Catalyst 6500 Series Software Configuration Guide, 7.6
Configuring Access Control
Download this chapter
Configuring Access ControlConfiguring Access Control
Download the complete book
Book-level PDF: Catalyst 6500 Series Software Configuration Guide, 7.6Book-level PDF: Catalyst 6500 Series Software Configuration Guide, 7.6 (PDF - 11 MB)
give_us_feedback

Table Of Contents

Configuring Access Control

Understanding How ACLs Work

Hardware Requirements

Supported ACLs

QoS ACLs

Cisco IOS ACLs

VACLs

VACL Overview

ACEs Supported in VACLs

Handling Fragmented and Unfragmented Traffic

Applying Cisco IOS ACLs and VACLs on VLANs

Bridged Packets

Routed Packets

Multicast Packets

Using Cisco IOS ACLs in your Network

Hardware and Software Handling of Cisco IOS ACLs with PFC

Security Cisco IOS ACLs

Reflexive ACLs

TCP Intercept

Policy Routing

WCCP

NAT

Unicast RPF Check

Bridge-Groups

Hardware and Software Handling of Cisco IOS ACLs with PFC2

Security Cisco IOS ACLs

Rate Limiting for Cisco IOS ACL Logging

Reflexive ACLs

TCP Intercept

Policy Routing

WCCP

NAT

Unicast RPF Check

Bridge-Groups

Using VACLs with Cisco IOS ACLs

Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines

Using the Implicit Deny Action

Grouping Actions Together

Limiting the Number of Actions

Avoiding Layer 4 Port Information

Estimating Merge Results with Supervisor Engine Software Releases Prior to Release 7.1(1)

Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases

Layer 4 Operations Configuration Guidelines

Determining Layer 4 Operation Usage

Determining Logical Operation Unit Usage

Using VACLs in your Network

Wiring Closet Configuration

Redirecting Broadcast Traffic to a Specific Server Port

Restricting the DHCP Response for a Specific Server

Denying Access to a Server on Another VLAN

Restricting ARP Traffic

Inspecting ARP Traffic

Overview

Implementation

ARP Traffic Inspection Configuration Guidelines

ARP Traffic Inspection Configuration Procedures

Configuring ACLs on Private VLANs

Capturing Traffic Flows

Unsupported Features

Configuring VACLs on the Switch

VACL Configuration Guidelines

VACL Configuration Summary

Configuring VACLs from the CLI

Specifying the ACL-Merge Algorithm

Creating an IP VACL and Adding ACEs

Creating an IPX VACL and Adding ACEs

Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

Committing ACLs

Mapping a VACL to a VLAN

Showing the Contents of a VACL

Showing VACL-to-VLAN Mapping

Clearing the Edit Buffer

Removing ACEs from Security ACLs

Clearing the Security ACL Map

Displaying VACL Management Information

Capturing Traffic Flows on Specified Ports

Configuring VACL Logging

Configuring and Storing VACLs and QoS ACLs in Flash Memory

Automatically Moving the VACL and QoS ACL Configuration to Flash Memory

Manually Moving the VACL and QoS ACL Configuration to Flash Memory

Running with the VACL and QoS ACL Configuration in Flash Memory

Moving the VACL and QoS ACL Configuration Back to NVRAM

Redundancy Synchronization Support

Interacting with High Availability

Configuring Policy-Based Forwarding

Understanding How PBF Works

PBF Hardware and Software Requirements

Configuring PBF

Enabling PBF and Specifying a MAC Address for the PFC2

Configuring VACLs for PBF

Displaying PBF Information

Clearing Entries in PBF VACLs

Rolling Back Adjacency Table Entries in the Edit Buffer

Configuring Hosts for PBF

PBF Configuration Example

Enhancements to PBF Configuration

PBF Configuration Enhancement Overview

Specifying a PBF_MAP_ACL

Displaying the PBF_MAP_ACL Information

Clearing the PBF_MAP_ACL Configuration


Configuring Access Control

This chapter describes how to configure access control lists (ACLs) on the Catalyst 6500 series switches. Configuration of the ACLs depends on the type of hardware that you install on your supervisor engine. See the "Hardware Requirements" section for details.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.

This chapter consists of these sections:

Understanding How ACLs Work

Hardware Requirements

Supported ACLs

Applying Cisco IOS ACLs and VACLs on VLANs

Using Cisco IOS ACLs in your Network

Using VACLs with Cisco IOS ACLs

Using VACLs in your Network

Unsupported Features

Configuring VACLs on the Switch

Configuring and Storing VACLs and QoS ACLs in Flash Memory

Configuring Policy-Based Forwarding

Note Except where specifically differentiated, the information and procedures in this chapter apply to both Supervisor Engine 2 with Layer 3 Switching Engine II (Policy Feature Card 2 or PFC2) and Supervisor Engine 1 with Layer 3 Switching Engine II (Policy Feature Card or PFC).

Understanding How ACLs Work

Traditionally, switches operated at Layer 2 only; switches switched traffic within a VLAN and routers routed traffic between VLANs. Catalyst 6500 series switches with the Multilayer Switch Feature Card (MSFC) can accelerate packet routing between VLANs by using Layer 3 switching (Multilayer Switching [MLS]). The switch first bridges the packet, the packet is then routed internally without going to the router, and then the packet is bridged again to send it to its destination. During this process, the switch can access control all packets it switches including packets bridged within a VLAN.

Cisco IOS ACLs provide access control for routed traffic between VLANs, and VLAN ACLs (VACLs) provide access control for all packets.

Standard and extended Cisco IOS ACLs are used to classify packets. Classified packets can be subject to a number of features such as access control (security), encryption, policy-based routing, and so on. Standard and extended Cisco IOS ACLs are only configured on router interfaces and applied on routed packets.

VACLs can provide access control based on Layer 3 addresses for IP and IPX protocols. Unsupported protocols are access controlled through MAC addresses. A VACL is applied to all packets (bridged and routed) and can be configured on any VLAN interface. Once a VACL is configured on a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VACL. Packets can either enter the VLAN through a switch port or through a router port after being routed.

Hardware Requirements

The hardware that is required to configure ACLs on Catalyst 6500 series switches is as follows:

Cisco IOS ACLs:

Policy Feature Card (PFC) and MSFC or MSFC2

PFC2 and MSFC2

VACLs and QoS ACLs:

PFC

PFC2

Note The quality of service (QoS) feature set that is supported on your switch is determined by the switching engine daughter card that is installed on the supervisor engine. See Chapter 43, "Configuring QoS" for more information.

Supported ACLs

These sections describe the ACLs that are supported by the Catalyst 6500 series switches:

QoS ACLs

Cisco IOS ACLs

VACLs

QoS ACLs

You can configure QoS ACLs on the switch; see Chapter 43, "Configuring QoS."

Cisco IOS ACLs

Cisco IOS ACLs are configured on the MSFC VLAN interfaces. An ACL provides access control and consists of an ordered set of access control entries (ACEs). Many other features also use ACLs for specifying flows. For example, Web Cache Redirect (through the Web Cache Coordination Protocol [WCCP]) uses ACLs to specify HTTP flows that can be redirected to a Web cache engine.

Most Cisco IOS features are applied on interfaces for specific directions (inbound versus outbound). However, some features use ACLs globally. For such features, ACLs are applied on all interfaces for a given direction. As an example, TCP intercept uses a global ACL that is applied on all interfaces for outbound direction.

One Cisco IOS ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single ACL is used by multiple features, Cisco IOS software examines it multiple times.

Cisco IOS software examines the ACLs that are associated with the features that are configured on a given interface and a direction. As packets enter the router on a given interface, Cisco IOS software examines the ACLs that are associated with all the inbound features that are configured on that interface for the following:

Inbound ACLs (standard, extended, and/or reflexive)

Encryption ACLs (not supported on the MSFC)

Policy routing ACLs

Network Address Translation (NAT) for outside-to-inside translation

After packets are routed and before they are forwarded out to the next hop, Cisco IOS software examines all ACLs that are associated with outbound features configured on the egress interface for the following:

Outbound ACLs (standard, extended, and/or reflexive)

Encryption ACLs (not supported on the MSFC)

NAT ACLs (for inside-to-outside translation)

WCCP ACL

TCP intercept ACL

VACLs

The following sections describe VACLs:

VACL Overview

ACEs Supported in VACLs

Handling Fragmented and Unfragmented Traffic

VACL Overview

VACLs can access control all traffic. You can configure VACLs on the switch to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and redirecting traffic to specific physical switch ports. Unlike Cisco IOS ACLs, VACLs are not defined by direction (input or output).

You can configure VACLs on Layer 3 addresses for IP and IPX. All other protocols are access controlled through MAC addresses and Ethertype using MAC VACLs.

Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.

You can enforce VACLs only on packets going through the Catalyst 6500 series switch; you cannot enforce VACLs on traffic between hosts on a hub or another switch that is connected to the Catalyst 6500 series switch.

ACEs Supported in VACLs

A VACL contains an ordered list of access control entries (ACEs). Each VACL can contain ACEs of only one type. Each ACE contains a number of fields that are matched against the contents of a packet. Each field can have an associated bit mask to indicate which bits are relevant. An action is associated with each ACE that describes what the system should do with the packet when a match occurs. The action is feature dependent. Catalyst 6500 series switches support three types of ACEs in the hardware:

IP ACEs

IPX ACEs

Ethernet ACEs

Table 16-1 lists the parameters associated with each ACE type.

Table 16-1 ACE Types and Parameters 

ACE Type
TCP or UDP1
ICMP1
Other IP1
IPX
Ethernet2

Layer 4 parameters

Source port

       

Source port operator

       

Destination port

       

Destination port operator

ICMP code1

     

N/A

ICMP type

N/A

   

Layer 3 parameters

IP ToS byte

IP ToS byte

IP ToS byte

   

IP source address

IP source address

IP source address

IPX source network

 

IP destination address

IP destination address

IP destination address

IPX destination network

 
     

IPX destination node

 

TCP or UDP

ICMP

Other protocol

IPX packet type

 

Layer 2 parameters

       

Ethertype

       

Ethernet source address

       

Ethernet destination address

1 IP ACEs.

2 For Ethernet packets that are not IP version 4 or IPX.


Handling Fragmented and Unfragmented Traffic

TCP/UDP or any Layer 4 protocol traffic, when fragmented, loses the Layer 4 information (Layer 4 source/destination ports). This situation makes it difficult to enforce security that is based on the application. However, you can identify fragments and distinguish them from the rest of the TCP/UDP traffic.

Layer 4 parameters of ACEs can filter unfragmented traffic and fragmented traffic with fragments that have offset 0. IP fragments that have an offset other than 0 miss the Layer 4 port information and cannot be filtered. The following examples show how ACEs handle packet fragmentation.

This example shows that if the traffic from 1.1.1.1 port 68 is fragmented, only the first fragment goes to port 4/3, and the rest of the traffic from port 68 does not hit this entry. 

redirect 4/3 tcp host 1.1.1.1 eq 68 host 255.255.255.255

This example shows that the traffic coming from 1.1.1.1 port 68 and going to 2.2.2.2 port 34 is permitted. If packets are fragmented, the first fragment hits this entry and is permitted; fragments that have an offset other than 0 are also permitted as a default result for fragments. 

permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

This example shows that the fragment that has offset 0 of the traffic from 1.1.1.1 port 68 going to 2.2.2.2 port 34 is denied. The fragments that have an offset other than 0 are permitted as a default. 

deny tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

In releases prior to software release 6.1(1), the fragment filtering was completely transparent; you would type an ACE such as permit tcp .... port eq port_number and the software would implicitly install the following ACE at the top of the ACL: permit tcp any any fragments.

In software release 6.1(1) and later releases, there is a fragment option. If you do not specify the fragment keyword, the behavior is the same as in previous releases. If you specify the fragment keyword, the system does not automatically install a global permit statement for fragments. This keyword allows you to control how fragments are handled.

In this example, 10.1.1.2 is configured to serve HTTP connections. If you do not use a fragment ACE, all the fragments for TCP traffic are permitted as the permit tcp any any fragments ACE is added automatically at the top of the ACL as follows: 

permit tcp any any fragments

1. permit tcp any host 10.1.1.2 eq www

2. deny ip any host 10.1.1.2

3. permit ip any any

In the above example, if you change the entry 1 as follows:

1. deny tcp any host 10.1.1.2 eq www

a permit tcp any any fragments ACE will not be added at the top of ACL. If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

When you specify the fragment keyword, the system does not install the global permit TCP or UDP fragments statement. When you specify the fragment keyword for at least one ACE, the software implicitly installs ACEs to permit flows to a specific IP address (or subnet) that you specify.

