Bridge-Groups

Security Cisco IOS ACLs

The IP and IPX security Cisco IOS ACLs with PFC2 are as follows:

•If either the "ip unreachables" or "ip redirect" options are enabled, most of the packets of the flows that match a "deny" statement in an ACL are dropped by the hardware, only a few packets are processed in software in order for the router to send the appropriate ICMP-unreachable message.

•Permit and deny actions of standard and extended ACLs (input and output) for security access control are handled in the hardware.

•IP accounting for an ACL access violation on a given interface is supported by forwarding all denied packets for that interface to the software, without impacting other flows.

•Dynamic (lock and key) ACL flows are supported in the hardware; however, idle timeout is not supported.

•IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, and/or destination node. If the ACL contains any other parameters, it is handled in the software.

•IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, destination node, and/or protocol type.

•ACL flows requiring logging are handled in the software without impacting non-log flow forwarding in the hardware.

Reflexive ACLs

ICMP packets are handled in the software. For TCP/UDP flows, once the flow is established, they are handled in hardware. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

The hardware support for TCP intercept on a PFC2 is as follows:

1. Once the TCP intercept feature has been configured, all TCP SYN packets matching the ACEs with a permit clause in the TCP intercept ACL and which are permitted by the security ACL are sent to the software to apply the TCP intercept functionality. This process occurs even if the security ACL does not have the SYN flag specified.

2. If a connection is established successfully, the following applies:

a. If the TCP intercept is using intercept mode with timeout, all traffic belonging to the given connection/flow is handled in the software.

b. For other modes of TCP intercept, once the connection is successfully established, the software installs a hardware shortcut to switch the rest of the flow in the hardware.

3. If a connection is not established successfully, there cannot be any other traffic belonging to that flow.

Policy Routing

Policy routing-required flows are handled in hardware or software depending on the route map. If the route map contains only a "match ip address" and the "set" clause contains the "next hop" and the next hop is reachable, then the packet is forwarded in hardware. When a route map contains multiple "match" clauses, all conditions imposed by these match clauses must be met before a packet is policy routed. However, for route maps containing both a match ip address and match length, all traffic matching the ACL in the match ip address clause is forwarded to the software regardless of the match length criteria. For route maps that only contain match length clauses, all packets received on the interface are forwarded to the software.

Note The mls ip pbr command is not required (and not supported) on PFC2.

WCCP

HTTP requests subject to WCCP redirection are handled in the software; HTTP replies from the server and the Cache Engine are handled in the hardware.

NAT

NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the hardware.

Unicast RPF Check

The unicast RPF feature is supported in hardware on the PFC2. For ACL-based RPF checks, traffic denied by the unicast RPF ACL is forwarded to the MSFC2 for RPF validation.

Caution With ACL-based unicast RPF, packets denied by the ACL are sent to the CPU for RPF validation. In the event of DOS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this could cause high CPU utilization.

Note Drop-suppress statistics for ACL-based RPF check is not supported.

Bridge-Groups

Cisco IOS bridge-group ACLs are handled in the software.

Using VACLs with Cisco IOS ACLs

To access control both bridged and routed traffic, you can use VACLs only or a combination of Cisco IOS ACLs and VACLs. You can define Cisco IOS ACLs on both input and output routed-VLAN interfaces, and you can define a VACL to access control the bridged traffic.

If a flow matches a VACL deny or redirect clause in the ACL, irrespective of the IOS ACL configuration, the flow is denied or redirected. The following caveats apply to IOS ACLs when used with VACLs:

•Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.

•NAT—VACLs are applied on packets before NAT translation. Note that if the translated flow should not be access controlled, the flow might get access controlled after the translation because of the VACL configuration.

Note VACLs have an implicit deny at the end of the list; a packet is denied if it does not match any VACL ACE.

These sections describe Cisco IOS ACL and VACL configuration guidelines and guidelines for Layer 4 operations:

•Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface

•Guidelines for Using Layer 4 Operations

Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface

Follow these guidelines when you need to configure a Cisco IOS ACL and a VACL on the same VLAN. These guidelines do not apply to configurations where you are mapping Cisco IOS ACLs and VACLs on different VLANs.

The Catalyst 6000 family switch hardware provides one lookup for security ACLs for each direction (input and output); you must merge a Cisco IOS ACL and a VACL when they are configured on the same VLAN. Merging the Cisco IOS ACL with the VACL might significantly increase the number of ACEs.

If you must configure a Cisco IOS ACL and a VACL on the same VLAN, use the following guidelines for both Cisco IOS ACL and VACL configuration.

Note To display the percentage of ACL storage being used, enter the show security acl resource-usage command.

These sections provide Cisco IOS ACL and VACL configuration guidelines and examples:

•Using the Implicit Deny Action

•Grouping Actions Together

•Limiting the Number of Actions

•Avoiding Layer 4 Port Information

•Estimating Merge Results

•Examples

Using the Implicit Deny Action

If possible, use the implicit deny action at the end of an ACL (deny any any) and define ACEs to permit only allowed traffic. You can achieve this same effect by defining all the deny entries, and at the end of the list specifying permit ip any any (see Example 1).

Grouping Actions Together

To define multiple actions in an ACL (permit, deny, redirect), group each action type together. Example 3 shows what can happen when you do not group each type together. In the example, the deny action in line 6 was grouped with permit actions. If this deny action is removed, the result of merging would be 53 entries, instead of 329.

Limiting the Number of Actions

An ACL with only permit ACEs has two actions: permit and deny (because of the implicit deny at the end of the list). An ACL with permit and redirect has three actions: permit, redirect, and deny (because of the implicit deny at the end of the list).

When configuring an ACL, the best merge results are obtained when you specify only two different actions: permit and deny, redirect and permit, or redirect and deny.

To specify a redirect and deny ACL, do not use any permit ACEs. To specify a redirect and permit ACL, use permit ACEs, redirect ACEs, and for the last ACE, specify permit ip any any. If you specify permit ip any any, you will override the implicit deny ip any at the end of the list (see Example 4).

Avoiding Layer 4 Port Information

Avoid including Layer 4 information in an ACL; adding this information will complicate the merging process. You will obtain the best merge results if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).

If you need to specify the full flow, see the recommendations in the "Using the Implicit Deny Action" section, "Grouping Actions Together" section, and Example 6. If you cannot follow the recommendations because the ACL has both IP and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list to prioritize the traffic filtering based on IP addresses.

Estimating Merge Results

If you follow the ACL guidelines when configuring ACLs, you can get a rough estimate of the merge results for ACLs.

The following example uses ACL A, ACL B, and ACL C. If ACL C is the result of merging ACL A and ACL B, and you know the size of ACL A and ACL B, you can estimate the upper limit of the size of ACL C when no Layer 4 port information has been specified on ACL A and ACL B, as follows:

size of ACL C = (size of ACL A) x (size of ACL B) x (2)

If Layer 4 port information was specified, the upper limit could be higher.

Examples

These examples show the merge results for various Cisco IOS ACL and VACL configurations. Note that in these examples, one VACL and one Cisco IOS ACL are configured on the same VLAN.

Example 1

This example shows that the VACL does not follow the recommended guidelines (see line 9) and the resultant merge increases the number of ACEs:
******** VACL  ***********
1  permit udp host 194.72.72.33 194.72.6.160 0.0.0.15
2  permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps
3  permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog
4  permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs
5  permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp
6  permit udp host 193.6.65.17 host 194.72.6.205 gt 1023
7  permit tcp any host 194.72.6.52
8  permit tcp any host 194.72.6.52 eq 113
9  deny tcp any host 194.72.6.51 eq ftp
10 permit tcp any host 194.72.6.51 eq ftp-data
11 permit tcp any host 194.72.6.51
12 permit tcp any eq domain host 194.72.6.51
13 permit tcp any host 194.72.6.51 gt 1023
14 permit ip  any host 1.1.1.1
******** IOS ACL ************
1  deny ip any host 239.255.255.255
2  permit ip any any
******** MERGE **********
has 91 entries entries
Example 2

In Example 1, if you follow the guidelines and remove line 9 and modify lines 11 and 12, you get the following equivalent ACL with improved merge results (note that a deny ACE is not specified):
******** VACL  **********
1  permit udp host 194.72.72.33 194.72.6.160 0.0.0.15
2  permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps
3  permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog
4  permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs
5  permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp
6  permit udp host 193.6.65.17 host 194.72.6.205 gt 1023
7  permit tcp any host 194.72.6.52
8  permit tcp any host 194.72.6.52 eq 113
9  permit tcp any host 194.72.6.51 eq ftp-data
10 permit tcp any host 194.72.6.51 neq ftp
11 permit tcp any eq domain host 194.72.6.51 neq ftp
12 permit tcp any host 194.72.6.51 gt 1023
13 permit ip  any host 1.1.1.1
******** IOS ACL ************
1  deny ip any host 239.255.255.255
2  permit ip any any
******** MERGE ***********
has 78 entries
Example 3

This example shows the VACL does not follow the recommended guidelines, and the resultant merge significantly increases the number of ACEs:
******** VACL  ***********
1  deny ip 0.0.0.0 255.255.255.0 any
2  deny ip 0.0.0.255 255.255.255.0 any
3  deny ip any 0.0.0.0 255.255.255.0
4  permit ip any host 239.255.255.255
5  permit ip any host 255.255.255.255
6  deny ip any 0.0.0.255 255.255.255.0
7  permit tcp any range 0 65534 any range 0 65534
8  permit udp any range 0 65534 any range 0 65534
9  permit icmp any any
10 permit ip any any
******** IOS ACL **********
1  deny ip any host 239.255.255.255
2  permit ip any any
******** MERGE **********
has 329 entries
Example 4

This example shows that the VACL does not follow the recommended guidelines (three different actions are specified), and the resultant merge significantly increases the number of ACEs:
******** VACL  ***********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 deny tcp any any lt 30
4 deny udp any any lt 30
5 permit ip any any
*******  IOS ACL *********** 
1  deny ip any host 239.255.255.255
2  permit ip any any
*******  MERGE ********** 
has 142 entries
Example 5

This example shows the VACL has two different actions specified and the merge results are significantly improved:
******** VACL  ***********
1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255
2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255
3 permit ip any any
*******  IOS ACL ***********
1  deny ip any host 239.255.255.255
2  permit ip any any
*******  MERGE **********
has 4 entries
Example 6

This example shows that applying the merging guidelines on a large Cisco IOS ACL (no Layer 4 port information is specified on the Cisco IOS ACL), produces a merge result of 801 entries:
******** VACL **********
1 redirect 4/25 tcp host 192.168.1.67 255.255.255.255 0.0.0.0
2 redirect 4/25 udp host 192.168.1.67 255.255.255.255 0.0.0.0
3 redirect 4/25 icmp host 192.168.1.67 host 255.255.255.255
4 redirect 4/25 ip host 192.168.1.67 host 255.255.255.255
5 deny tcp any any lt 30
6 deny udp any any lt 30    
7 permit ip any any
******** IOS ACL *********** 
1 permit ip 147.150.213.64 0.0.0.31 194.72.6.64 0.0.0.15  
2 permit ip 147.150.213.64 0.0.0.31 194.72.6.160 0.0.0.15 
3 permit ip 147.150.213.64 0.0.0.31 host 194.72.6.205
4 permit ip 147.151.77.0 0.0.0.255 194.72.6.64 0.0.0.15
5 permit ip 147.151.77.0 0.0.0.255 194.72.6.160 0.0.0.15
6 permit ip 147.151.77.0 0.0.0.255 194.72.6.208 0.0.0.15
7 permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205
8 permit ip host 193.37.169.121 194.72.6.64 0.0.0.15
[...] total 62 entries without L4 information
******** MERGE **********
has 801 ACEs
Example 7

This example shows that the same Cisco IOS ACL that was used in Example 6 is merged with a VACL with Layer 4 port information. Following the guidelines in the "Using the Implicit Deny Action" section, the merge results are good.
******** VACL  *********
1 permit tcp host 193.131.248.24 194.73.73.0 0.0.0.15 gt 1023
2 permit tcp host 158.43.128.8 194.72.6.224 0.0.0.7 gt 1023
3 permit udp any 194.72.6.224 0.0.0.7 eq time
4 permit udp any 194.73.73.0 0.0.0.15 eq time
5 permit udp 194.72.7.128 0.0.0.7 194.72.6.224 0.0.0.7 eq 1645
6 permit udp 194.72.7.128 0.0.0.7 194.73.73.0 0.0.0.15 eq 1645
7 permit udp host 158.152.1.65 194.72.6.224 0.0.0.7 gt 1023
8 permit udp host 158.152.1.65 194.73.73.0 0.0.0.15 gt 1023
[...] total 168 entries
******** IOS ACL *********
1 permit ip 147.150.213.64 0.0.0.31 194.72.6.64 0.0.0.15
2 permit ip 147.150.213.64 0.0.0.31 194.72.6.160 0.0.0.15
3 permit ip 147.150.213.64 0.0.0.31 host 194.72.6.205
4 permit ip 147.151.77.0 0.0.0.255 194.72.6.64 0.0.0.15
5 permit ip 147.151.77.0 0.0.0.255 194.72.6.160 0.0.0.15
6 permit ip 147.151.77.0 0.0.0.255 194.72.6.208 0.0.0.15
7 permit ip 147.151.77.0 0.0.0.255 host 194.72.6.205
8 permit ip host 193.37.169.121 194.72.6.64 0.0.0.15
[...] total 62 entries without L4 information
******* MERGE ********
has 1259 ACEs.
Guidelines for Using Layer 4 Operations

Follow these guidelines for configurations where you need to specify Layer 4 port operations.

These sections provide guidelines for specifying Layer 4 port operations:

•Determining Layer 4 Operation Usage

•Determining Logical Operation Unit Usage

Determining Layer 4 Operation Usage

The switch hardware allows you to specify these types of operations:

•gt (greater than)

•lt (less than)

•neq (not equal)

•eq (equal)

•range (inclusive range)

We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.

Note If you have a Cisco IOS ACL and a VACL on the same VLAN interface, the recommended total number of Layer 4 operations is still nine or less.

Use the following two guidelines to determine Layer 4 operation usage:

1. Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are four different Layer 4 operations ("gt 10" and "gt 11" are considered two different Layer 4 operations):
... gt 10 permit
... lt 9 deny
... gt 11 deny
... neq 6 redirect
Note There is no limit to the use of "eq" operators as the "eq" operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the "Determining Logical Operation Unit Usage" section for a description of LOUs.

2. Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port.
... Src gt 10 ...
... Dst gt 10
Note Check the ACL Layer 4 port operations resource usage using the show security acl resource-usage command.

Determining Logical Operation Unit Usage

LOUs are registers that store operator/operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator/operand couples with the exception of the range operator. LOU usage per Layer 4 operation is as follows:

•gt uses 1/2 LOU

•lt uses 1/2 LOU

•neq uses 1/2 LOU

•range uses 1 LOU

•eq does not require a LOU

For example, this ACL would use a single LOU to store two different operator/operand couples:
... Src gt 10 ...
... Dst gt 10
A more detailed example follows:
ACL1
... (dst port) gt 10 permit
... (dst port) lt 9 deny
... (dst port) gt 11 deny
... (dst port) neq 6 redirect
... (src port) neq 6 redirect
... (dst port) gt 10 deny
ACL2
... (dst port) gt 20 deny
... (src port) lt 9 deny
... (src port) range 11 13 permit
... (dst port) neq 6 redirect
The Layer 4 operations and LOU usage is as follows:

•ACL1 Layer 4 operations: 5

•ACL2 Layer 4 operations: 4

•LOUs: 4

An explanation of the LOU usage follows:

•LOU 1 stores "gt 10" and "lt 9"

•LOU 2 stores "gt 11" and "neq 6"

•LOU 3 stores "gt 20" (with space for one more)

•LOU 4 stores "range 11 13" (range needs the entire LOU)

Using VACLs in your Network

This section describes some typical uses for VACLs and includes the following:

•Wiring Closet Configuration

•Redirecting Broadcast Traffic to a Specific Server Port

•Restricting the DHCP Response for a Specific Server

•Denying Access to a Server on Another VLAN

•Restricting ARP Traffic

•Configuring ACLs on Private VLANs

•Capturing Traffic Flows

Wiring Closet Configuration

In a wiring closet configuration, Catalyst 6000 family switches might not be equipped with MSFCs (routers). In this configuration, the switch can still support a VACL and a QoS ACL. Suppose Host X and Host Y are in different VLANs and are connected to wiring closet Switch A and Switch C (see Figure 16-4). Traffic from Host X to Host Y is eventually being routed by the switch equipped with the MSFC. Traffic from Host X to Host Y can be access controlled at the traffic entry point, Switch A.

If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VACL on Switch A. All HTTP traffic from Host X to Host Y would be dropped at Switch A and not be bridged to the switch with the MSFC.

Figure 16-4 Wiring Closet Configuration

Redirecting Broadcast Traffic to a Specific Server Port

Some application traffic uses broadcast packets that reach every host in a VLAN. With VACLs, you can redirect these broadcast packets to the intended application server port.

Figure 16-5 shows an application broadcast packet from Host A being redirected to the target application server port and preventing other ports from receiving the packet.

To redirect broadcast traffic to a specific server port, perform this task in privileged mode (TCP port 5000 is the intended server application port):

Task

Command

Step 1

Redirect the broadcast packets.

set security acl ip SERVER redirect 4/1 tcp any host 255.255.255.255 eq 5000

Step 2

Permit all other traffic.

set security acl ip SERVER permit ip any any

Step 3

Commit the VACL.

commit security acl SERVER

Step 4

Map the VACL to VLAN 10.

set security acl map SERVER 10

Note You could apply the same concept to direct broadcast traffic to a multicast destination by redirecting the traffic to a group of ports (see Figure 16-5).