In this ACL example, the deny tcp any host 10.1.1.2 fragment entry stops fragmented traffic going to all TCP ports on host 10.1.1.2. Later in the ACL, the permit udp any host 10.1.1.2 eq 69 entry allows clients to connect to the TFTP server 10.1.1.2. The system automatically installs a permit for all fragments of udp traffic to host 10.1.1.2 ACE; otherwise, fragments would be denied by the entry deny ip any host 10.1.1.2.

1. deny tcp any host 10.1.1.2 fragment

2. permit tcp any host 10.1.1.2 eq www

3. permit udp any host 10.1.1.2 eq 69

4. permit udp any gt 1023 10.1.1.2 gt 1023

5. deny ip any host 10.1.1.2

6. permit ip any any

If you explicitly want to stop fragmented UDP traffic to host 10.1.1.2, enter deny udp any host 10.1.1.2 fragment before entry number 3 as shown in this example:

[...]

3. deny udp any host 10.1.1.2 fragment

4. permit udp any host 10.1.1.2 eq 69

5. permit udp any gt 1023 10.1.1.2 gt 1023

[...]

Applying Cisco IOS ACLs and VACLs on VLANs

This section describes how to apply Cisco IOS ACLs and VACLs to the VLAN for bridged packets, routed packets, and multicast packets.

These sections show how ACLs and VACLs are applied:

Bridged Packets

Routed Packets

Multicast Packets

Bridged Packets

Figure 16-1 shows how an ACL is applied on bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN.

Figure 16-1 Applying ACLs on Bridged Packets

Routed Packets

Figure 16-2 shows how ACLs are applied on routed/Layer 3-switched packets. For routed/Layer 3-switched packets, the ACLs are applied in the following order:

1. VACL for input VLAN

2. Input Cisco IOS ACL

3. Output Cisco IOS ACL

4. VACL for output VLAN

Figure 16-2 Applying ACLs on Routed Packets

Multicast Packets

Figure 16-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:

1. Packets that need multicast expansion:

a. VACL for input VLAN

b. Input Cisco IOS ACL

2. Packets after multicast expansion:

a. Output Cisco IOS ACL

b. VACL for output VLAN

3. Packets originating from router:

a. VACL for output VLAN

Figure 16-3 Applying ACLs on Multicast Packets

Using Cisco IOS ACLs in your Network

Note Configuring Cisco IOS ACLs on the Catalyst 6500 series switch routed-VLAN interfaces is the same as configuring ACLs on other Cisco routers. To configure Cisco IOS ACLs, see the "Unsupported Features" section and the "VACL Configuration Guidelines" section. In addition, refer to the Cisco IOS configuration guides and command reference publication. For example, to configure ACLs for IP, refer to the "Configuring IP Services" chapter in the Network Protocols Configuration Guide, Part 1.

When a feature is configured on the router to process traffic (such as NAT), the Cisco IOS ACL that is associated with the feature determines the specific traffic that is bridged to the router instead of being Layer 3 switched. The router then applies the feature and routes the packet normally. Note that there are some exceptions to this process as described in the "Hardware and Software Handling of Cisco IOS ACLs with PFC" section.

Note In systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.

Caution For PFC: By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachables when a packet is denied by an access group. These access-group denied packets are not dropped in the hardware but are bridged to the MSFC so that the MSFC can generate the ICMP-unreachable message. To drop access-group denied packets in the hardware, you must disable ICMP unreachables using the no ip unreachables interface configuration command. Note that the ip unreachables command is enabled by default.

For PFC2: If IP unreachables or IP redirect is enabled on an interface, the deny is performed in hardware although a small number of packets are sent to the MSFC2 to generate the appropriate ICMP-unreachable messages.

These sections describe hardware and software handling of ACLs with PFC and PFC2:

Hardware and Software Handling of Cisco IOS ACLs with PFC

Hardware and Software Handling of Cisco IOS ACLs with PFC2

Hardware and Software Handling of Cisco IOS ACLs with PFC

This section describes hardware and software handling of Cisco IOS ACLs with the PFC.

Note For information on Cisco IOS ACLs with PFC2, see the "Hardware and Software Handling of Cisco IOS ACLs with PFC2" section.

ACL feature processing requires forwarding of some flows by the software. The forwarding rate for software-forwarded flows is substantially less than for hardware-forwarded flows. Flows that require logging as specified by the ACL are handled in the software without impacting non-log flow forwarding in the hardware.

Note When you enter the show ip access-list command, the match count displayed does not account for packets access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software. This process significantly degrades system performance.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and the software:

Security Cisco IOS ACLs

Reflexive ACLs

TCP Intercept

Policy Routing

WCCP

NAT

Unicast RPF Check

Bridge-Groups

Security Cisco IOS ACLs

The IP and IPX security Cisco IOS ACLs with PFC are as follows:

The flows that match a "deny" statement in a security ACL are dropped by the hardware if "ip unreachables" is disabled. The flows matching a "permit" statement are switched in the hardware.

Permit and deny actions of standard and extended ACLs (input and output) for security access control are handled in the hardware.

IP accounting for an ACL access violation on a given interface is supported by forwarding all denied packets for that interface to the software without impacting other flows.

Dynamic (lock and key) ACL flows are supported in the hardware; however, idle timeout is not supported.

IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, and/or destination node. If the ACL contains any other parameters, it is handled in the software.

IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, destination node, and/or protocol type.

ACL flows requiring logging are handled in the software without impacting non-log flow forwarding in the hardware.

Reflexive ACLs

Up to 512 simultaneous reflexive sessions are supported in the hardware. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept

The TCP intercept feature implements software to protect the TCP servers from TCP SYN-flooding attacks, which are denial-of-service attacks. TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from the unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

Policy Routing

Policy routing-required flows are handled in the software without impacting non-policy routed flow forwarding in the hardware. When a route map contains multiple "match" clauses, all conditions imposed by these match clauses must be met before a packet is policy routed. However, for route maps containing both "match ip address" and "match length," all traffic matching the ACL in the "match ip address" clause is forwarded to the software regardless of the match length criteria. For route maps that only contain match length clauses, all packets that are received on the interface are forwarded to the software.

When you enable hardware policy routing using the mls ip pbr global command, all policy routing occurs in the hardware.

Caution If you use the mls ip pbr command to enable policy routing, policy routing is applied in the hardware for all interfaces regardless of which interface was configured for policy routing.

WCCP

HTTP requests that are subject to Web Cache Coordination Protocol (WCCP) redirection are handled in the software; HTTP replies from the server and the Cache Engine are handled in the hardware.

NAT

NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the hardware.

Unicast RPF Check

The unicast RPF feature is supported in hardware on the PFC. For ACL-based RPF checks, traffic that is denied by the unicast RPF ACL is forwarded to the MSFC for RPF validation.

Caution With ACL-based unicast RPF, packets that are denied by the ACL are sent to the CPU for RPF validation. In the event of DoS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this could cause high CPU utilization.

Note Drop-suppress statistics for the ACL-based RPF check is not supported.

Bridge-Groups

Cisco IOS bridge-group ACLs are handled in the software.

Hardware and Software Handling of Cisco IOS ACLs with PFC2

This section describes hardware and software handling of Cisco IOS ACLs with the PFC2.

ACL feature processing requires forwarding some flows to the software. The forwarding rate for software-forwarded flows is substantially less than for hardware-forwarded flows. Flows that require logging as specified by the ACL are handled in the software without impacting non-log flow forwarding in the hardware.

Note When you enter the show ip access-list command, the match count displayed does not account for packets that are access controlled in the hardware.

Note IPX Cisco IOS ACLs with the source host node number specified cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software. This process significantly degrades system performance.

These sections describe how different types of ACLs and traffic flows are handled by the hardware and the software in systems with PFC2:

Security Cisco IOS ACLs

Rate Limiting for Cisco IOS ACL Logging

Reflexive ACLs

TCP Intercept

Policy Routing

WCCP

NAT

Unicast RPF Check

Bridge-Groups

Security Cisco IOS ACLs

The IP and IPX security Cisco IOS ACLs with PFC2 are as follows:

If either the "ip unreachables" or "ip redirect" options are enabled, most of the packets of the flows that match a "deny" statement in an ACL are dropped by the hardware. Only a few packets are processed in software in order for the router to send the appropriate ICMP-unreachable message.

Permit and deny actions of standard and extended ACLs (input and output) for security access control are handled in the hardware.

IP accounting for an ACL access violation on a given interface is supported by forwarding all denied packets for that interface to the software without impacting other flows.

Dynamic (lock and key) ACL flows are supported in the hardware; however, idle timeout is not supported.

IPX standard input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, and/or destination node. If the ACL contains any other parameters, it is handled in the software.

IPX extended input and output ACLs are supported in the hardware when the ACL parameters are IPX source network, destination network, destination node, and/or protocol type.

ACL flows that require logging are handled in the software without impacting non-log flow forwarding in the hardware.

Rate Limiting for Cisco IOS ACL Logging

The rate limiting feature for Cisco IOS ACL logging limits the number of packets that are sent to the MSFC CPU for bridged ACEs. An ACE is bridged when the result for the Cisco IOS ACL is a deny or permit with the log option specified. The bridge action can result in Cisco IOS ACL logging overloading the MSFC CPU. When you configure rate limiting for Cisco IOS ACL logging, the bridged ACEs are redirected to the MSFC with rate limiting.

Configuring Rate Limiting for Cisco IOS ACL Logging Guidelines

This section describes the guidelines for configuring rate limiting for Cisco IOS ACL logging:

After using the set acllog ratelimit rate command or the clear acllog command, you must either reset the MSFC or perform a shut/no shut on the MSFC interface(s) that have ACEs with the log keyword applied.

After entering the set acllog ratelimit rate command, the reset or shut/no shut action causes the bridged ACEs to be redirected to the MSFC with rate limiting.

After entering the clear acllog command, the reset or shut/no shut action causes the system to return to its previous behavior; the bridge action remains unchanged.

The rate specified using the set acllog ratelimit rate command can be from 1 to 1000. The rate is the number of packets per second that hit a redirect ACE and are sent to the MSFC. If the actual number of packets per second is greater than the rate that you specify, the packets that exceed the specified rate are dropped. We recommend that you specify a rate of 500 packets per second.

Configuring Rate Limiting for Cisco IOS ACL Logging

To configure rate limiting for Cisco IOS ACL logging, perform this task in privileged mode:

 
Task
Command

Step 1 

Enable ACL logging and specify a rate for Cisco IOS ACL logging rate limiting.

set acllog ratelimit rate

Step 2 

Show the ACL logging status.

show acllog

This example shows how to enable ACL logging and specify a rate of 500 for Cisco IOS ACL logging rate limiting: 

Console> (enable) set acllog ratelimit 500

If the ACLs-LOG were already applied, the rate limit mechanism will be effective on system 
restart, or after shut/no shut the interface.

Console> (enable) 


Console> (enable) show acllog

ACL log rate limit enabled, rate = 500 pps.

Console> (enable)

This example shows how to clear (disable) ACL logging. After clearing ACL logging, the bridge action remains unchanged; the system behavior is the same as before the set acllog ratelimit command was issued. 

Console> (enable) clear acllog

ACL log rate limit is cleared.

If the ACLs-LOG were already applied, the rate limit mechanism will be disabled on system 
restart, or after shut/no shut the interface.

Console> (enable)

Reflexive ACLs

ICMP packets are handled in the software. For TCP/UDP flows, once the flow is established, they are handled in the hardware. When reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.

TCP Intercept

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are denial-of-service attacks. TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from the unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

The hardware support for TCP intercept on a PFC2 is as follows:

1. Once you configure TCP intercept, all TCP SYN packets that match the ACEs with a permit clause in the TCP intercept ACL, and which are permitted by the security ACL, are sent to the software to apply the TCP intercept functionality. This process occurs even if the security ACL does not have the SYN flag specified.

2. If a connection is established successfully, the following applies:

a. If the TCP intercept is using intercept mode with timeout, all traffic belonging to the given connection/flow is handled in the software.

b. For other modes of TCP intercept, once the connection is successfully established, the software installs a hardware shortcut to switch the rest of the flow in the hardware.

3. If a connection is not established successfully, no other traffic can belong to that flow.

Policy Routing

Policy routing-required flows are handled in the hardware or the software depending on the route map. If the route map contains only a "match ip address" and the "set" clause contains the "next hop" and the next hop is reachable, then the packet is forwarded in the hardware. When a route map contains multiple "match" clauses, all conditions that are imposed by these match clauses must be met before a packet is policy routed. However, for route maps containing both a match ip address and match length, all traffic matching the ACL in the match ip address clause is forwarded to the software regardless of the match length criteria. For route maps that only contain match length clauses, all packets that are received on the interface are forwarded to the software.

Note The mls ip pbr command is not required (and not supported) on PFC2.

WCCP

HTTP requests subject to WCCP redirection are handled in the software; HTTP replies from the server and the Cache Engine are handled in the hardware.

NAT

NAT-required flows are handled in the software without impacting non-NAT flow forwarding in the hardware.

Unicast RPF Check

The unicast RPF feature is supported in hardware on the PFC2. For ACL-based RPF checks, traffic that is denied by the unicast RPF ACL is forwarded to the MSFC2 for RPF validation.

Caution With ACL-based unicast RPF, packets that are denied by the ACL are sent to the CPU for RPF validation. In the event of DoS attacks, these packets will most likely match the deny ACE and be forwarded to the CPU. Under heavy traffic conditions, this could cause high CPU utilization.

Note Drop-suppress statistics for the ACL-based RPF check is not supported.

Bridge-Groups

Cisco IOS bridge-group ACLs are handled in the software.

Using VACLs with Cisco IOS ACLs

To access control both bridged and routed traffic, you can use VACLs only or a combination of Cisco IOS ACLs and VACLs. You can define Cisco IOS ACLs on both input and output routed-VLAN interfaces, and you can define a VACL to access control the bridged traffic.

If a flow matches a VACL deny or redirect clause in the ACL, irrespective of the Cisco IOS ACL configuration, the flow is denied or redirected. The following caveats apply to Cisco IOS ACLs when used with VACLs:

Packets that require logging on the outbound ACLs are not logged if they are denied by a VACL.

NAT—VACLs are applied on packets before NAT translation. Note that if the translated flow should not be access controlled, the flow might get access controlled after the translation because of the VACL configuration.

Note VACLs have an implicit deny at the end of the list; a packet is denied if it does not match any VACL ACE.

These sections describe Cisco IOS ACL and VACL configuration guidelines and guidelines for Layer 4 operations:

Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines

Layer 4 Operations Configuration Guidelines

Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines

This section describes the guidelines for configuring a Cisco IOS ACL and a VACL on the same VLAN. These guidelines do not apply to configurations where you are mapping Cisco IOS ACLs and VACLs on different VLANs.

The Catalyst 6500 series switch hardware provides one lookup for security ACLs for each direction (input and output); you must merge a Cisco IOS ACL and a VACL when they are configured on the same VLAN. Merging the Cisco IOS ACL with the VACL might significantly increase the number of ACEs.

If you must configure a Cisco IOS ACL and a VACL on the same VLAN, use the following guidelines for both Cisco IOS ACL and VACL configurations.

Note To display the percentage of ACL storage being used, enter the show security acl resource-usage command.

These sections provide Cisco IOS ACL and VACL configuration guidelines and examples:

Using the Implicit Deny Action

Grouping Actions Together

Limiting the Number of Actions

Avoiding Layer 4 Port Information

Estimating Merge Results with Supervisor Engine Software Releases Prior to Release 7.1(1)

Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases

Using the Implicit Deny Action

If possible, use the implicit deny action at the end of an ACL (deny any any) and define ACEs to permit only allowed traffic. You can achieve this same effect by defining all the deny entries, and at the end of the list specifying permit ip any any (see Example 1).

Grouping Actions Together

To define multiple actions in an ACL (permit, deny, redirect), group each action type together. Example 3 shows what can happen when you do not group each type together. In the example, the deny action in line 6 was grouped with permit actions. If this deny action is removed, the result of merging would be 53 entries, instead of 329.

Limiting the Number of Actions

An ACL with only permit ACEs has two actions: permit and deny (because of the implicit deny at the end of the list). An ACL with permit and redirect has three actions: permit, redirect, and deny (because of the implicit deny at the end of the list).

When configuring an ACL, the best merge results are obtained when you specify only two different actions: permit and deny, redirect and permit, or redirect and deny.

Note With supervisor engine software release 7.1(1) or later releases, due to an improved algorithm for merging ACLs, you do not need to limit the number of actions when configuring an ACL.

To specify a redirect and deny ACL, do not use any permit ACEs. To specify a redirect and permit ACL, use permit ACEs, redirect ACEs, and for the last ACE, specify permit ip any any. If you specify permit ip any any, you will override the implicit deny ip any at the end of the list (see Example 4).

Avoiding Layer 4 Port Information

Avoid including Layer 4 information in an ACL; adding this information will complicate the merging process. You will obtain the best merge results if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).

If you need to specify the full flow, follow the recommendations in the "Using the Implicit Deny Action" section and "Grouping Actions Together" section. If you cannot follow the recommendation because the ACL has both IP and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list to prioritize the traffic filtering based on IP addresses.

Estimating Merge Results with Supervisor Engine Software Releases Prior to Release 7.1(1)

Note To see a comparison of the merge results when using supervisor engine software releases before software release 7.1(1) versus software releases 7.1(1) or later releases, see the "Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases" section.

If you follow the ACL guidelines when configuring ACLs, you can get a rough estimate of the merge results for ACLs.

The following formula uses ACL A, ACL B, and ACL C. If ACL C is the result of merging ACL A and ACL B, and you know the size of ACL A and ACL B, you can estimate the upper limit of the size of ACL C when no Layer 4 port information has been specified on ACL A and ACL B, as follows:

size of ACL C = (size of ACL A) x (size of ACL B) x (2)

Note In software releases prior to release 7.1(1), the formula is used as a guideline but the number of entries could go well beyond the predicted range. In software release 7.1(1) and later releases, with the new ACL merge algorithm, the formula is accurate for all cases. If Layer 4 port information is specified, the upper limit could be higher even with the new algorithm. See the "Layer 4 Operations Configuration Guidelines" section for detailed information.

There are two ACL-merge algorithms availablethe binary decision diagram (BDD) and the order dependent merge (ODM). ODM is the enhanced algorithm introduced in software release 7.1(1). The BDD algorithm is used in software releases prior to release 7.1(1). See the "Specifying the ACL-Merge Algorithm" section for detailed configuration information.

These examples show the merge results for various Cisco IOS ACL and VACL configurations. Note that in these examples, one VACL and one Cisco IOS ACL are configured on the same VLAN.

Example 1

This example shows that the VACL does not follow the recommended guidelines (in line 9 a deny action is defined instead of using the implicit deny action at the end of the ACL) and the resultant merge increases the number of ACEs: 

******** VACL  ***********

1  permit udp host 194.72.72.33 194.72.6.160 0.0.0.15

2  permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps

3  permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog

4  permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs

5  permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp

6  permit udp host 193.6.65.17 host 194.72.6.205 gt 1023

7  permit tcp any host 194.72.6.52

8  permit tcp any host 194.72.6.52 eq 113

9  deny tcp any host 194.72.6.51 eq ftp

10 permit tcp any host 194.72.6.51 eq ftp-data

11 permit tcp any host 194.72.6.51

12 permit tcp any eq domain host 194.72.6.51

13 permit tcp any host 194.72.6.51 gt 1023

14 permit ip  any host 1.1.1.1

******** Cisco IOS ACL ************

1  deny ip any host 239.255.255.255

2  permit ip any any

******** MERGE **********

has 91 entries entries

Example 2

In Example 1, if you follow the guidelines and remove line 9 (the implicit deny is then used at the end of the ACL) and modify lines 11 and 12 (lines 11 and 12 are modified so that the traffic that line 9 would have dropped is not permitted), you get the following equivalent ACL with improved merge results: 

******** VACL **********

1  permit udp host 194.72.72.33 194.72.6.160 0.0.0.15

2  permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps

3  permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog

4  permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs

5  permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp

6  permit udp host 193.6.65.17 host 194.72.6.205 gt 1023

7  permit tcp any host 194.72.6.52

8  permit tcp any host 194.72.6.52 eq 113

9  permit tcp any host 194.72.6.51 eq ftp-data

10 permit tcp any host 194.72.6.51 neq ftp

11 permit tcp any eq domain host 194.72.6.51 neq ftp

12 permit tcp any host 194.72.6.51 gt 1023

13 permit ip  any host 1.1.1.1

******** Cisco IOS ACL ************

1  deny ip any host 239.255.255.255

2  permit ip any any

******** MERGE ***********

has 78 entries

Example 3

This example shows that the VACL does not follow the recommended guidelines (all action types are not grouped together), and the resultant merge significantly increases the number of ACEs: 

******** VACL  ***********

1  deny ip 0.0.0.0 255.255.255.0 any

2  deny ip 0.0.0.255 255.255.255.0 any

3  deny ip any 0.0.0.0 255.255.255.0

4  permit ip any host 239.255.255.255

5  permit ip any host 255.255.255.255

6  deny ip any 0.0.0.255 255.255.255.0

7  permit tcp any range 0 65534 any range 0 65534

8  permit udp any range 0 65534 any range 0 65534

9  permit icmp any any

10 permit ip any any

******** Cisco IOS ACL **********

1  deny ip any host 239.255.255.255

2  permit ip any any

******** MERGE **********

has 329 entries

Example 4

This example shows that the VACL does not follow the recommended guidelines (three different actions are specified), and the resultant merge significantly increases the number of ACEs: 

******** VACL  ***********

1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255

2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255

3 deny tcp any any lt 30

4 deny udp any any lt 30

5 permit ip any any

*******  Cisco IOS ACL *********** 

1  deny ip any host 239.255.255.255

2  permit ip any any

*******  MERGE ********** 

has 142 entries

Example 5

This example shows that if you modify the VACL in Example 4 and specify only two different actions, the merge results are significantly improved: 

******** VACL  ***********

1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255

2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255

3 permit ip any any

*******  Cisco IOS ACL ***********

1  deny ip any host 239.255.255.255

2  permit ip any any

*******  MERGE **********

has 4 entries

Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases

In supervisor engine software releases prior to software release 7.1(1), the following formula is true for software release 7.1(1) and later releases: The size of ACL C = (size of ACL A) x (size of ACL B) x (2).

Note In software releases prior to release 7.1(1), the formula is used as a guideline but the number of entries could go well beyond the predicted range. In software release 7.1(1) and later releases, with the new ACL merge algorithm, the formula is accurate for all cases. If Layer 4 port information is specified, the upper limit could be higher even with the new algorithm. See the "Layer 4 Operations Configuration Guidelines" section for detailed information.

There are two ACL-merge algorithms availablethe binary decision diagram (BDD) and the order dependent merge (ODM). ODM is the enhanced algorithm introduced in software release 7.1(1). The BDD algorithm is used in software releases prior to release 7.1(1).See the "Specifying the ACL-Merge Algorithm" section for detailed configuration information.

Examples

These examples show the merge results for various Cisco IOS ACL and VACL configurations. Note that in these examples, one VACL and one Cisco IOS ACL are configured on the same VLAN.