Figure 16-5 Redirecting Broadcast Traffic to a Specific Server Port

Restricting the DHCP Response for a Specific Server

When Dynamic Host Configuration Protocol (DHCP) requests are broadcast, they reach every DHCP server in the VLAN and multiple responses are returned. With VACLs, you can restrict the response from a specific DHCP server and drop the other responses.

To restrict DHCP responses for a specific server, perform this task in privileged mode (the target DHCP server IP address is 1.2.3.4):

Task

Command

Step 1

Permit a DHCP response from host 1.2.3.4.

set security acl ip SERVER permit udp host 1.2.3.4 any eq 68

Step 2

Deny DHCP responses from any other host.

set security acl ip SERVER deny udp any any eq 68

Step 3

Permit other IP traffic.

set security acl ip SERVER permit any

Step 4

Commit the VACL.

commit security acl SERVER

Step 5

Map the VACL to VLAN 10.

set security acl map SERVER 10

Figure 16-6 shows that only the target server returns a DHCP response from the DHCP request.

Figure 16-6 Redirect DHCP Response for a Specific Server

Denying Access to a Server on Another VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 16-7):

•Hosts in subnet 10.1.2.0/24 in VLAN 20 should not have access.

•Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

To deny access to a server on another VLAN, perform this task in privileged mode:

Task

Command

Step 1

Deny traffic from hosts in subnet 10.1.2.0/8.

set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100

Step 2

Deny traffic from host 10.1.1.4.

set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100

Step 3

Deny traffic from host 10.1.1.8.

set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100

Step 4

Permit other IP traffic.

set security acl ip SERVER permit ip any any

Step 5

Commit the VACL.

commit security acl SERVER

Step 6

Map the VACL to VLAN 10.

set security acl map SERVER 10

Figure 16-7 Deny Access to a Server on Another VLAN

Restricting ARP Traffic

Note This feature is only available with Supervisor Engine 2 with PFC2.

ARP traffic is permitted on each VLAN by default. You can disallow ARP traffic on a per VLAN basis using the set security acl ip acl_name deny arp command. When you enter this command, ARP traffic is disallowed on the VLAN that the ACL is mapped to. To allow ARP traffic on a VLAN that has had ARP traffic disallowed, enter the set security acl ip acl_name permit arp command.

Configuring ACLs on Private VLANs

Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows:

•You can map VACLs to secondary VLANs or primary VLANs.

•Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.

•You cannot map Cisco IOS ACLs to secondary VLANs.

•You cannot map dynamic ACEs to a private VLAN.

•You can map QoS ACLs to secondary VLANs or primary VLANs.

If you map a VACL to a primary VLAN, it filters the traffic from the router to the host and if you map a VACL to a secondary VLAN, it filters the traffic from the host to the router.

Note With software releases 6.2(1) and later, you can use two-way community VLANs to perform an inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary of a private VLAN through a promiscuous port. Both outbound and inbound traffic can be carried on the same VLAN allowing VLAN-based VACLs to be applied in both directions on a per-community (per customer) basis.

Note For additional information on private VLANS, see the "Configuring Private VLANs" section on page 11-13.

Capturing Traffic Flows

See the "Capturing Traffic Flows on Specified Ports" section for complete configuration details.

Unsupported Features

This section lists ACL-related features that are not supported or have limited support on the Catalyst 6000 family switches.

•Non-IP version 4/non-IPX Cisco IOS ACLs—The following types of Cisco IOS security ACLs cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software and this significantly degrades system performance:

–Bridge-group ACLs

–IP accounting

–Inbound and outbound rate limiting

–Standard IPX with source node number

–IPX extended access lists that specify a source node number or socket numbers are not enforced in the hardware

–Standard XNS access list

–Extended XNS access list

–DECnet access list

–Extended MAC address access list

–Protocol type-code access list

•IP packets with a header length of less than five will not be access controlled.

•Non full-flow IPX VACL—IPX VACL is based on a flow specified by a source/destination network number, packet type, and destination node number only. The source node number and socket number are not supported when specifying the IPX flow.

Configuring VACLs

This section describes how to configure VACLs. Prior to performing any configuration tasks, see the "VACL Configuration Guidelines" section.

These sections provide guidelines and a summary for configuring VACLs:

•VACL Configuration Guidelines

•VACL Configuration Summary

VACL Configuration Guidelines

Follow these guidelines when configuring VACLs:

Caution All changes to ACLs are stored temporarily in an edit buffer. You must enter the commit command to commit all ACEs to NVRAM. Committed ACLs with no ACEs are deleted. We recommend that you enter ACEs in batches and enter the commit command to save all of them to NVRAM.

Note You can configure Cisco IOS ACLs and VACLs from Flash memory instead of NVRAM. See the "Configuring and Storing VACLs and QoS ACLs in Flash Memory" section for detailed information.

•See the "Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface" section.

•See the "Using VACLs in your Network" section for configuration examples.

•See the "Unsupported Features" section.

•Note that a VACL has to be committed before you can map it to a VLAN. There are no default VACLs and no default VACL-to-VLAN mappings.

•Note that if there is no Cisco IOS ACL configured to deny traffic on a routed VLAN interface (input or output), and no VACL configured, all traffic is permitted.

•Note that the order of ACEs in an ACL is important. A packet that comes into the switch is applied against the first ACE in the ACL. If there is no match, the packet is applied against the next ACE in the list. If no ACEs match, the packet is denied (dropped).

•Always enter the show security acl info acl_name editbuffer command to see the current list of ACEs before making any changes to the edit buffer.

•Note that in systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.

•Note that the system might incorrectly calculate the maximum number of ACLs in the system if an ACL is deleted but not committed.

•Note that the show security acl resource-usage and show qos acl resource-usage commands might not show 100 percent usage even if there is no space in the hardware to store more ACLs. This situation occurs because some ACL space is reserved in hardware for the ACL manager to perform cleanup and mapping if necessary.

•Note that the system might take longer to boot if you configure a very large number of ACLs.

•Follow these guidelines for using the redirect option:

–Note that redirected packets can only go out a port that supports the VLAN that the traffic is in.

–Note that the redirect option only involves taking packets and sending them out the redirect port; there is no routing involved.

–Note that if packets are coming in from many VLANs, the redirect port should have those VLANs in forwarding state. You might have to configure the redirect port as a trunk to allow multiple VLANs to go out of the port.

–Put caches in promiscuous mode so they can receive traffic that is not routed.

–Use the redirect option to do some basic VLAN-based load balancing by redirecting traffic to multiple ports. Each port transmits only those packets that belong to the VLANs that are forwarding on the port.

VACL Configuration Summary

To create a VACL and map it to a VLAN, perform these steps:

Step 1 Enter the set security acl ip command to create a VACL and add ACEs.

Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.

Step 3 Enter the set security acl map command to map the VACL to a VLAN.

Note An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs using the same basic steps.

Note VACLs have an implicit deny feature at the end of the list; a packet is denied if it does not match any VACL ACE.

Configuring VACLs From the CLI

This section describes how to create and activate VACLs on the Catalyst 6000 family switches. These tasks are listed in the order that they should be performed.

This section describes the following tasks:

•Creating an IP VACL and Adding ACEs

•Creating an IPX VACL and Adding ACEs

•Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

•Committing ACLs

•Mapping a VACL to a VLAN

•Showing the Contents of a VACL

•Showing VACL-to-VLAN Mapping

•Clearing the Edit Buffer

•Removing ACEs from Security ACLs

•Clearing the Security ACL Map

•Displaying VACL Management Information

•Capturing Traffic Flows on Specified Ports

•Configuring VACL Logging

Creating an IP VACL and Adding ACEs

To create a new IP VACL and add ACEs, or to add ACEs to an existing IP VACL, perform these tasks in privileged mode:

Task

Command

•If an IP protocol specification is not required, use the following syntax.

•If an IP protocol is specified, use the following syntax.

set security acl ip {acl_name} {permit | deny} {src_ip_spec} [capture]
[before editbuffer_index | modify editbuffer_index] [log¹]

set security acl ip {acl_name} {permit | deny | redirect mod_num/
port_num} {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index] [log1]

¹The log keyword provides logging messages for denied IP VACLs only.

This example shows how to create an ACE for IPACL1 to allow traffic from source address 172.20.53.4:
Console> (enable) set security acl ip IPACL1 permit host 172.20.53.4 0.0.0.0
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 
Note The example shows that because VACLs have an implicit deny feature at the end of the list, all other traffic is denied.

This example shows how to create an ACE for IPACL1 to allow traffic from all source addresses:
Console> (enable) set security acl ip IPACL1 permit any
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 
This example shows how to create an ACE for IPACL1 to block traffic from source address 171.3.8.2:
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2
IPACL1 editbuffer modified.  Use `commit' command to apply changes.
Console> (enable) 
This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPACL1 editbuffer
set security acl ip IPACL1
-----------------------------------------------------------------
1. permit ip host 172.20.53.4 any
2. permit ip any any
3. deny ip host 171.3.8.2 any
Console> (enable) 
This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPACL1 is committed to hardware.
Console> (enable) 
Note For more information about the commit security acl all command, see the "Committing ACLs" section.