Example 1 

******** VACL  ***********

1  permit udp host 194.72.72.33 194.72.6.160 0.0.0.15

2  permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps

3  permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog

4  permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs

5  permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp

6  permit udp host 193.6.65.17 host 194.72.6.205 gt 1023

7  permit tcp any host 194.72.6.52

8  permit tcp any host 194.72.6.52 eq 113

9  deny tcp any host 194.72.6.51 eq ftp

10 permit tcp any host 194.72.6.51 eq ftp-data

11 permit tcp any host 194.72.6.51

12 permit tcp any eq domain host 194.72.6.51

13 permit tcp any host 194.72.6.51 gt 1023

14 permit ip  any host 1.1.1.1

******** Cisco IOS ACL ************

1  deny ip any host 239.255.255.255

2  permit ip any any

*******  MERGE **********

Using the new algorithm - 17 entries

Using the old algorighm - 91 entries

Example 2 

******** VACL  **********

1  permit udp host 194.72.72.33 194.72.6.160 0.0.0.15

2  permit udp host 147.150.213.94 194.72.6.64 0.0.0.15 eq bootps

3  permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog

4  permit udp host 167.221.23.1 host 194.72.6.198 eq tacacs

5  permit udp 194.72.136.1 0.0.3.128 194.72.6.64 0.0.0.15 eq tftp

6  permit udp host 193.6.65.17 host 194.72.6.205 gt 1023

7  permit tcp any host 194.72.6.52

8  permit tcp any host 194.72.6.52 eq 113

9  permit tcp any host 194.72.6.51 eq ftp-data

10 permit tcp any host 194.72.6.51 neq ftp

11 permit tcp any eq domain host 194.72.6.51 neq ftp

12 permit tcp any host 194.72.6.51 gt 1023

13 permit ip  any host 1.1.1.1

******** Cisco IOS ACL ************

1  deny ip any host 239.255.255.255

2  permit ip any any

******** MERGE ***********

Using the new algorithm - 16 entries

Using the old algorithm - 78 entries

Example 3 

******** VACL  ***********

1  deny ip 0.0.0.0 255.255.255.0 any

2  deny ip 0.0.0.255 255.255.255.0 any

3  deny ip any 0.0.0.0 255.255.255.0

4  permit ip any host 239.255.255.255

5  permit ip any host 255.255.255.255

6  deny ip any 0.0.0.255 255.255.255.0

7  permit tcp any range 0 65534 any range 0 65534

8  permit udp any range 0 65534 any range 0 65534

9  permit icmp any any

10 permit ip any any

******** Cisco IOS ACL **********

1  deny ip any host 239.255.255.255

2  permit ip any any

******** MERGE **********

Using the new algorithm - 12 entries

Using the old algorithm - 303 entries

Example 4 

******** VACL  ***********

1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255

2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255

3 deny tcp any any lt 30

4 deny udp any any lt 30

5 permit ip any any

*******  Cisco IOS ACL *********** 

1  deny ip any host 239.255.255.255

2  permit ip any any

*******  MERGE ********** 


Using the new algorithm - 6 entries

Using the old algorithm - 142 entries

Example 5 

******** VACL  ***********

1 redirect 4/25 tcp host 192.168.1.67 host 255.255.255.255

2 redirect 4/25 udp host 192.168.1.67 host 255.255.255.255

3 permit ip any any

*******  Cisco IOS ACL ***********

1  deny ip any host 239.255.255.255

2  permit ip any any

*******  MERGE **********


Using the new algorithm - 4 entries

Using the old algorithm - 4 entries

Layer 4 Operations Configuration Guidelines

These sections provide the guidelines for using Layer 4 port operations:

Determining Layer 4 Operation Usage

Determining Logical Operation Unit Usage

Determining Layer 4 Operation Usage

The switch hardware allows you to specify these types of operations:

gt (greater than)

lt (less than)

neq (not equal)

eq (equal)

range (inclusive range)

We recommend that you do not specify more than nine different operations on the same ACL. If you exceed this number, each new operation might cause the affected ACE to be translated into more than one ACE.

Note If you have a Cisco IOS ACL and a VACL on the same VLAN interface, the recommended total number of Layer 4 operations is still nine or less.

Use the following two guidelines to determine Layer 4 operation usage:

1. Layer 4 operations are considered different if the operator or the operand differ. For example, in this ACL there are four different Layer 4 operations ("gt 10" and "gt 11" are considered two different Layer 4 operations): 

... gt 10 permit

... lt 9 deny

... gt 11 deny

... neq 6 redirect

Note There is no limit to the use of "eq" operators because the "eq" operator does not use a logical operator unit (LOU) or a Layer 4 operation bit. See the "Determining Logical Operation Unit Usage" section for a description of LOUs.

2. Layer 4 operations are considered different if the same operator/operand couple applies once to a source port and once to a destination port. For example, in this ACL there are two different Layer 4 operations because one ACE applies to the source port and one applies to the destination port. 

... Src gt 10 ...

... Dst gt 10

Note Check the ACL Layer 4 port operations resource usage using the show security acl resource-usage command.

Determining Logical Operation Unit Usage

LOUs are registers that store operator/operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator/operand couples with the exception of the range
operator. LOU usage per Layer 4 operation is as follows:

gt uses 1/2 LOU

lt uses 1/2 LOU

neq uses 1/2 LOU

range uses 1 LOU

eq does not require a LOU

For example, this ACL would use a single LOU to store two different operator/operand couples: 

... Src gt 10 ...

... Dst gt 10

A more detailed example follows: 

ACL1

... (dst port) gt 10 permit

... (dst port) lt 9 deny

... (dst port) gt 11 deny

... (dst port) neq 6 redirect

... (src port) neq 6 redirect

... (dst port) gt 10 deny


ACL2

... (dst port) gt 20 deny

... (src port) lt 9 deny

... (src port) range 11 13 permit

... (dst port) neq 6 redirect

The Layer 4 operations and LOU usage is as follows:

ACL1 Layer 4 operations: 5

ACL2 Layer 4 operations: 4

LOUs: 4

An explanation of the LOU usage follows:

LOU 1 stores "gt 10" and "lt 9"

LOU 2 stores "gt 11" and "neq 6"

LOU 3 stores "gt 20" (with space for one more)

LOU 4 stores "range 11 13" (range needs the entire LOU)

Using VACLs in your Network

This section describes some typical uses for VACLs and includes the following:

Wiring Closet Configuration

Redirecting Broadcast Traffic to a Specific Server Port

Restricting the DHCP Response for a Specific Server

Denying Access to a Server on Another VLAN

Restricting ARP Traffic

Inspecting ARP Traffic

Configuring ACLs on Private VLANs

Capturing Traffic Flows

Wiring Closet Configuration

In a wiring closet configuration, Catalyst 6500 series switches might not be equipped with MSFCs (routers). In this configuration, the switch can still support a VACL and a QoS ACL. Suppose that Host X and Host Y are in different VLANs and are connected to wiring closet Switch A and Switch C (see Figure 16-4). Traffic from Host X to Host Y is eventually being routed by the switch equipped with the MSFC. Traffic from Host X to Host Y can be access controlled at the traffic entry point, Switch A.

If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VACL on Switch A. All HTTP traffic from Host X to Host Y would be dropped at Switch A and not be bridged to the switch with the MSFC.

Figure 16-4 Wiring Closet Configuration

Redirecting Broadcast Traffic to a Specific Server Port

Some application traffic uses broadcast packets that reach every host in a VLAN. With VACLs, you can redirect these broadcast packets to the intended application server port.

Figure 16-5 shows an application broadcast packet from Host A being redirected to the target application server port and preventing other ports from receiving the packet.

To redirect broadcast traffic to a specific server port, perform this task in privileged mode (TCP port 5000 is the intended server application port):

 
Task
Command

Step 1 

Redirect the broadcast packets.

set security acl ip SERVER redirect 4/1 tcp any host 255.255.255.255 eq 5000

Step 2 

Permit all other traffic.

set security acl ip SERVER permit ip any any

Step 3 

Commit the VACL.

commit security acl SERVER

Step 4 

Map the VACL to VLAN 10.

set security acl map SERVER 10

Note You could apply the same concept to direct broadcast traffic to a multicast destination by redirecting the traffic to a group of ports (see Figure 16-5).

Figure 16-5 Redirecting Broadcast Traffic to a Specific Server Port

Restricting the DHCP Response for a Specific Server

When Dynamic Host Configuration Protocol (DHCP) requests are broadcast, they reach every DHCP server in the VLAN and multiple responses are returned. With VACLs, you can restrict the response from a specific DHCP server and drop the other responses.

To restrict DHCP responses for a specific server, perform this task in privileged mode (the target DHCP server IP address is 1.2.3.4):

 
Task
Command

Step 1 

Permit a DHCP response from host 1.2.3.4.

set security acl ip SERVER permit udp host 1.2.3.4 any eq 68

Step 2 

Deny DHCP responses from any other host.

set security acl ip SERVER deny udp any any eq 68

Step 3 

Permit other IP traffic.

set security acl ip SERVER permit any

Step 4 

Commit the VACL.

commit security acl SERVER

Step 5 

Map the VACL to VLAN 10.

set security acl map SERVER 10

Figure 16-6 shows that only the target server returns a DHCP response from the DHCP request.

Figure 16-6 Redirect DHCP Response for a Specific Server

Denying Access to a Server on Another VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 16-7):

Hosts in subnet 10.1.2.0/24 in VLAN 20 should not have access.

Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

To deny access to a server on another VLAN, perform this task in privileged mode:

 
Task
Command

Step 1 

Deny traffic from hosts in subnet 10.1.2.0/8.

set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100

Step 2 

Deny traffic from host 10.1.1.4.

set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100

Step 3 

Deny traffic from host 10.1.1.8.

set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100

Step 4 

Permit other IP traffic.

set security acl ip SERVER permit ip any any

Step 5 

Commit the VACL.

commit security acl SERVER

Step 6 

Map the VACL to VLAN 10.

set security acl map SERVER 10

Figure 16-7 Deny Access to a Server on Another VLAN

Restricting ARP Traffic

Note This feature is only available with Supervisor Engine 2 with PFC2.

ARP traffic is permitted on each VLAN by default. You can disallow ARP traffic on a per-VLAN basis using the set security acl ip acl_name deny arp command. When you enter this command, ARP traffic is disallowed on the VLAN to which the ACL is mapped. To allow ARP traffic on a VLAN that has had ARP traffic disallowed, enter the set security acl ip acl_name permit arp command.

Inspecting ARP Traffic

Note This feature is only available with Supervisor Engine 2 with PFC2.

These sections describe the ARP traffic inspection feature:

Overview

Implementation

ARP Traffic Inspection Configuration Guidelines

ARP Traffic Inspection Configuration Procedures

Overview

ARP is a simple protocol that does not have an authentication mechanism so there is no way to ensure that ARP requests and replies are genuine. Without an authentication mechanism, a malicious user/host can corrupt the ARP tables of the other hosts on the same VLAN in a Layer 2 network or bridge domain.

For example, user/Host A (the malicious user) can send unsolicited ARP replies (or gratuitous ARP packets) to other hosts on the subnet with the IP address of the default router and the MAC address of Host A. With some earlier operating systems, even if a host already has a static ARP entry for the default router, the newly advertised binding from Host A is learned. If Host A enables IP forwarding and forwards all packets from the "spoofed" hosts to the router and vice versa, then Host A can carry out a man-in-the-middle attack (for example, using the program dsniff) without the spoofed hosts realizing that all of their traffic is being sniffed.

The ARP inspection feature allows you to configure a set of order-dependent rules within the security ACL (VACL) framework to prevent ARP table attacks.

Implementation

If a specific rule in ARP traffic inspection exists in the VACL on a VLAN, all ARP packets are index-directed to the CPU through the ACEs in the VACL. The packets are inspected by the ARP inspection task for conformance to the specified rules. Conforming packets are forwarded while nonconforming packets are dropped and logged (if logging is enabled).

The rules for ARP traffic inspection specify the ARP bindings for specified IP addresses as shown in the example that follows: 

permit arp-inspection host 10.0.0.1 00-00-00-01-00-02

permit arp-inspection host 20.0.0.1 00-00-00-02-00-03

deny arp-inspection host 10.0.0.1 any

deny arp-inspection host 20.0.0.1 any

permit arp-inspection any any

The above set of rules allows only 00-00-00-01-00-02 to be advertised as the MAC address for IP address 10.0.0.1. Similarly, MAC address 00-00-00-02-00-03 is bound to IP address 20.0.0.1. ARP packets advertising any other MAC addresses for 10.0.0.1 and 20.0.0.1 are dropped (achieved by the deny actions in lines 3 and 4). All other ARP packets are allowed to go through (achieved by the permit action in line 5).

ARP Traffic Inspection Configuration Guidelines

This section describes the guidelines for configuring ARP traffic inspection:

The ARP inspection clauses appear at the top of a VACL.

The maximum number of ARP inspection clauses that can be configured in a VACL is 32.

The maximum number of characters for an ACL containing ARP inspection clauses is 29 characters.

An ARP inspection ACE cannot be modified to become an IP ACE and vice versa.

An ARP inspection ACE cannot be inserted before an IP ACE and vice versa.

Do not use the generic deny/permit clauses with the ARP inspection clauses in the same VACL. The generic ARP deny/permit clauses are installed using the set security acl ip acl_name {deny | permit} arp command.

If the MSFC is the gateway for the hosts, you must allow the MSFC IP/MAC binding. We recommend that the gateway IP/MAC binding be allowed when using the ARP inspection feature.

ARP inspection uses the existing logging facility for VACLs. After a packet traverses the ARP inspection rules, if the result is a "permit," the packet is forwarded to the destination MAC address (or broadcast address). If the result is a "deny," the packet is dropped and sent to the VACL logging process if logging is enabled.

VACL logging uses the source MAC address and the following fields from the ARP header to define a logging flow: source IP address, source MAC address, and ARP opcode (request, reply).

You can limit the number of logged flows by using the set security acl log maxflow max_flows command. However, the set security acl log ratelimit max_rate command does not apply to ARP inspection logged flows.

RARP packets are not used to learn ARP entries on hosts and are harmless from an ARP corruption perspective. The PFC2 does not distinguish between ARP and RARP packets. An ACE that is used to redirect ARP packets to the CPU also redirects RARP packets. Global rate limiting is a rate limit for ARP and RARP packets combined. The ARP traffic inspection rules are not applied to RARP packets; the RARP packets are simply forwarded. A generic ARP deny clause also denies RARP packets. You can display the number of RARP packets that are forwarded by entering the show security acl arp-inspection statistics command.