Enter the show security acl info IPACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

This example shows how to create an ACE for IPACL2 to block traffic from source address 172.20.3.2 and place this ACE before ACE number 2 in the VACL. Optionally, you can use the modify keyword to replace an existing ACE with a new ACE. Enter the show security acl info acl_name [editbuffer] command to see the current ACE listing stored in NVRAM (enter the editbuffer keyword to see edit buffer contents).
Console> (enable) set security acl ip IPACL2 deny host 172.20.3.2 before 2 
IPACL2 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to create an ACE for IPACL2 to redirect IP traffic to port 3/1 from source address 1.2.3.4 with the destination address of 255.255.255.255. Note that host can be used as an abbreviation for a source and source-wildcard of 0.0.0.0. This ACE also specifies the following:

•precedence—IP precedence values that range between zero for low priority and seven for high priority.

•tos—Type of service levels that range between 0 and 15.

Note The ToS is bits 3 through 6 of the IP ToS byte as defined by RFC-1349. The precedence is bits 0 through 2 as defined by RFC-791.
Console> (enable) set security acl ip IPACL2 redirect 3/1 ip 1.2.3.4 0.0.0.255 host 
255.255.255.255 precedence 1 tos min-delay
IPACL2 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 
This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPACL2 editbuffer
set security acl ip IPACL2
-----------------------------------------------------------------
1. deny 172.20.3.2
2. redirect 1.2.3.4
Console> (enable) 
Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPACL2 is committed to hardware.
Console> (enable) 
Note For more information about the commit security acl all command see the "Committing ACLs" section.

Enter the show security acl info IPACL2 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Creating an IPX VACL and Adding ACEs

To create a new IPX VACL and add ACEs, or to add ACEs to an existing IPX VACL, perform this task in privileged mode:

Task

Command

Create a new IPX VACL and add ACEs, or add ACEs to an existing IPX VACL.

set security acl ipx {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask]] [capture] [before editbuffer_index modify editbuffer_index]

This example shows how to create an ACE for IPXACL1 to block all traffic from source network 1234:
Console> (enable) set security acl ipx IPXACL1 deny any 1234
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to create an ACE for IPXACL1 to block all traffic with destination address 1.A.3.4:
Console> (enable) set security acl ipx IPXACL1 deny any any 1.A.3.4
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to create an ACE for IPXACL1 to redirect broadcast traffic to port 4/1 from source network 3456:
Console> (enable) set security acl ipx IPXACL1 redirect 4/1 any 3456
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPXACL1 editbuffer
set security acl ipx IPXACL1
-----------------------------------------------------------------
1. deny any 1234
2. deny any any 1.A.3.4
3. redirect 4/1 any 3456
Console> (enable) 
Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPXACL1 is committed to hardware.
Console> (enable) 
Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.
This example shows how to create an ACE for IPXACL1 to allow all traffic from source network 1 and insert this ACE before ACE number 2:
Console> (enable) set security acl ipx IPXACL1 permit any 1 before 2
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to create an ACE for IPXACL1 to allow traffic from all source addresses:
Console> (enable) set security acl ipx IPXACL1 permit any any
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPXACL1 editbuffer
set security acl ipx IPXACL1
-----------------------------------------------------------------
1. deny any 1234
2. permit any 1
3. deny any any 1.A.3.4
4. redirect 4/1 any 3456
5. permit any any
ACL IPXACL1 Status: Not Committed
Console> (enable) 
This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPXACL1 is committed to hardware.
Console> (enable) 
Note For more information about the commit security acl all command, see the "Committing ACLs" section.

Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.

To create a new non-IP version 4/non-IPX VACL and add ACEs, or to add ACEs to an existing non-IP version 4/non-IPX VACL, perform this task in privileged mode:

Task

Command

Create a new non-IP
version 4/non-IPX VACL and add ACEs, or add ACEs to an existing non-IP version 4/non-IPX VACL.

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]

This example shows how to create an ACE for MACACL1 to block all traffic from 8-2-3-4-7-A:
Console> (enable) set security acl mac MACACL1 deny host 8-2-3-4-7-A any
MACACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to create an ACE for MACACL1 to block all traffic to A-B-C-D-1-2:
Console> (enable) set security acl mac MACACL1 deny any host A-B-C-D-1-2
MACACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to create an ACE for MACACL1 to allow traffic from all sources:
Console> (enable) set security acl mac MACACL1 permit any any
MACACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info MACACL1 editbuffer
set security acl mac MACACL1
-----------------------------------------------------------------
1. deny 8-2-3-4-7-A any
2. deny any A-B-C-D-1-2
3. permit any any
Console> (enable) 
Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section.

This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL MACACL1 is committed to hardware.
Console> (enable) 
Note For more information about the commit security acl all command, see the "Committing ACLs" section.

Enter the show security acl info MACACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Committing ACLs

You can commit all ACLs or a specific ACL to NVRAM with the commit command. Any committed ACL with no ACEs will be deleted.

To commit an ACL to NVRAM, perform this task in privileged mode:

Task

Command

Commit an ACL to NVRAM.

commit security acl acl_name | all

This example shows how to commit a specific security ACL to NVRAM:
Console> (enable) commit security acl IPACL2
ACL commit in progress.
ACL IPACL2 is committed to hardware.
Console> (enable) 
Mapping a VACL to a VLAN

You can map a VACL to a VLAN with the set security acl map command. Note that there is no default ACL-to-VLAN mapping; all VACLs need to be mapped to a VLAN.

To map a VACL to a VLAN, perform this task in privileged mode:

Task

Command

Map a VACL to a VLAN.

set security acl map acl_name vlans

This example shows how to map IPACL1 to VLAN 10:
Console> (enable) set security acl map IPACL1 10
ACL IPACL1 mapped to vlan 10
Console> (enable)
This example shows the output if you try to map an ACL that has not been committed:
Console> (enable) set security acl map IPACL1 10
Commit ACL IPACL1 before mapping.
Console> (enable)
Showing the Contents of a VACL

You can display the contents of a VACL with the show security acl info command.

To show the contents of a VACL, perform this task in privileged mode:

Task

Command

Show the contents of a VACL.

show security acl info {acl_name | all} [editbuffer [editbuffer_index]]

This example shows how to show the contents of a VACL that has been saved in NVRAM:
Console> (enable) show security acl info IPACL1 
set security acl ip IPACL1
------------------------------------------------------------------
1. deny A
2. deny ip B any
3. deny c
4. permit any
This example shows how to show the contents of a VACL that is still in the edit buffer:
Console> (enable) show security acl info IPACL1 editbuffer
set security acl ip IPACL1
-----------------------------------------------------------------
1. deny A
2. deny ip B any
3. deny C
4. deny D
5. permit any
Console> (enable) 
Showing VACL-to-VLAN Mapping

You can display VACL-to-VLAN mapping for a specified ACL or VLAN with the show security acl map command.

To show VACL-to-VLAN mapping, perform this task in privileged mode:

Task

Command

Show VACL-to-VLAN mapping.

show security acl map {acl_name | vlan | all}

This example shows how to show the mappings of a specific VACL:
Console> (enable) show security acl map IPACL1
ACL IPACL1 is mapped to VLANs:
1
Console> (enable)
This example shows how to show the mappings of a specific VLAN:
Console> (enable) show security acl map 1
VLAN 1 is mapped to IP ACL IPACL1.
VLAN 1 is mapped to IPX ACL IPXACL1.
VLAN 1 is mapped to MAC ACL MACACL1.
Console> (enable)
Clearing the Edit Buffer

You can clear changes made to the ACL edit buffer since its last save with the rollback command. The ACL is rolled back to its state at the last commit command.

To clear the ACL edit buffer, perform this task in privileged mode:

Task

Command

Clear the ACL edit buffer.

rollback security acl {acl_name | all | adjacency}

This example shows how to clear the edit buffer of a specific security ACL:
Console> (enable) rollback security acl IPACL1
Editbuffer for `IPACL1' rolled back to last commit state.
Console> (enable) 
Removing ACEs from Security ACLs

You can remove a specific ACE or all ACEs from an ACL with the clear security acl command. This command deletes the ACEs from the edit buffer.

To remove an ACE from a security ACL, perform this task in privileged mode:

Task

Command

Remove an ACE from a security ACL.

clear security acl all
clear security acl acl_name
clear security acl acl_name editbuffer_index

This example shows how to remove ACEs from all the ACLs:
Console> (enable) clear security acl all
All editbuffers modified. Use `commit' command to apply changes.
Console> (enable)
This example shows how to remove a specific ACE from a specific ACL:
Console> (enable) clear security acl IPACL1 2
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
Clearing the Security ACL Map

You can remove a VACL-to-VLAN mapping with the clear security acl map command.