Mapping VACLs with the ARP traffic inspection clauses to management VLANs (sco/sc1 interfaces) is not supported.

Even if a port is part of an EtherChannel, the drop and shutdown thresholds remain port based. The thresholds are not part of the match that is required for formation of an EtherChannel (after PAgP identifies matched EtherChannel links, it groups the ports into an EtherChannel).

Due to the way the hardware recognizes ARP packets, IP packets with source address 0.0.0.0, destination address 0.0.0.0, and the IP protocol ICMP, are also redirected to the ARP inspection task. Because these are invalid packets, they are dropped. The count of these packets is displayed as part of the show security acl arp-inspection statistics command.

If syslogs are generated for every packet that is dropped by the ARP traffic inspection task, the console is overwhelmed with messages. To avoid this situation, only 40 syslogs are allowed per minute.

This example shows you how to avoid a common configuration error. The following is a typical ARP-inspection ACL: 

------------------------------

set security acl ip my_arp

---------------------------------------------------

arp permit

1. permit arp-inspection host 10.6.62.86 00-b0-c2-3b-db-fd

2. deny arp-inspection host 10.6.62.86 any

3. permit arp-inspection any any

---------------------------

This ACL ensures that only MAC address 00-b0-c2-3b-db-fd is advertised as the MAC address for IP address 10.6.62.86. The problem with this ACL is that this will deny all IP packets because there is an implicit ip deny any any in an IP ACL.

Therefore, if you want all IP traffic to pass through, there should be an explicit permit ip any any at the end of the ACL as follows: 

--------------------

set security acl ip my_arp

---------------------------------------------------

arp permit

1. permit arp-inspection host 10.6.62.86 00-b0-c2-3b-db-fd

2. deny arp-inspection host 10.6.62.86 any

3. permit arp-inspection any any

4. permit ip any any

----------------------

This example shows a typical configuration using ARP traffic inspection. The following ACL is used to protect the two IP addresses that are specified and will not do ARP inspection with any MAC addresses other than those specified: 

set security acl ip ACL_VLAN951 permit arp-inspection host 132.216.251.129 
00-d0-b7-11-13-14

set security acl ip ACL_VLAN951 deny arp-inspection host 132.216.251.129 any log

set security acl ip ACL_VLAN951 permit arp-inspection host 132.216.251.250 
00-d0-00-ea-43-fc

set security acl ip ACL_VLAN951 deny arp-inspection host 132.216.251.250 any log

set security acl ip ACL_VLAN951 permit arp-inspection any any 

set security acl ip ACL_VLAN951 permit ip any any

ARP Traffic Inspection Configuration Procedures

These sections describe the ARP traffic inspection configuration procedures:

Configuring ARP Inspection

Permitting or Denying ARP Packets Advertising a Specific IP-Address-to-MAC-Address Binding

Permitting or Denying ARP Packets Advertising a Particular IP Address Binding

Permitting or Denying All ARP Packets

Permitting or Denying ARP Packets that Advertise Bindings for IP Addresses on a Particular Network

Dropping Packets Without Matching MAC Addresses

Dropping Packets with Invalid MAC or IP Addresses

Displaying ARP Inspection Statistics

Clearing ARP Inspection Statistics

Configuring Rate Limiting for ARP Inspection

Configuring Rate Limiting on a Global Basis

Configuring Rate Limiting on a Per-Port Basis

Configuring the Errdisable-Timeout Option for ARP Inspection

Configuring Logging for ARP Inspection

Configuring Logging for ARP Inspection

Permitting or Denying ARP Packets Advertising a Specific IP-Address-to-MAC-Address Binding

To permit or deny ARP packets that advertise a binding for a specific IP address and MAC address, perform this task in privileged mode:

 
Task
Command

Step 1 

Permit or deny ARP packets that advertise a binding for a specific IP address and MAC address.

set security acl ip acl_name {permit | deny} arp-inspection host ip_address mac_address

Step 2 

Commit the VACL.

commit security acl {acl_name | all | adjacency}

This example shows how to permit ARP packets that advertise a binding of IP address 172.20.52.54 to MAC address 00-01-64-61-39-c2:

Console> (enable) set security acl ip ACL1 permit arp-inspection host 172.20.52.54 00-01-64-61-39-c2

Operation successful.
Console> (enable) commit security acl ACL1

Console> (enable) ACL commit in progress.

ACL 'ACL1' successfully committed.

Permitting or Denying ARP Packets Advertising a Particular IP Address Binding

To permit or deny ARP packets that advertise a binding for the specified IP address, perform this task in privileged mode:

 
Task
Command

Step 1 

Permit or deny ARP packets that advertise a binding for the specified IP address.

set security acl ip acl_name {permit | deny} arp-inspection host ip_address any

Step 2 

Commit the VACL.

commit security acl {acl_name | all | adjacency}

This example shows how to permit ARP packets that advertise a binding of IP address 172.20.52.19: 

Console> (enable) set security acl ip ACL2 permit arp-inspection host 172.20.52.19 any

Operation successful.

Console> (enable) commit security acl ACL2

Console> (enable) ACL commit in progress.

ACL 'ACL2' successfully committed.

Permitting or Denying All ARP Packets

To permit or deny all ARP packets, perform this task in privileged mode:

 
Task
Command

Step 1 

Permit or deny all ARP packets.

set security acl ip acl_name {permit | deny} arp-inspection any any

Step 2 

Commit the VACL.

commit security acl {acl_name | all | adjacency}

This example shows how to permit all ARP packets: 

Console> (enable) set security acl ip ACL3 permit arp-inspection any any

Operation successful.

Console> (enable) commit security acl ACL3

Console> (enable) ACL commit in progress.

ACL 'ACL3' successfully committed.

Permitting or Denying ARP Packets that Advertise Bindings for IP Addresses on a Particular Network

To permit or deny ARP packets that advertise bindings for IP addresses on a particular network, perform this task in privileged mode:

Note The ip_mask is a reverse mask. The "0" bit means "match" and the "1" bit means "ignore." For example, 10.3.5.6 and 0.0.0.255 are equivalent to 10.3.5/24.

 
Task
Command

Step 1 

Permit or deny ARP packets that advertise a binding for IP addresses on a particular network.

set security acl ip acl_name {permit | deny} arp-inspection ip_address ip_mask any

Step 2 

Commit the VACL.

commit security acl {acl_name | all | adjacency}

This example shows how to permit ARP packets that advertise bindings for IP addresses on the 10.3.5.0/24 subnet: 

Console> (enable) set security acl ip ACL4 permit arp-inspection 10.3.5.6 0.0.0.255 any

Operation successful.

Console> (enable) commit security acl ACL4

Console> (enable) ACL commit in progress.

ACL 'ACL4' successfully committed.

Dropping Packets Without Matching MAC Addresses

To drop packets where the source Ethernet MAC address (in the Ethernet header) is not the same as the source MAC address in the ARP header, perform this task in privileged mode. If you do not specify the drop option, the packet is not dropped but a syslog message is displayed. Use the log option to send the packets to the VACL logging facility.

Tip In most cases, using the match-mac clause to prevent ARP spoofing does not negate the need to create a specific ARP-inspection ACL for each VLAN. The match-mac clause does not catch the more sophisticated ARP table attacks. Most ARP spoofers change the source MAC address in the Ethernet header to match the address in the ARP payload.

 
Task
Command

Step 1 

Identify or drop packets without matching MAC addresses.

set security acl arp-inspection match-mac {enable [drop [log]] | disable}

Step 2 

Commit the VACL.

commit security acl {acl_name | all | adjacency}

Step 3 

Display the configuration.

show security acl arp-inspection config

This example shows how to drop packets where the source Ethernet MAC address is not the same as the source MAC address in the ARP header: 

Console> (enable) set security acl arp-inspection match-mac enable drop

ARP Inspection match-mac feature enabled with drop option.

Console> (enable) 


Console> (enable) show security acl arp-inspection config

Match-mac feature is enabled with drop option.

Console> (enable)

Dropping Packets with Invalid MAC or IP Addresses

The following MAC addresses are invalid:

00-00-00-00-00-00

Multicast MAC addresses (the 48th bit is set)

ff-ff-ff-ff-ff-ff (this is a special case multicast MAC address)

The following IP addresses are invalid:

0.0.0.0

255.255.255.255

Class D (multicast) IP addresses

To drop packets with invalid MAC or IP addresses, perform this task in privileged mode (if you do not specify the drop option, the packet is not dropped but a syslog message is displayed):

 
Task
Command

Step 1 

Drop packets with invalid MAC or IP addresses.

set security acl arp-inspection address-validation {enable [drop [log]] | disable}

Step 2 

Commit the VACL.

commit security acl {acl_name | all | adjacency}

Step 3 

Display the configuration.

show security acl arp-inspection config

This example shows how to drop packets with invalid MAC or IP addresses: 

Console> (enable) set security acl arp-inspection address-validation enable drop

ARP Inspection address-validation feature enabled with drop option.

Console> (enable) 


Console> (enable) show security acl arp-inspection config

Address-validation feature is enabled with drop option.

Console> (enable)

Displaying ARP Inspection Statistics

To display the number of packets that are permitted and denied by the ARP inspection task, perform this task in normal mode:

Task
Command

Display the number of packets that are permitted and denied by the ARP inspection task.

show security acl arp-inspection statistics [acl_name]


Note You can use the show security acl commands to display certain ARP inspection configuration information.

This example shows how to display the number of packets that are permitted and denied by the ARP inspection task: 

Console> (enable) show security acl arp-inspection statistics

ARP Inspection statistics

Packets forwarded = 0

Packets dropped = 0

RARP packets (forwarded) = 0

Packets for which Match-mac failed = 0

Packets for which Address Validation failed = 0

IP packets dropped = 0

Console> (enable)

Clearing ARP Inspection Statistics

To clear ARP inspection statistics, perform this task in privileged mode:

Task
Command

Clear ARP inspection statistics.

clear security acl arp-inspection statistics [acl_name]


Without the optional argument, entering the command clears the ARP inspection global statistics counters and ARP inspection statistics counters for all the ACLs. If you supply the optional acl_name argument, only the ARP inspection statistics for that particular ACL are cleared.

Note You can use the clear security acl commands to clear ARP inspection configuration settings.

Configuring Rate Limiting on a Global Basis

You can rate limit the number of ARP inspection packets that are sent to the supervisor engine CPU on a global basis. By default, ARP inspection traffic is rate limited to 500 packets per second. The minimum value is 0, and the maximum value is 1000 packets per second.

Note The rate limiting option might be shared by multiple features. To display the features that share rate limiting, enter the show security acl feature ratelimit command.

To rate limit the number of ARP inspection packets that are sent to the CPU on a global basis, perform this task in privileged mode:

 
Task
Command

Step 1 

Rate limit the number of ARP inspection packets that are sent to the supervisor engine CPU on a global basis.

set security acl feature ratelimit rate

Step 2 

Display the global rate limit value.

show security acl feature ratelimit

This example shows how to rate limit the number of ARP inspection packets that are sent to the CPU to 1000: 

Console> (enable) set security acl feature ratelimit 1000

Dot1x DHCP and ARP Inspection global rate limit set to 1000 pps.

Console> (enable) 


Console> (enable) show security acl feature ratelimit

Rate limit value in packets per second = 1000

Protocols set for rate limiting = Dot1x DHCP, ARP Inspection 

Console> (enable)

Configuring Rate Limiting on a Per-Port Basis

You can rate limit the number of ARP inspection packets that are sent to the supervisor engine CPU on a per-port basis. If the rate exceeds the drop-threshold, the excess packets are dropped (and counted toward the shutdown-threshold limit). If the rate exceeds the shutdown-threshold, the port that is specified by mod/port is shutdown. By default, both threshold values are 0 (no per-port rate limiting is applied). The maximum value for both thresholds is 1000 packets-per second (pps).

To rate limit the number of ARP inspection packets that are sent to the CPU on a per-port basis, perform this task in privileged mode:

 
Task
Command

Step 1 

Rate limit the number of ARP inspection packets that are sent to the supervisor engine CPU on a per-port basis.

set port arp-inspection mod/port drop-threshold packets_per_second shutdown-threshold packets_per_second

set port arp-inspection mod/port drop-threshold packets_per_second

set port arp-inspection mod/port shutdown-threshold packets_per_second

Step 2 

Display the drop and shutdown thresholds.

show port arp-inspection {[mod/port] | [mod]}

This example shows how to rate limit the number of ARP inspection packets that are sent to the CPU on a per-port basis. The drop-threshold is set to 700 and the shutdown-threshold is set to 800 for port 3/1: 

Console> (enable) set port arp-inspection 3/1 drop-threshold 700 shutdown-threshold 800

Drop Threshold=700, Shutdown Threshold=800 set on port 3/1.