To clear the security ACL map, perform this task in privileged mode:

Task

Command

Clear the security ACL map.

clear security acl map all
clear security acl map acl_name
clear security acl map vlan
clear security acl map acl_name vlan

This example shows how to clear all VACL-to-VLAN mappings:
Console> (enable) clear security acl map all
Map deletion in progress.
Successfully cleared mapping between ACL ip1 and VLAN 10.
Successfully cleared mapping between ACL ipx1 and VLAN 10.
.... display text omitted
Console> (enable)
This example shows how to clear the mapping for a specific VACL on a specific VLAN:
Console> (enable) clear security acl map IPACL1 50
Map deletion in progress.
Successfully cleared mapping between ACL ipacl1 and VLAN 50.
Console> (enable)
Displaying VACL Management Information

You can display VACL management information with the show security acl resource-usage command.

To display VACL management information, perform this task in privileged mode:

Task

Command

Display VACL management information.

show security acl resource-usage

This example shows how to display VACL management information:
Console> (enable) show security acl resource-usage
ACL resource usage:
ACL storage (mask/value): 0.29%/0.10%
ACL to switch interface mapping table: 0.39%
ACL layer 4 port operators: 0.0%
Console (enable) 
Capturing Traffic Flows on Specified Ports

You can use the capture option in the set security acl (ip, ipx, and mac) commands to specify that packets that match the specified flows are captured and transmitted out of capture ports. You can specify capture ports using the set security acl capture-ports mod/ports... command. When you use the capture option, the packets that match the specified flows are captured in parallel and transmitted out of the capture ports. Capture ports do not send out all the captured traffic; they send out only the traffic belonging to the VLANs of the captured port.

Configuration Guidelines

Follow these guidelines when configuring capture ports:

•The capture port cannot be part of an EtherChannel.

•The capture port cannot be an ATM port.

•The capture port must be in the spanning tree forwarding state for the VLAN.

•You can specify any number of switch ports as capture ports. Capture ports are added to a capture port list and the configuration is saved in NVRAM.

•Only permit traffic is captured. If a packet is dropped due to an ACL, the packet cannot be captured.

•Capture ports do not transmit out all captured traffic. They transmit only traffic belonging to the capture port VLAN. To capture traffic going to many VLANs, the capture port should be a trunk carrying the required VLANs.

For routed traffic, capture ports transmit packets only after they are Layer 3 switched; packets are transmitted out of a port only if the output VLAN of the Layer 3 switched flow is the same as the capture port VLAN. For example, assume you have flows from VLAN 10 to VLAN 20 and you add a VACL (on one of the VLANs) permitting these flows and you specify a capture port. This traffic gets transmitted out of the capture port only if it belongs to VLAN 20 or if the port is a trunk carrying VLAN 20. If the capture port is in VLAN 10, it does not transmit any traffic. Whether a capture port transmits the traffic or not is independent of the VLAN on which you placed the VACL.

If you want to capture traffic from one VLAN going to many VLANs, the capture port has to be a trunk carrying all output VLANs.

For bridged traffic, because all the traffic remains in the same VLAN, ensure that the capture port is in the same VLAN as the bridged traffic.

•To capture traffic, you can configure one ACL and map it to a group of VLANs or you can configure a number of ACLs and map each to one VLAN. Configure as many ACEs per ACL as necessary to capture the desired traffic.

To capture traffic flows, perform these steps:

Note An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs using the same basic steps.

Step 1 Enter the set security acl ip command to create a VACL and add ACEs; include the capture option.

Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.

Step 3 Enter the set security acl map command to map the VACL to a VLAN.

Step 4 Enter the set security acl capture-ports mod/ports... command to specify capture ports.

Configuration Examples

This example shows how to create an ACE for my_cap and specify that the allowed traffic be captured:
Console> (enable) set security acl ip my_cap permit ip host 60.1.1.1 host 60.1.1.98 
capture 
my_cap editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)
This example shows how to commit the my_cap ACL to NVRAM:
Console> (enable) commit security acl my_cap
ACL commit in progress.
ACL my_cap successfully committed.
Console> (enable)
This example shows how to map my_cap to VLAN 10:
Console> (enable) set security acl map my_cap 10
Mapping in progress.
VLAN 10 successfully mapped to ACL my_cap.
The old mapping with ACL captest was replaced with the new one.
Console> (enable)
This example shows how to specify capture ports:
Console> (enable) set security acl capture-ports 1/1-2,2/1-2
Successfully set the following ports to capture ACL traffic:
1/1-2,2/1-2
Console> (enable)
This example shows how to display ports that have been specified as capture ports:
Console> (enable) show security acl capture-ports 
ACL Capture Ports: 1/1-2,2/1-2
Console> (enable)
This example shows how to clear capture ports:
Console> (enable) clear security acl capture-ports 1/1,2/1
Successfully cleared the following ports:
1/1,2/1
Console> (enable)
This example shows that ports 1/1 and 2/1 were cleared:
Console> (enable) show security acl capture-ports 
ACL Capture Ports:1/2,2/2
Console> (enable)
Configuring VACL Logging

Note This feature is only available with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2).

You can log messages about denied packets for the standard IP access list by entering the log keyword for deny VACLs. That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the set logging level acl severity command.

The first packet that triggers the access list causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the flow pattern and number of packets received in the prior 5-minute interval.

By default, system logging messages are sent to the console. You can configure the switch to send system logging messages to a syslog server. For information on configuring system message logging, see Chapter 27, "Configuring System Message Logging."

Configuration Guidelines

Follow these guidelines when configuring VACL logging:

•Log only deny traffic from IP VACLs.

•You must set the logging level to 6 (information) or 7 (debugging).

To enable VACL logging, perform these steps:

Step 1 Enter the set logging level acl severity command to set the logging level to 6 (information) or 7 (debugging).

Step 2 (Optional) Enter the set security acl log maxflow max_number to allocate a new log table based on the maximum flow pattern number to store logged packet information. If successful, the new buffer replaces the old one and all flows in the old table are cleared. If either memory is not enough or the maximum number is over the limit, an error message is displayed and the command is dropped. Valid values are from 256 to 2048; the default value is 500.

Note If the maximum flow pattern is over the max_num limit, an error message is displayed and the command is dropped. Messages are not logged for these packets.

Step 3 (Optional) Enter the set security acl log ratelimit pps to set the redirect rate in pps (packet per second). If the configuration is over the range, the command is discarded and the range is displayed on the console. Valid values are from 500 to 5000; the default value is 2500.

Note If the redirect rate is over the pps range, the command is dropped and the range is displayed on the console. Messages are not logged for these packets.

Step 4 Enter the set security acl ip acl_name deny log command to create an IP VACL and enable logging.

Step 5 Enter the commit security acl acl_name command to commit the VACL to NVRAM.

Step 6 Enter the set security acl map acl_name vlan command to map the VACL to a VLAN.

Configuration Examples

This example shows how to set the logging level:
Console> (enable) set logging level acl 6
System logging facility <acl> for this session set to severity 6(information)
This example shows how to allocate a new log table based on the maximum flow:
Console> (enable) set security acl log maxflow 512
Set VACL Log table to 512 flow patterns.
This example shows how to set the redirect rate:
Console> (enable) set security acl log ratelimit 1000
Set Redirect Rate to 1000 pps.
This example shows how to display the VACL log configuration:
Console> (enable) show security acl log config
VACL LOG Configration
-------------------------------------------------------------
Max Flow Pattern    : 512
Redirect Rate (pps) : 1000
This example shows how to create an ACE for my_cap and specify that denied traffic be logged:
Console> (enable) set security acl ip my_cap deny ip host 21.0.0.1 log 
my_cap editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)
This example shows how to commit the my_cap ACL to NVRAM:
Console> (enable) commit security acl my_cap
ACL commit in progress.
ACL my_cap successfully committed.
Console> (enable)
This example shows how to map the VACL to a VLAN:
Console> (enable) set security acl map my_cap 1
Mapping in progress.
ACL my_cap successfully mapped to VLAN 1.
:
:
2000 Jul 19 01:14:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 
255.255.255.255(3000), 1 packet
2000 Jul 19 01:19:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 
255.255.255.255(3000), 7 packets
2000 Jul 19 01:25:06 %ACL-6-VACLLOG:VLAN 1(Port 2/2) denied ip tcp 21.0.0.1(2000) -> 
255.255.255.255(3000), 1 packets
This example shows how to display the flow information in the log table:
Console> (enable) show security acl log flow ip any any
Total matched entry number = 1
Entry No. #1, IP Packet
----------------------------------------
Vlan Number            : 1
Mod/Port Number        : 2/1
Source IP address      : 21.0.0.1
Destination IP address : 255.255.255.255
TCP Source port        : 2000
TCP Destination port   : 3000
Received Packet Number : 10
This example shows how to clear the log table:
Console> (enable) clear security acl log flow
Log table is cleared.
Console> (enable)
Configuring and Storing VACLs and QoS ACLs in Flash Memory

This section describes how to configure and store VACLs and QoS ACLs in Flash memory instead of NVRAM. Prior to this feature, all configuration information was stored in NVRAM. With the addition of QoS and security ACLs (VACLs), NVRAM could become full. In addition to limiting ACL configuration, filling up NVRAM can cause problems when you attempt to upgrade from one software version to another.