Console> (enable) 


Console> (enable) show port arp-inspection 3/1

Port                      Drop Threshold Shutdown Threshold

------------------------  -------------- ------------------

 3/1                                 700                800

Console> (enable)

Configuring the Errdisable-Timeout Option for ARP Inspection

You configure the errdisable-timeout option for ARP inspection by using the set errdisable-timeout {enable | disable} arp-inspection command. For detailed information on the errdisable-timeout option, see the "Configuring a Timeout Period for Ports in errdisable State" section on page 4-11.

Configuring Logging for ARP Inspection

To configure the logging option to log ARP inspection packets that are dropped, perform this task in privileged mode:

Task
Command

Log ARP inspection packets that are dropped.

set security acl ip acl_name deny arp-inspection {host ip_address {any | mac_address} | ip_address ip_mask any | any any} [log]


For detailed information on the VACL logging option, see the "Configuring VACL Logging" section. This section also provides information on limiting the number of logged flows using the set security acl log maxflow max_number command.

To display the logged ARP inspection packets, perform this task in normal mode:

Task
Command

Display the logged ARP inspection packets.

show security acl log flow arp [host ip_address [vlan vlan]]


If you specify the optional host IP address, only ARP packets that advertise a binding for the specified host IP address are displayed. If you specify the optional vlan vlan argument, the search is restricted to the specified VLAN.

Configuring ACLs on Private VLANs

Private VLANs allow you to split a primary VLAN into sub-VLANs (secondary VLANs) that can be either community VLANs or isolated VLANs. In releases prior to software release 6.1(1), you could configure ACLs on a primary VLAN only and the ACL would then be applied to all the secondary VLANs. In software release 6.1(1) and later releases, ACLs can be applied as follows:

You can map VACLs to secondary VLANs or primary VLANs.

Cisco IOS ACLs that are mapped to a primary VLAN get mapped to the associated secondary VLANs.

You cannot map Cisco IOS ACLs to secondary VLANs.

You cannot map dynamic ACEs to a private VLAN.

You can map QoS ACLs to secondary VLANs or primary VLANs.

If you map a VACL to a primary VLAN, it filters the traffic from the router to the host and if you map a VACL to a secondary VLAN, it filters the traffic from the host to the router.

Note With software release 6.2(1) and later releases, you can use two-way community VLANs to perform an inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary of a private VLAN through a promiscuous port. Both outbound and inbound traffic can be carried on the same VLAN allowing VLAN-based VACLs to be applied in both directions on a per-community (per customer) basis.

Note For additional information on private VLANs, see the "Configuring Private VLANs on the Switch" section on page 11-14.

Capturing Traffic Flows

See the "Capturing Traffic Flows on Specified Ports" section for complete configuration details.

Unsupported Features

This section lists the ACL-related features that are not supported or have limited support on the Catalyst 6500 series switches:

Non-IP version 4/non-IPX Cisco IOS ACLs—The following types of Cisco IOS security ACLs cannot be enforced on the switch in the hardware; the MSFC has to process the ACL in the software and this significantly degrades system performance:

Bridge-group ACLs

IP accounting

Inbound and outbound rate limiting

Standard IPX with source node number

IPX extended access lists that specify a source node number or socket numbers are not enforced in the hardware

Standard XNS access list

Extended XNS access list

DECnet access list

Extended MAC address access list

Protocol type-code access list

IP packets with a header length of less than five will not be access controlled.

Non full-flow IPX VACL—IPX VACL is based on a flow that is specified by a source/destination network number, packet type, and destination node number only. The source node number and socket number are not supported when specifying the IPX flow.

Configuring VACLs on the Switch

This section describes how to configure VACLs. Prior to performing any configuration tasks, see the "VACL Configuration Guidelines" section.

These sections provide the guidelines and a summary for configuring VACLs:

VACL Configuration Guidelines

VACL Configuration Summary

Configuring VACLs from the CLI

VACL Configuration Guidelines

This section describes the guidelines for configuring VACLs:

Caution All changes to ACLs are stored temporarily in an edit buffer. You must enter the commit command to commit all ACEs to NVRAM. Committed ACLs with no ACEs are deleted. We recommend that you enter ACEs in batches and enter the commit command to save all the changes to NVRAM.

Note You can configure Cisco IOS ACLs and VACLs from Flash memory instead of NVRAM. See the "Configuring and Storing VACLs and QoS ACLs in Flash Memory" section for detailed information.

See the "Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface Guidelines" section.

See the "Using VACLs in your Network" section for configuration examples.

See the "Unsupported Features" section.

See the "Specifying the ACL-Merge Algorithm" section.

You must commit a VACL before you can map it to a VLAN. There are no default VACLs and no default VACL-to-VLAN mappings.

If no Cisco IOS ACL is configured to deny traffic on a routed VLAN interface (input or output), and no VACL is configured, all traffic is permitted.

The order of ACEs in an ACL is important. A packet that comes into the switch is applied against the first ACE in the ACL. If there is no match, the packet is applied against the next ACE in the list. If no ACEs match, the packet is denied (dropped).

Always enter the show security acl info acl_name editbuffer command to see the current list of ACEs before making any changes to the edit buffer.

In systems with redundant MSFCs, the ACL configurations for Cisco IOS ACLs and VACLs must be the same on both MSFCs.

The system might incorrectly calculate the maximum number of ACLs in the system if an ACL is deleted but not committed.

The show security acl resource-usage and show qos acl resource-usage commands might not show 100 percent usage even if there is no space in the hardware to store more ACLs. This situation occurs because some ACL space is reserved in hardware for the ACL manager to perform cleanup and mapping if necessary.

The system might take longer to boot if you configure a very large number of ACLs.

Note these guidelines for using the redirect option:

Redirected packets can only go out a port that supports the VLAN that the traffic is in.

The redirect option only involves taking packets and sending them out the redirect port; there is no routing involved.

If packets are coming in from many VLANs, the redirect port should have those VLANs in forwarding state. You might have to configure the redirect port as a trunk to allow multiple VLANs to go out of the port.

Put caches in promiscuous mode so they can receive traffic that is not routed.

Use the redirect option to do some basic VLAN-based load balancing by redirecting traffic to multiple ports. Each port transmits only those packets that belong to the VLANs that are forwarding on the port.

VACL Configuration Summary

To create a VACL and map it to a VLAN, perform these steps:

Step 1 Enter the set security acl ip command to create a VACL and add ACEs.

Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.

Step 3 Enter the set security acl map command to map the VACL to a VLAN.

Note An IP VACL is used in this description; you can configure IPX and non-IP
version 4/non-IPX VACLs using the same basic steps.

Note VACLs have an implicit deny feature at the end of the list; a packet is denied if it does not match any VACL ACE.

Configuring VACLs from the CLI

This section describes how to create and activate VACLs on the Catalyst 6500 series switches. These tasks are listed in the order that they should be performed.

This section describes the following tasks:

Specifying the ACL-Merge Algorithm

Creating an IP VACL and Adding ACEs

Creating an IPX VACL and Adding ACEs

Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

Committing ACLs

Mapping a VACL to a VLAN

Showing the Contents of a VACL

Showing VACL-to-VLAN Mapping

Clearing the Edit Buffer

Removing ACEs from Security ACLs

Clearing the Security ACL Map

Displaying VACL Management Information

Capturing Traffic Flows on Specified Ports

Configuring VACL Logging

Specifying the ACL-Merge Algorithm

Two ACL-merge algorithms are availablethe binary decision diagram (BDD) and the order dependent merge (ODM). ODM is the enhanced algorithm introduced in software release 7.1(1). The BDD algorithm is used in software releases prior to release 7.1(1). With ODM, after the merge, the resultant ACEs are order dependent. With BDD, after the merge, the resultant ACEs are order independent.

Note For examples of the ODM algorithm, see the "Estimating Merge Results with Supervisor Engine Software Releases 7.1(1) or Later Releases" section.

The default algorithm is ODM. If BDD is disabled, the merge algorithm can only be ODM. When BDD is enabled, you can choose either the BDD algorithm or the ODM algorithm. BDD must be enabled in order to change the ACL merge algorithm. Use the set aclmerge bdd command to enable or disable BDD. When you enable or disable BDD, the change takes effect when your system is restarted.

Caution Enabling BDD on a supervisor engine with 64-MB DRAM could cause memory to run low. To avoid this situation, upgrade the memory to 128 MB or disable BDD.

The ACL merge algorithm that you select is in effect for all new ACL merges. The ACLs already configured are not modified and use the ACL merge algorithm that was enabled when the ACLs were merged.

To enable or disable BDD, perform this task in privileged mode:

 
Task
Command

Step 1 

Enable or disable BDD.

set aclmerge bdd {enable | disable}

Step 2 

Display the current BDD status and whether BDD will be enabled or disabled at the next system restart.

show aclmerge {bdd | algo}

This example shows how to disable BDD: 

Console> (enable) set aclmerge bdd disable

Bdd will be disabled on system restart.

Console> (enable)

This example shows current BDD status and whether BDD will be enabled or disabled at the next system restart: 

Console> (enable) show aclmerge bdd

Bdd is not enabled.

On system restart bdd will be disabled.

Console> (enable)

To specifiy the ACL-merge algorithm, perform this task in privileged mode:

 
Task
Command

Step 1 

Specify the ACL-merge algorithm.

set aclmerge algo {bdd | odm}

Step 2 

Display the ACL-merge algorithm currently in use.

show aclmerge {bdd | algo}

This example shows how to specify the ODM algorithm: 

Console> (enable) set aclmerge algo odm

Acl merge algorithm set to odm.

Console> (enable)

This example shows the ACL-merge algorithm currently in use: 

Console> (enable) show aclmerge algo

Current acl merge algorithm is odm.

Console> (enable)

Creating an IP VACL and Adding ACEs

To create a new IP VACL and add ACEs, or to add ACEs to an existing IP VACL, perform these tasks in privileged mode:

Task
Command

If an IP protocol specification is not required, use the following syntax.

If an IP protocol is specified, use the following syntax.

set security acl ip {acl_name} {permit | deny} {src_ip_spec} [capture]
[before editbuffer_index | modify editbuffer_index] [log1 ]

set security acl ip {acl_name} {permit | deny | redirect mod_num/
port_num} {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index] [log1]

1 The log keyword provides logging messages for denied IP VACLs only.


This example shows how to create an ACE for IPACL1 to allow traffic from source address 172.20.53.4: 

Console> (enable) set security acl ip IPACL1 permit host 172.20.53.4 0.0.0.0

IPACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

Note Because VACLs have an implicit deny feature at the end of the list, all other traffic is denied.

This example shows how to create an ACE for IPACL1 to allow traffic from all source addresses: 

Console> (enable) set security acl ip IPACL1 permit any

IPACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to create an ACE for IPACL1 to block traffic from source address 171.3.8.2: 

Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2

IPACL1 editbuffer modified.  Use `commit' command to apply changes.

Console> (enable)

This example shows how to display the contents of the edit buffer: 

Console> (enable) show security acl info IPACL1 editbuffer

set security acl ip IPACL1

-----------------------------------------------------------------

1. permit ip host 172.20.53.4 any

2. permit ip any any

3. deny ip host 171.3.8.2 any

Console> (enable)

This example shows how to commit the ACEs to NVRAM: 

Console> (enable) commit security acl all

ACL commit in progress.

ACL IPACL1 is committed to hardware.

Console> (enable)

Note For more information about the commit security acl all command, see the "Committing ACLs" section.

Enter the show security acl info IPACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

This example shows how to create an ACE for IPACL2 to block traffic from source address 172.20.3.2 and place this ACE before ACE number 2 in the VACL. Optionally, you can use the modify keyword to replace an existing ACE with a new ACE. Enter the show security acl info acl_name [editbuffer] command to see the current ACE listing that is stored in NVRAM (enter the editbuffer keyword to see edit buffer contents). 

Console> (enable) set security acl ip IPACL2 deny host 172.20.3.2 before 2 

IPACL2 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to create an ACE for IPACL2 to redirect IP traffic to port 3/1 from source address 1.2.3.4 with the destination address of 255.255.255.255. Note that the host can be used as an abbreviation for a source and source-wildcard of 0.0.0.0. This ACE also specifies the following:

precedence—IP precedence values that range between 0 for low priority and 7 for high priority.

tos—Type of service levels that range between 0 and 15.

Note The ToS is bits 3 through 6 of the IP ToS byte as defined by RFC-1349. The precedence is bits 0 through 2 as defined by RFC-791. 

Console> (enable) set security acl ip IPACL2 redirect 3/1 ip 1.2.3.4 0.0.0.255 host 
255.255.255.255 precedence 1 tos min-delay

IPACL2 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to display the contents of the edit buffer: 

Console> (enable) show security acl info IPACL2 editbuffer

set security acl ip IPACL2

-----------------------------------------------------------------

1. deny 172.20.3.2

2. redirect 1.2.3.4

Console> (enable)

Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section.

This example shows how to commit the ACEs to NVRAM: 

Console> (enable) commit security acl all

ACL commit in progress.

ACL IPACL2 is committed to hardware.

Console> (enable)

Note For more information about the commit security acl all command, see the "Committing ACLs" section.

Enter the show security acl info IPACL2 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Creating an IPX VACL and Adding ACEs

To create a new IPX VACL and add ACEs, or to add ACEs to an existing IPX VACL, perform this task in privileged mode:

Task
Command

Create a new IPX VACL and add ACEs, or add ACEs to an existing IPX VACL.

set security acl ipx {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask]] [capture] [before editbuffer_index modify editbuffer_index]


This example shows how to create an ACE for IPXACL1 to block all traffic from source network 1234: 

Console> (enable) set security acl ipx IPXACL1 deny any 1234

IPXACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to create an ACE for IPXACL1 to block all traffic with destination address 1.A.3.4: 

Console> (enable) set security acl ipx IPXACL1 deny any any 1.A.3.4

IPXACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to create an ACE for IPXACL1 to redirect broadcast traffic to port 4/1 from source network 3456: 

Console> (enable) set security acl ipx IPXACL1 redirect 4/1 any 3456

IPXACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to display the contents of the edit buffer: 

Console> (enable) show security acl info IPXACL1 editbuffer

set security acl ipx IPXACL1

-----------------------------------------------------------------

1. deny any 1234

2. deny any any 1.A.3.4

3. redirect 4/1 any 3456

Console> (enable)

Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section.

This example shows how to commit the ACEs to NVRAM: 

Console> (enable) commit security acl all

ACL commit in progress.

ACL IPXACL1 is committed to hardware.

Console> (enable)

Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.


This example shows how to create an ACE for IPXACL1 to allow all traffic from source network 1 and insert this ACE before ACE number 2: 

Console> (enable) set security acl ipx IPXACL1 permit any 1 before 2

IPXACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to create an ACE for IPXACL1 to allow traffic from all source addresses: 

Console> (enable) set security acl ipx IPXACL1 permit any any

IPXACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to display the contents of the edit buffer: 

Console> (enable) show security acl info IPXACL1 editbuffer

set security acl ipx IPXACL1

-----------------------------------------------------------------

1. deny any 1234

2. permit any 1

3. deny any any 1.A.3.4

4. redirect 4/1 any 3456

5. permit any any

ACL IPXACL1 Status: Not Committed

Console> (enable)

This example shows how to commit the ACEs to NVRAM: 

Console> (enable) commit security acl all

ACL commit in progress.

ACL IPXACL1 is committed to hardware.

Console> (enable)

Note For more information about the commit security acl all command, see the "Committing ACLs" section.

Enter the show security acl info IPXACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs

Caution IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.

To create a new non-IP version 4/non-IPX VACL and add ACEs, or to add ACEs to an existing non-IP version 4/non-IPX VACL, perform this task in privileged mode:

Task
Command

Create a new non-IP
version 4/non-IPX VACL and add ACEs, or add ACEs to an existing non-IP version 4/non-IPX VACL.

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


This example shows how to create an ACE for MACACL1 to block all traffic from 8-2-3-4-7-A: 

Console> (enable) set security acl mac MACACL1 deny host 8-2-3-4-7-A any

MACACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to create an ACE for MACACL1 to block all traffic to A-B-C-D-1-2: 

Console> (enable) set security acl mac MACACL1 deny any host A-B-C-D-1-2

MACACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to create an ACE for MACACL1 to allow traffic from all sources: 

Console> (enable) set security acl mac MACACL1 permit any any

MACACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to display the contents of the edit buffer: 

Console> (enable) show security acl info MACACL1 editbuffer

set security acl mac MACACL1

-----------------------------------------------------------------

1. deny 8-2-3-4-7-A any

2. deny any A-B-C-D-1-2

3. permit any any

Console> (enable)

Note For more information about the show security acl info command, see the "Showing the Contents of a VACL" section.

This example shows how to commit the ACEs to NVRAM: 

Console> (enable) commit security acl all

ACL commit in progress.

ACL MACACL1 is committed to hardware.

Console> (enable)

Note For more information about the commit security acl all command, see the "Committing ACLs" section.

Enter the show security acl info MACACL1 command to verify that the changes were committed. If this VACL has not been mapped to a VLAN, enter the set security acl map command to map it to a VLAN.

Committing ACLs

You can commit all ACLs or a specific ACL to NVRAM with the commit command. Any committed ACL with no ACEs will be deleted.

To commit an ACL to NVRAM, perform this task in privileged mode:

Task
Command

Commit an ACL to NVRAM.

commit security acl acl_name | all


This example shows how to commit a specific security ACL to NVRAM: 

Console> (enable) commit security acl IPACL2

ACL commit in progress.

ACL IPACL2 is committed to hardware.

Console> (enable)

Mapping a VACL to a VLAN

You can map a VACL to a VLAN with the set security acl map command. Note that there is no default ACL-to-VLAN mapping; all VACLs need to be mapped to a VLAN.

To map a VACL to a VLAN, perform this task in privileged mode:

Task
Command

Map a VACL to a VLAN.

set security acl map acl_name vlans


This example shows how to map IPACL1 to VLAN 10: 

Console> (enable) set security acl map IPACL1 10

ACL IPACL1 mapped to vlan 10

Console> (enable)

This example shows the output if you try to map an ACL that has not been committed: 

Console> (enable) set security acl map IPACL1 10

Commit ACL IPACL1 before mapping.

Console> (enable)

Showing the Contents of a VACL

You can display the contents of a VACL with the show security acl info command.

To show the contents of a VACL, perform this task in privileged mode:

Task
Command

Show the contents of a VACL.

show security acl info {acl_name | all} [editbuffer [editbuffer_index]]


This example shows how to show the contents of a VACL that has been saved in NVRAM: 

Console> (enable) show security acl info IPACL1 

set security acl ip IPACL1

------------------------------------------------------------------

1. deny A

2. deny ip B any

3. deny c

4. permit any

This example shows how to show the contents of a VACL that is still in the edit buffer: 

Console> (enable) show security acl info IPACL1 editbuffer

set security acl ip IPACL1

-----------------------------------------------------------------

1. deny A

2. deny ip B any

3. deny C

4. deny D

5. permit any

Console> (enable)

Showing VACL-to-VLAN Mapping

You can display VACL-to-VLAN mapping for a specified ACL or VLAN with the show security acl map command.

To show VACL-to-VLAN mapping, perform this task in privileged mode:

Task
Command

Show VACL-to-VLAN mapping.

show security acl map {acl_name | vlan | all}


This example shows how to show the mappings of a specific VACL: 

Console> (enable) show security acl map IPACL1

ACL IPACL1 is mapped to VLANs:

1

Console> (enable)

This example shows how to show the mappings of a specific VLAN: 

Console> (enable) show security acl map 1

VLAN 1 is mapped to IP ACL IPACL1.

VLAN 1 is mapped to IPX ACL IPXACL1.

VLAN 1 is mapped to MAC ACL MACACL1.

Console> (enable)

Clearing the Edit Buffer

You can clear changes made to the ACL edit buffer since its last save with the rollback command. The ACL is rolled back to its state at the last commit command.

To clear the ACL edit buffer, perform this task in privileged mode:

Task
Command

Clear the ACL edit buffer.

rollback security acl {acl_name | all | adjacency}


This example shows how to clear the edit buffer of a specific security ACL: 

Console> (enable) rollback security acl IPACL1

Editbuffer for `IPACL1' rolled back to last commit state.

Console> (enable)

Removing ACEs from Security ACLs

You can remove a specific ACE or all ACEs from an ACL with the clear security acl command. This command deletes the ACEs from the edit buffer.

To remove an ACE from a security ACL, perform this task in privileged mode:

Task
Command

Remove an ACE from a security ACL.

clear security acl all
clear security acl acl_name
clear security acl acl_name editbuffer_index


This example shows how to remove ACEs from all the ACLs: 

Console> (enable) clear security acl all

All editbuffers modified. Use `commit' command to apply changes.

Console> (enable)

This example shows how to remove a specific ACE from a specific ACL: 

Console> (enable) clear security acl IPACL1 2

IPACL1 editbuffer modified. Use `commit' command to apply changes.

Console> (enable)

Clearing the Security ACL Map

You can remove a VACL-to-VLAN mapping with the clear security acl map command.

To clear the security ACL map, perform this task in privileged mode:

Task
Command

Clear the security ACL map.

clear security acl map all
clear security acl map acl_name
clear security acl map vlan
clear security acl map acl_name vlan


This example shows how to clear all VACL-to-VLAN mappings: 

Console> (enable) clear security acl map all

Map deletion in progress.


Successfully cleared mapping between ACL ip1 and VLAN 10.


Successfully cleared mapping between ACL ipx1 and VLAN 10.


.... display text omitted

Console> (enable)

This example shows how to clear the mapping for a specific VACL on a specific VLAN: 

Console> (enable) clear security acl map IPACL1 50

Map deletion in progress.


Successfully cleared mapping between ACL ipacl1 and VLAN 50.

Console> (enable)

Displaying VACL Management Information

You can display VACL management information with the show security acl resource-usage command.

To display VACL management information, perform this task in privileged mode:

Task
Command

Display VACL management information.

show security acl resource-usage


This example shows how to display VACL management information: 

Console> (enable) show security acl resource-usage

ACL resource usage:

ACL storage (mask/value): 0.29%/0.10%

ACL to switch interface mapping table: 0.39%

ACL layer 4 port operators: 0.0%

Console (enable)

Capturing Traffic Flows on Specified Ports

You can use the capture option in the set security acl (ip, ipx, and mac) commands to specify that packets that match the specified flows are captured and transmitted out of capture ports. You can specify capture ports using the set security acl capture-ports mod/ports... command. When you use the capture option, the packets that match the specified flows are captured in parallel and transmitted out of the capture ports. Capture ports do not send out all the captured traffic; they send out only the traffic belonging to the VLANs of the captured port.

Configuration Guidelines

This section describes the guidelines for configuring capture ports:

The capture port cannot be part of an EtherChannel.

The capture port cannot be an ATM port.

The capture port must be in the spanning tree forwarding state for the VLAN.

You can specify any number of switch ports as capture ports. Capture ports are added to a capture port list, and the configuration is saved in NVRAM.

Only permit traffic is captured. If a packet is dropped due to an ACL, the packet cannot be captured.

Capture ports do not transmit out all captured traffic. They transmit only traffic belonging to the capture port VLAN. To capture traffic going to many VLANs, the capture port should be a trunk carrying the required VLANs.

For routed traffic, capture ports transmit packets only after they are Layer 3 switched; packets are transmitted out of a port only if the output VLAN of the Layer 3-switched flow is the same as the capture port VLAN. For example, assume that you have flows from VLAN 10 to VLAN 20, you add a VACL (on one of the VLANs) permitting these flows, and you specify a capture port. This traffic gets transmitted out of the capture port only if it belongs to VLAN 20 or if the port is a trunk carrying VLAN 20. If the capture port is in VLAN 10, it does not transmit any traffic. Whether a capture port transmits the traffic or not is independent of the VLAN on which you placed the VACL.

If you want to capture traffic from one VLAN going to many VLANs, the capture port has to be a trunk carrying all output VLANs.

For bridged traffic, because all the traffic remains in the same VLAN, ensure that the capture port is in the same VLAN as the bridged traffic.

To capture traffic, you can configure one ACL and map it to a group of VLANs or you can configure a number of ACLs and map each to one VLAN. Configure as many ACEs per ACL as necessary to capture the desired traffic.

To capture traffic flows, perform these steps:

Note An IP VACL is used in this description; you can configure IPX and non-IP
version 4/non-IPX VACLs using the same basic steps.

Step 1 Enter the set security acl ip command to create a VACL and add ACEs; include the capture option.

Step 2 Enter the commit command to commit the VACL and its associated ACEs to NVRAM.

Step 3 Enter the set security acl map command to map the VACL to a VLAN.

Step 4 Enter the set security acl capture-ports mod/ports... command to specify capture ports.