Note In most cases, the 512-KB NVRAM is sufficient for storing VACLs and QoS ACLs; therefore, all ACL configurations are stored in NVRAM by default.

This section describes the following tasks:

•Automatically Moving the VACL and QoS ACL Configuration to Flash Memory

•Manually Moving the VACL and QoS ACL Configuration to Flash Memory

•Running with the VACL and QoS ACL Configuration in Flash Memory

•Moving the VACL and QoS ACL Configuration Back to NVRAM

•Redundancy Synchronization Support

•Interacting with High Availability

Note See Chapter 23, "Modifying the Switch Boot Configuration," for additional information on using the commands described in this section.

Automatically Moving the VACL and QoS ACL Configuration to Flash Memory

Moving the VACL and QoS ACL configuration to Flash memory is done automatically only during system software upgrades and then only if there is not sufficient NVRAM for the upgrade. If there is not enough NVRAM to perform a software upgrade, the QoS ACL and VACL configuration is deleted from NVRAM and the ACL configuration is automatically moved to Flash memory. When this occurs, these syslog messages display:
1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH:ACL configuration moved to bootflash:switchapp.cfg
1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration 
deleted from NVRAM.
The VACL and QoS ACL configuration has now been successfully moved to Flash memory. During this process, the system also does the following:

•Sets the CONFIG_FILE variable to bootflash:switchapp.cfg

•Enables the set boot config-register auto-config command recurring, append, and sync options

If an error occurs during the upgrade, these syslog messages display:
1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH_ERR:Failed to write ACL configuration to 
bootflash:switchapp.cfg
1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration 
deleted from NVRAM.
If you receive these error messages, the VACL and QoS ACL configuration is stored in DRAM only. You need to make more space available in Flash memory and then save the configuration to Flash memory (as described in the "Moving the VACL and QoS ACL Configuration Back to NVRAM" section). Alternatively, you might try to delete unneeded VACLs and QoS ACLs and save the ACL configuration to NVRAM using the set config acl nvram command.

Manually Moving the VACL and QoS ACL Configuration to Flash Memory

If your VACL and QoS ACL configuration requirements require more memory than the 512-KB NVRAM, you can manually move the VACL and QoS ACL configuration to Flash memory as follows:

Step 1 Specify the VACL and QoS ACL auto-config file to use to configure the switch at startup.
Console> (enable) set boot auto-config bootflash:switchapp.cfg
CONFIG_FILE variable = bootflash:switchapp.cfg
Console> (enable)
Step 2 Specify if the switch should retain (recurring keyword) or clear (non-recurring keyword) the contents of the CONFIG_FILE environment variable after a reset or power cycle.
Console> (enable) set boot config-register auto-config recurring 
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, overwrite, sync disabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)
Step 3 Specify if the auto-config file should be used to overwrite the NVRAM configuration or be appended to what is currently in NVRAM.
Console> (enable) set boot config-register auto-config append
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, append, sync disabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)
Step 4 Specify if synchronization should be enabled or disabled. With synchronization enabled, the auto-config file(s) synchronize automatically to the standby supervisor engine.
Console> (enable) set boot config-register auto-config sync enable
Configuration register is 0x12F
ignore-config: disabled
auto-config: recurring, append, sync enabled
console baud: 9600
boot: image specified by the boot system commands
Console> (enable)
Step 5 Save committed VACL and QoS ACL configuration changes to the auto-config file.
Console> (enable) copy acl-config bootflash:switchapp.cfg
Upload ACL configuration to bootflash:switchapp.cfg
2843644 bytes available on device bootflash, proceed (y/n) [n]? y
ACL configuration has been copied successfully.
Console> (enable)
Step 6 Delete the VACL and QoS ACL configuration from NVRAM.
Console> (enable) clear config acl nvram
ACL configuration has been deleted from NVRAM.
Warning: Use the copy commands to save the ACL configuration to a file and
the 'set boot config-register auto-config' commands to configure the
auto-config feature.
Note VACL and QoS ACL mapping commands (set qos acl map and set security acl map) are also stored in the auto-config file. If the VACL and QoS ACL configuration is in Flash memory and you use the mapping commands, you need to enter the copy command to save the configuration to Flash memory.

At this point, the VACL and QoS ACL configuration is no longer in NVRAM, it is saved in the auto-config file bootflash:switchapp.cfg and will be appended to the NVRAM configuration at system startup.

After making any additional changes to the VACL and QoS ACL configuration and committing those changes, you must enter the copy acl-config bootflash:switchapp.cfg command to save the configuration to the auto-config file.

The auto-config file is synchronized automatically to the standby supervisor engine because synchronization was enabled.

If you cannot write the VACL and QoS ACL configuration to Flash memory, it is removed from NVRAM. At this point, the VACL and QoS ACL configuration exists in DRAM only. A system reset for any reason can cause the VACL and QoS ACL configuration to revert to the default.

Note If you cannot write the configuration to Flash memory, you must copy the configuration to a file, make additional room available in Flash memory, and then try to write the VACL and QoS ACL configuration to Flash memory.

At system startup, if the VACL and QoS ACL configuration location is set to Flash memory but either the CONFIG_FILE variable is not set or none of the files specified exist, the following syslog message displays:
1999 Sep 01 17:00:00 %SYS-0-CFG_FLASH_ERR:ACL configuration set to flash but no ACL 
configuration file found.
Running with the VACL and QoS ACL Configuration in Flash Memory

After you move the VACL and QoS ACL configuration to Flash memory, QoS ACLs and VACL commit operations are no longer written to NVRAM. You have to copy the configuration to the Flash file manually as follows:

•If you use the set boot config-register auto-config append option, the configuration from the auto-config file is appended to the NVRAM configuration. You then only have to copy the VACL and QoS ACL configuration to this file after commit operations.

•If you do not use the set boot config-register auto-config append option, the auto-config feature clears the configuration before executing the auto-config file at system startup. Any changes made in NVRAM are lost. You should always copy your entire configuration (not just the VACL and QoS ACL configuration) to the auto-config file when you want to save it.

Moving the VACL and QoS ACL Configuration Back to NVRAM

This example shows how to move the VACL and QoS ACL configuration back to NVRAM:
Console> (enable) set config acl nvram
ACL configuration copied to NVRAM.
Console> (enable)
Console> (enable) clear boot auto-config
CONFIG_FILE variable =
Console> (enable) 
Redundancy Synchronization Support

The set boot commands contain an option to synchronize the auto-config file automatically.

When you enable the auto-config option, if the VACL and QoS ACL configuration resides in Flash memory, the auto-config file on the active supervisor engine is automatically synchronized to the standby supervisor engine whenever a change is made; for example, deleting the auto-config file on the active supervisor engine causes the file to be deleted on the standby supervisor engine. Similarly, if you insert a new standby supervisor engine, the active supervisor engine automatically synchronizes the auto-config file.

Interacting with High Availability

After a supervisor engine switchover, the VACL and QoS ACL configuration on the standby supervisor engine is consistent with what was on the active supervisor engine, just as in the case where the VACL and QoS ACL configuration is saved in NVRAM. The only difference is that the data is stored in DRAM, but the functional behavior of a switchover does not change.

Configuring Policy-Based Forwarding

The policy-based forwarding (PBF) feature is an extension of VACL redirection supported by the Policy Feature Card 2 (PFC2). It can prove to be particularly beneficial in any flat Layer 2 network used for transparent bridging where a limited amount of inter-VLAN communication is required. This feature can also be used in server farms or DMZs where bridging devices like server load balancing appliances are involved, or where firewall load balancing is performed.

Note PBF does not support Internetwork Packet Exchange (IPX) and multicast traffic.

Note PBF does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.

Note PBF may require some configuration on attached hosts. When a router is not present in the network, ARP table entries have to be statically added on each host participating in PBF.

PBF is described in these sections:

•Understanding How Policy-Based Forwarding Works

•Hardware and Software Requirements

•Configuring Policy-Based Forwarding

•Policy-Based Forwarding Configuration Example

Understanding How Policy-Based Forwarding Works

PBF configuration involves these steps:

•Enabling PBF and specifying a MAC address for the PFC2

•Configuring VACLs for PBF

•Configuring attached hosts for PBF

Note Because VACLs are applied to incoming and outgoing traffic, you must configure all VACLs carefully when using PBF. If the VACLs are not specific, a rewritten packet could hit a deny statement in the outgoing VACL and be dropped.

When a router is not present in the network, you need to specify static ARP entries on participating hosts.

Hardware and Software Requirements

PBF hardware and software requirements are as follows:

•PBF requires Supervisor Engine 2 with the Policy Feature Card 2 (PFC2) (WS-X6K-S2-PFC2).

•PBF is not supported with an operating (booted) Multilayer Switch Feature Card 2 (MSFC2) in the Catalyst 6000 family switch that is being used for PBF.

If you try to configure PBF with an MSFC2 present and booted, the system responds with a message indicating the feature is not supported with an MSFC2.

If an MSFC2 is present but has not booted, you can configure PBF.

•PBF requires supervisor engine software release 6.3(1) or later releases.

Configuring Policy-Based Forwarding

This section provides guidelines and configuration examples for PBF. The configuration examples use the example configuration shown in Figure 16-8. The Catalyst 6000 family switch redirects all the traffic coming from Host A on VLAN 10 to Host B on VLAN 11, and redirects traffic from Host B to Host A. This section contains the following example procedures:

•Enabling PBF and Specifying a MAC Address for the PFC2

•Configuring VACLs for PBF

•Displaying PBF Information

•Clearing Entries in PBF VACLs

•Rolling Back Adjacency Table Entries in the Edit Buffer

•Configuring Hosts for PBF

Figure 16-8 Policy-Based Forwarding

Enabling PBF and Specifying a MAC Address for the PFC2

Note The MAC address can be a default or user-specified MAC address. The default MAC address is taken from a MAC address PROM on the Catalyst 6000 family switch chassis. When specifying a MAC address using the set pbf mac command, ensure that the MAC address is unique and not already being used on any interfaces.

We recommend that you use the default MAC address provided by the MAC address PROM. When you specify your own MAC address using the set pbf mac command, if the MAC address is a duplicate of a MAC address already in use, packets might get dropped.

To display PBF status and MAC address, perform this task in privileged mode:

Task

Command

Display PBF status and MAC address.

show pbf

To enable PBF, perform one of these tasks in privileged mode:

Task

Command

Enable PBF with a default MAC address.

set pbf

Enable PBF with a specific MAC address.

set pbf [mac mac address]

This example shows how to check PBF status and MAC address, enable PBF with a default MAC address, and verify the change:
Console> (enable) show pbf
Pbf status    Mac address
-----------   ------------------
not set       00-00-00-00-00-00
Console> (enable)
Console> (enable) set pbf
PBF committed successfully.
Operation successful.
Console> (enable)
Console> (enable) show pbf
Pbf status    Mac address
-----------   ------------------
ok            00-01-64-61-39-c2
Console> (enable)
This example shows how to enable PBF with a specific MAC address:
Console> (enable) set pbf mac 00-11-11-11-11-11
PBF committed successfully.
Operation successful.
Console> (enable)
Console> (enable) show pbf
Pbf status    Mac address
-----------   ------------------
ok            00-11-11-11-11-11
Console> (enable) 
To disable PBF and clear the PBF MAC address, perform this task in privileged mode:

Task

Command

Disable PBF and clear the PBF MAC address.

clear pbf

This example shows how to clear the PBF MAC address:
Console> (enable) clear pbf
PBF cleared.
Console> (enable) 
Console> (enable) show pbf
Pbf status    Mac address
-----------   ------------------
not set       00-00-00-00-00-00
Console> (enable) 
Configuring VACLs for PBF

Note Enter the set security acl adjacency command to specify the rewrite information in the adjacency table that causes the packet header to be rewritten (destination VLAN and source and destination MAC addresses) and forwarded to the destination VLAN.

Note that the source MAC address is optional. If you do not specify the source MAC address, the system defaults to the PBF MAC address.

Note You can configure a maximum of 256 adjacency table entries for a VLAN. The maximum number of adjacency table entries is 1023.

Note To enable jumbo frame forwarding using PBF, enter the mtu keyword in the set security acl adjacency command.

1. Specify the adjacency table entry.

2. Specify the redirect ACE in the PBF VACL that is using the adjacency table entry.

3. Commit the adjacency table entry.

4. Commit the PBF VACL.

5. Map the PBF VACL to a single VLAN or multiple VLANs.

Note You can combine steps 3 and 4 by entering the commit security acl all command.

Note The same adjacency table entry can be used by more than one redirect ACE.

To specify an adjacency table entry for the PFC2, perform this task in privileged mode:

Task

Command

Specify an adjacency table entry for the PFC2.

set security acl adjacency adjacency_name dest_vlan dest_mac [[source_mac] | [source_mac mtu mtu_size] | [ mtu mtu_size]]

This example shows how to specify the adjacency table entry:
Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B 
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)
This example shows how to create the PBF VACL for VLAN 10 (shown in Figure 16-8):
Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 redirect ADJ1 ip host 10.0.0.1 host 11.0.0.1
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 permit any
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Commit operation in progress.
Adjacency successfully committed.
Console> (enable) commit security acl IPACL1
ACL commit in progress.
ACL 'IPACL1' successfully committed. 
Console> (enable) set security acl map IPACL1 10
Mapping in progress.
ACL IPACL1 successfully mapped to VLAN 10.
Console> (enable)
Console> (enable) set security acl adjacency ADJ2 10 00-00-00-00-00-0A
ADJ2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL2 redirect ADJ2 ip host 11.0.0.1 host 10.0.0.1
IPACL2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) set security acl ip IPACL2 permit any
IPACL2 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Commit operation in progress.
Adjacency successfully committed.
Console> (enable) commit security acl IPACL2 
ACL commit in progress.
ACL 'IPACL2' successfully committed. 
Console> (enable) set security acl map IPACL2 11
Mapping in progress.
ACL IPACL2 successfully mapped to VLAN 11. 
Console> (enable)
Displaying PBF Information

This section describes how to display PBF-related information.

To display adjacency table entries, perform these tasks in normal mode:

Task

Command

Display adjacency table entries.

show security acl info [acl_name | adjacency | all] [editbuffer [editbuffer_index]]

Display PBF adjacency information for all adjacency table entries or a specific adjacency table entry.

show pbf adjacency [adj name]

Display PBF statistics for all adjacency table entries or a specific adjacency table entry.

show pbf statistics [adj name]

Display the adjacency-to-VACL mappings for all adjacency table entries or a specific adjacency table entry.

show pbf map [adj name]
Console> show security acl info adjacency
set security acl adjacency ADJ1
---------------------------------------------------
1. 11 00-00-00-00-00-0b
set security acl adjacency ADJ2
---------------------------------------------------
1. 10 00-00-00-00-00-0a 
Console> show pbf adjacency
Index    DstVlan   DstMac             SrcMac             Name
------------------------------------------------------------------
1        11      00-00-00-00-00-0a  00-00-00-00-00-0b     ADJ1
2        10      00-00-00-00-00-0a  00-00-00-00-00-0b     ADJ2
Console> show pbf statistics
Index    DstVlan   DstMac             SrcMac          HitCount(hex)  Name
-------------------------------------------------------------------------
1        11      00-00-00-00-00-0a  00-00-00-00-00-0b  0x00000000    ADJ1
2        10      00-00-00-00-00-0a  00-00-00-00-00-0b  0x00000000    ADJ2
Console> show pbf map
Adjacency            ACL
------------------  --------------------
ADJ1                IPACL1
ADJ2                IPACL2
Console> (enable)
Clearing Entries in PBF VACLs

The adjacency table entry cannot be cleared before the redirect ACE. You should clear the redirect ACE and the adjacency table entry in PBF VACLs in the following order:

1. Clear the redirect ACE.

2. Commit the PBF VACL.

3. Clear the adjacency table entry.

4. Commit the adjacency table entry.

To clear a PBF adjacency table entry, perform this task in privileged mode:

Task

Command

Clear a PBF adjacency table entry.

clear security acl adjacency adj name

This example shows how to clear a PBF adjacency table entry:
Console> (enable) clear security acl adjacency ADJ1
Adj is in use by a VACL, clear the VACL first then clear adj.
Console> (enable) clear security acl IPACL1
IPACL1 editbuffer modified. Use 'commit' command to save changes.
Console> (enable) commit security acl IPACL1
ACL commit in progress.
ACL 'IPACL1' successfully deleted.
Console> (enable) clear security acl adjacency ADJ1
ADJ1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl adjacency
Console> (enable) Adjacency committed successfully
Commit operation in progress.
Console> (enable) 
Rolling Back Adjacency Table Entries in the Edit Buffer

You can clear adjacency table entries in the edit buffer that were made prior to the last commit by using the rollback command. The adjacency table entries are rolled back to their state at the last commit.

To roll back the adjacency table entries in the edit buffer, perform this task in privileged mode:

Task

Command

Roll back adjacency table entries in the edit buffer.

rollback security acl {acl_name | all | adjacency}

This example shows how to roll back adjacency table entries in the edit buffer:
Console> (enable) rollback security acl adjacency
Editbuffer for adjacency info rolled back to last commit state.
Console> (enable) 
Configuring Hosts for PBF

This section provides host configuration procedures for the following platforms and operating systems:

•Linux

•Sun Workstation

•MS-Windows/NT/2000 Hosts

Note When a router is not present in the network, you need to specify static ARP entries on participating hosts. The host's ARP table maps the IP address of the host device to the MAC address of the PFC2.

Note The IP addresses in the following examples are the IP addresses used in Figure 16-8. These IP addresses were randomly selected; make sure that the IP addresses you use in your network configuration are unique.

Linux

These examples show how to configure the ARP table for hosts running the Linux operating system.

This example shows how to configure Host A:
arp -s 11.0.0.1 00:11:11:11:11:11 -i eth0
route add 11.0.0.1 eth0
arp -s 10.0.0.1 00:11:11:11:11:11 -i eth1
route add 10.0.0.1 eth1
Sun Workstation

When using PBF to enable forwarding between two VLANs with Sun Workstation end hosts, note that there are limitations you must take into account when configuring the hosts.

PBF Limitations

PBF does not support ARP; you must set a static ARP entry on each Sun Workstation that participates in PBF. Each static ARP entry must point to the PBF MAC address that is mapped to the destination host.

You must also configure the Sun Workstation to have a gateway. If the Sun Workstation needs to communicate to a different network, you must define the host routes for all networks that go through PBF, and if required, you must define a default gateway.

For example, if host 10.0.0.1 on VLAN 40 needs to communicate with host 11.0.0.1 on VLAN 50, and assuming the PBF MAC address is 00-11-11-11-11-11, the static ARP entry would be as follows:
arp -s 11.0.0.1 00:11:11:11:11:11
where 00-11-11-11-11-11 is the PBF MAC address, and 11.0.0.1 is the IP address of the destination host.

Sun Workstation Limitations

Sun Workstations do not allow you to set a static ARP entry if the destination is part of a different network (11.x.x.x in this example). This is a limitation of ARP in all Sun Workstations. To overcome this problem, you need to define a dummy gateway, which is a host route, and set a static ARP entry pointing to the PBF MAC address mapped to the destination host.

Using the example above, you need to first define a dummy static ARP entry for the gateway. The IP address of the gateway is one of the host addresses within that network as follows:
(A)	Kubera# arp -s 10.0.0.2  00:11:11:11:11:11
(B)	Kubera# route add host  11.0.0.1 10.0.0.2
You need to set only one dummy ARP entry for PBF-related traffic and the host routes for each destination host.

If the number of hosts increase, you need to set the host route entries for each destination host. You can set up a startup file in /etc/rc2.d which has host route entries for each of the destination hosts. Setting up this file prevents you from having to key in all the host route entries after the Workstation is reset or rebooted.

Entries in the file should use this form:
	Route add host <destination Host IP Address> <dummy gateway IP Address>
The file that contains the host route entries needs to be started as one of the startup scripts. You can create the file in a directory that has full permissions for the root/superuser, set a soft link pointing to that file in /etc/rc2.d, or create the file in the /etc/rc2.d directory itself.

MS-Windows/NT/2000 Hosts

Similar to Sun Workstations setup, you must also set static ARP entries on Windows-based PCs. For Windows-based PCs, you do not need to set up any dummy gateways for switching between VLANs with PBF.

This example shows how to configure static ARP entries in Windows-based platforms:
C:\> arp -s 11.0.0.1 00-11-11-11-11-11
In this example, 00-11-11-11-11-11 is the PBF MAC address and 11.0.0.1 is the IP address of the destination host.

If you need to configure more hosts, you can create a batch file with ARP entries to each destination host and specify that Windows use this file at startup.

Policy-Based Forwarding Configuration Example

This section provides example configurations to enable PBF between hosts on VLAN 1 and hosts on VLAN 2 (see Figure 16-9).

Figure 16-9 Policy-Based Forwarding Configuration Example

This example shows the switch configuration file that was created to enable PBF between the hosts on VLAN 1 and VLAN 2. Only the first four hosts from each VLAN are shown in the example (44.0.0.1 through 44.0.0.4 and 43.0.0.1 through 43.0.0.4).
#security ACLs
clear security acl all
#adj set
set security acl adjacency a_1 2 00-0a-0a-0a-0a-0a 
set security acl adjacency a_2 2 00-0a-0a-0a-0a-0b 
set security acl adjacency a_3 2 00-0a-0a-0a-0a-0c 
set security acl adjacency a_4 2 00-0a-0a-0a-0a-0d 
set security acl adjacency b_1 1 00-20-20-20-20-20 
set security acl adjacency b_2 1 00-20-20-20-20-21 
set security acl adjacency b_3 1 00-20-20-20-20-22 
set security acl adjacency b_4 1 00-20-20-20-20-23 
#ip1
set security acl ip ip1 permit arp 
set security acl ip ip1 redirect  a_1  ip host 44.0.0.1 host 43.0.0.1 
set security acl ip ip1 redirect  a_2  ip host 44.0.0.2 host 43.0.0.2 
set security acl ip ip1 redirect  a_3  ip host 44.0.0.3 host 43.0.0.3 
set security acl ip ip1 redirect  a_4  ip host 44.0.0.4 host 43.0.0.4 
set security acl ip ip1 permit ip any any 
#ip2
set security acl ip ip2 permit arp 
set security acl ip ip2 redirect  b_1  ip host 43.0.0.1 host 44.0.0.1 
set security acl ip ip2 redirect  b_2  ip host 43.0.0.2 host 44.0.0.2 
set security acl ip ip2 redirect  b_3  ip host 43.0.0.3 host 44.0.0.3 
set security acl ip ip2 redirect  b_4  ip host 43.0.0.4 host 44.0.0.4 
set security acl ip ip2 permit ip any any 
#pbf set
set pbf mac 00-11-22-33-44-55
#
commit security acl all
set security acl map ip1 1
set security acl map ip2 2
This example shows how to display MAC addresses learned by the switch for port 6/17 on VLAN 1:
Console> (enable) show cam dynamic 6/17
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type] 
----  ------------------    -----  -------------------------------------------
1     00-20-20-20-20-23             6/17 [ALL]
1     00-20-20-20-20-22             6/17 [ALL]
1     00-20-20-20-20-21             6/17 [ALL]
1     00-20-20-20-20-20             6/17 [ALL]
1     00-20-20-20-20-27             6/17 [ALL]
1     00-20-20-20-20-26             6/17 [ALL]
1     00-20-20-20-20-25             6/17 [ALL]
1     00-20-20-20-20-24             6/17 [ALL]
1     00-20-20-20-20-2b             6/17 [ALL]
1     00-20-20-20-20-2a             6/17 [ALL]
1     00-20-20-20-20-29             6/17 [ALL]
1     00-20-20-20-20-28             6/17 [ALL]
1     00-20-20-20-20-2f             6/17 [ALL]
1     00-20-20-20-20-2e             6/17 [ALL]
1     00-20-20-20-20-2d             6/17 [ALL]
1     00-20-20-20-20-2c             6/17 [ALL]
Total Matching CAM Entries Displayed for 6/17 = 16 for port 6/9, vlan 2
This example shows how to display MAC addresses learned by the switch for port 6/9 on VLAN 2:
Console> (enable) show cam dynamic 6/9 
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type] 
----  ------------------    -----  -------------------------------------------
2     00-0a-0a-0a-0a-0e             6/9 [ALL]
2     00-0a-0a-0a-0a-0f             6/9 [ALL]
2     00-0a-0a-0a-0a-0c             6/9 [ALL]
2     00-0a-0a-0a-0a-0d             6/9 [ALL]
2     00-0a-0a-0a-0a-0a             6/9 [ALL]
2     00-0a-0a-0a-0a-0b             6/9 [ALL]
2     00-0a-0a-0a-0a-19             6/9 [ALL]
2     00-0a-0a-0a-0a-18             6/9 [ALL]
2     00-0a-0a-0a-0a-17             6/9 [ALL]
2     00-0a-0a-0a-0a-16             6/9 [ALL]
2     00-0a-0a-0a-0a-15             6/9 [ALL]
2     00-0a-0a-0a-0a-14             6/9 [ALL]
2     00-0a-0a-0a-0a-13             6/9 [ALL]
2     00-0a-0a-0a-0a-12             6/9 [ALL]
2     00-0a-0a-0a-0a-11             6/9 [ALL]
2     00-0a-0a-0a-0a-10             6/9 [ALL]
Total Matching CAM Entries Displayed for 6/9 = 16
This example shows how to display the PBF status and the PFC2 MAC address:
Console> (enable) show pbf 
Pbf status    Mac address
-----------   ------------------
ok            00-11-22-33-44-55
This example shows how to display the PBF statistics:
Console> (enable) show pbf statistics 
Index    DstVlan   DstMac             SrcMac          HitCount(hex)  Name
-------------------------------------------------------------------------
1         2      00-0a-0a-0a-0a-0a  00-11-22-33-44-55  0x00026d7c    a_1
2         2      00-0a-0a-0a-0a-0b  00-11-22-33-44-55  0x00026d83    a_2
3         2      00-0a-0a-0a-0a-0c  00-11-22-33-44-55  0x00026d89    a_3
4         2      00-0a-0a-0a-0a-0d  00-11-22-33-44-55  0x00026d90    a_4
5         1      00-20-20-20-20-20  00-11-22-33-44-55  0x000260e3    b_1
6         1      00-20-20-20-20-21  00-11-22-33-44-55  0x000260ea    b_2
7         1      00-20-20-20-20-22  00-11-22-33-44-55  0x000260f1    b_3
8         1      00-20-20-20-20-23  00-11-22-33-44-55  0x000260f8    b_4