Configuration Examples

This example shows how to create an ACE for my_cap and specify that the allowed traffic is captured: 

Console> (enable) set security acl ip my_cap permit ip host 60.1.1.1 host 60.1.1.98 
capture 

my_cap editbuffer modified. Use 'commit' command to apply changes.

Console> (enable)

This example shows how to commit the my_cap ACL to NVRAM: 

Console> (enable) commit security acl my_cap

ACL commit in progress.


ACL my_cap successfully committed.

Console> (enable)

This example shows how to map my_cap to VLAN 10: 

Console> (enable) set security acl map my_cap 10

Mapping in progress.


VLAN 10 successfully mapped to ACL my_cap.

The old mapping with ACL captest was replaced with the new one.

Console> (enable)

This example shows how to specify capture ports: 

Console> (enable) set security acl capture-ports 1/1-2,2/1-2

Successfully set the following ports to capture ACL traffic:

1/1-2,2/1-2

Console> (enable)

This example shows how to display ports that have been specified as capture ports: 

Console> (enable) show security acl capture-ports 

ACL Capture Ports: 1/1-2,2/1-2

Console> (enable)

This example shows how to clear capture ports: 

Console> (enable) clear security acl capture-ports 1/1,2/1

Successfully cleared the following ports:

1/1,2/1

Console> (enable)

This example shows that ports 1/1 and 2/1 were cleared: 

Console> (enable) show security acl capture-ports 

ACL Capture Ports:1/2,2/2

Console> (enable)

Configuring VACL Logging

Note This feature is only available with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2).

You can log messages about denied packets for the standard IP access list by entering the log keyword for deny VACLs. Any packet that matches the access list causes an informational logging message about the packet to be sent to the console. The level of messages that is logged to the console is controlled by the set logging level acl severity command.

The first packet that triggers the access list causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the flow pattern and the number of packets that are received in the past 5 minutes.

By default, system logging messages are sent to the console. You can configure the switch to send system logging messages to a syslog server. For information on configuring system message logging, see Chapter 27, "Configuring System Message Logging."

Configuration Guidelines

This section describes the guidelines for configuring VACL logging:

Log only deny traffic from IP VACLs.

You must set the logging level to 6 (information) or 7 (debugging).

To enable VACL logging, perform these steps:

Step 1 Enter the set logging level acl severity command to set the logging level to 6 (information) or 7 (debugging).

Step 2 (Optional) Enter the set security acl log maxflow max_number to allocate a new log table that is based on the maximum flow pattern number to store logged packet information. If successful, the new buffer replaces the old one and all flows in the old table are cleared. If either memory is not enough or the maximum number is over the limit, an error message is displayed and the command is dropped. Valid values are from 256 to 2048; the default value is 500.

Note If the maximum flow pattern is over the max_num limit, an error message is displayed and the command is dropped. Messages are not logged for these packets.

Step 3 (Optional) Enter the set security acl log ratelimit pps to set the redirect rate in pps (packet per second). If the configuration is over the range, the command is discarded and the range is displayed on the console. Valid values are from 500 to 5000; the default value is 2500.

Note If the redirect rate is over the pps range, the command is dropped and the range is displayed on the console. Messages are not logged for these packets.

Step 4 Enter the set security acl ip acl_name deny log command to create an IP VACL and enable logging.

Step 5 Enter the commit security acl acl_name command to commit the VACL to NVRAM.

Step 6 Enter the set security acl map acl_name vlan command to map the VACL to a VLAN.

Configuration Examples

This example shows how to set the logging level: 

Console> (enable) set logging level acl 6

System logging facility <acl> for this session set to severity 6(information)

This example shows how to allocate a new log table that is based on the maximum flow: 

Console> (enable) set security acl log maxflow 512

Set VACL Log table to 512 flow patterns.

This example shows how to set the redirect rate: 

Console> (enable) set security acl log ratelimit 1000

Set Redirect Rate to 1000 pps.

This example shows how to display the VACL log configuration: 

Console> (enable) show security acl log config

VACL LOG Configration

-------------------------------------------------------------

Max Flow Pattern    : 512

Redirect Rate (pps) : 1000

This example shows how to create an ACE for my_cap and specify that denied traffic be logged: 

Console> (enable) set security acl ip my_cap deny ip host 21.0.0.1 log 

my_cap editbuffer modified. Use 'commit' command to apply changes.

Console> (enable)

This example shows how to commit the my_cap ACL to NVRAM: 

Console> (enable) commit security acl my_cap

ACL commit in progress.


ACL my_cap successfully committed.

Console> (enable)

This example shows how to map the VACL to a VLAN: 

Console> (enable) set security acl map my_cap 1

Mapping in progress.

ACL my_cap successfully mapped to VLAN 1.

:

:

2000 Jul 19 01:14:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 
255.255.255.255(3000), 1 packet

2000 Jul 19 01:19:06 %ACL-6-VACLLOG:VLAN 1(Port 2/1) denied ip tcp 21.0.0.1(2000) -> 
255.255.255.255(3000), 7 packets

2000 Jul 19 01:25:06 %ACL-6-VACLLOG:VLAN 1(Port 2/2) denied ip tcp 21.0.0.1(2000) -> 
255.255.255.255(3000), 1 packets

This example shows how to display the flow information in the log table: 

Console> (enable) show security acl log flow ip any any

Total matched entry number = 1

Entry No. #1, IP Packet

----------------------------------------

Vlan Number            : 1

Mod/Port Number        : 2/1

Source IP address      : 21.0.0.1

Destination IP address : 255.255.255.255

TCP Source port        : 2000

TCP Destination port   : 3000

Received Packet Number : 10

This example shows how to clear the log table: 

Console> (enable) clear security acl log flow

Log table is cleared.

Console> (enable)

Configuring and Storing VACLs and QoS ACLs in Flash Memory

This section describes how to configure and store VACLs and QoS ACLs in Flash memory instead of NVRAM. Prior to this feature, all configuration information was stored in NVRAM. With the addition of QoS and security ACLs (VACLs), NVRAM could become full. In addition to limiting ACL configuration, filling up NVRAM can cause problems when you attempt to upgrade from one software version to another.

Note In most cases, the 512-KB NVRAM is sufficient for storing VACLs and QoS ACLs; therefore, all ACL configurations are stored in NVRAM by default.

This section describes the following tasks:

Automatically Moving the VACL and QoS ACL Configuration to Flash Memory

Manually Moving the VACL and QoS ACL Configuration to Flash Memory

Running with the VACL and QoS ACL Configuration in Flash Memory

Moving the VACL and QoS ACL Configuration Back to NVRAM

Redundancy Synchronization Support

Interacting with High Availability

Note See Chapter 23, "Modifying the Switch Boot Configuration," for additional information on using the commands described in this section.

Automatically Moving the VACL and QoS ACL Configuration to Flash Memory

Moving the VACL and QoS ACL configuration to Flash memory is done automatically only during system software upgrades and then only if there is not sufficient NVRAM for the upgrade. If there is not enough NVRAM to perform a software upgrade, the QoS ACL and VACL configuration is deleted from NVRAM and the ACL configuration is automatically moved to Flash memory. When this occurs, these syslog messages display: 

1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH:ACL configuration moved to bootflash:switchapp.cfg

1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration 
deleted from NVRAM.

The VACL and QoS ACL configuration has now been successfully moved to Flash memory. During this process, the system also does the following:

Sets the CONFIG_FILE variable to bootflash:switchapp.cfg

Enables the set boot config-register auto-config command recurring, append, and sync options

If an error occurs during the upgrade, these syslog messages display: 

1999 Sep 01 17:00:00 %SYS-1-CFG_FLASH_ERR:Failed to write ACL configuration to 
bootflash:switchapp.cfg

1999 Sep 01 17:00:00 %SYS-1-CFG_ACL_DEALLOC:NVRAM full. Qos/Security ACL configuration 
deleted from NVRAM.

If you receive these error messages, the VACL and QoS ACL configuration is stored in DRAM only. You need to make more space available in Flash memory and then save the configuration to Flash memory (as described in the "Moving the VACL and QoS ACL Configuration Back to NVRAM" section). Alternatively, you might try to delete unneeded VACLs and QoS ACLs and save the ACL configuration to NVRAM using the set config acl nvram command.

Manually Moving the VACL and QoS ACL Configuration to Flash Memory

If your VACL and QoS ACL configuration requirements require more memory than the 512-KB NVRAM, you can manually move the VACL and QoS ACL configuration to Flash memory as follows:

Step 1 Specify the VACL and QoS ACL auto-config file to use to configure the switch at startup. 

Console> (enable) set boot auto-config bootflash:switchapp.cfg

CONFIG_FILE variable = bootflash:switchapp.cfg

Console> (enable)

Step 2 Specify if the switch should retain (recurring keyword) or clear (non-recurring keyword) the contents of the CONFIG_FILE environment variable after a reset or power cycle. 

Console> (enable) set boot config-register auto-config recurring 

Configuration register is 0x12F

ignore-config: disabled

auto-config: recurring, overwrite, sync disabled

console baud: 9600

boot: image specified by the boot system commands

Console> (enable)

Step 3 Specify if the auto-config file should be used to overwrite the NVRAM configuration or be appended to what is currently in NVRAM. 

Console> (enable) set boot config-register auto-config append

Configuration register is 0x12F

ignore-config: disabled

auto-config: recurring, append, sync disabled

console baud: 9600

boot: image specified by the boot system commands

Console> (enable)

Step 4 Specify if synchronization should be enabled or disabled. With synchronization enabled, the auto-config file(s) synchronize automatically to the standby supervisor engine. 

Console> (enable) set boot config-register auto-config sync enable

Configuration register is 0x12F

ignore-config: disabled

auto-config: recurring, append, sync enabled

console baud: 9600

boot: image specified by the boot system commands

Console> (enable)

Step 5 Save committed VACL and QoS ACL configuration changes to the auto-config file. 

Console> (enable) copy acl-config bootflash:switchapp.cfg

Upload ACL configuration to bootflash:switchapp.cfg

2843644 bytes available on device bootflash, proceed (y/n) [n]? y

ACL configuration has been copied successfully.

Console> (enable)

Step 6 Delete the VACL and QoS ACL configuration from NVRAM. 

Console> (enable) clear config acl nvram

ACL configuration has been deleted from NVRAM.

Warning: Use the copy commands to save the ACL configuration to a file and

the 'set boot config-register auto-config' commands to configure the

auto-config feature.

Note VACL and QoS ACL mapping commands (set qos acl map and set security acl map) are also stored in the auto-config file. If the VACL and QoS ACL configuration is in Flash memory and you use the mapping commands, you need to enter the copy command to save the configuration to Flash memory.

At this point, the VACL and QoS ACL configuration is no longer in NVRAM, it is saved in the auto-config file bootflash:switchapp.cfg and will be appended to the NVRAM configuration at system startup.

After making any additional changes to the VACL and QoS ACL configuration and committing those changes, you must enter the copy acl-config bootflash:switchapp.cfg command to save the configuration to the auto-config file.

The auto-config file is synchronized automatically to the standby supervisor engine because synchronization was enabled.

If you cannot write the VACL and QoS ACL configuration to Flash memory, it is removed from NVRAM. At this point, the VACL and QoS ACL configuration exists in DRAM only. A system reset for any reason can cause the VACL and QoS ACL configuration to revert to the default.

Note If you cannot write the configuration to Flash memory, you must copy the configuration to a file, make additional room available in Flash memory, and then try to write the VACL and QoS ACL configuration to Flash memory.

At system startup, if the VACL and QoS ACL configuration location is set to Flash memory but either the CONFIG_FILE variable is not set or none of the files specified exist, the following syslog message displays: 

1999 Sep 01 17:00:00 %SYS-0-CFG_FLASH_ERR:ACL configuration set to flash but no ACL 
configuration file found.

Running with the VACL and QoS ACL Configuration in Flash Memory

After you move the VACL and QoS ACL configuration to Flash memory, the QoS ACLs and VACL commit operations are no longer written to NVRAM. You have to copy the configuration to the Flash file manually as follows:

If you use the set boot config-register auto-config append option, the configuration from the auto-config file is appended to the NVRAM configuration. You then only have to copy the VACL and QoS ACL configuration to this file after commit operations.

If you do not use the set boot config-register auto-config append option, the auto-config feature clears the configuration before executing the auto-config file at system startup. Any changes made in NVRAM are lost. You should always copy your entire configuration (not just the VACL and QoS ACL configuration) to the auto-config file when you want to save it.

Moving the VACL and QoS ACL Configuration Back to NVRAM

This example shows how to move the VACL and QoS ACL configuration back to NVRAM: 

Console> (enable) set config acl nvram

ACL configuration copied to NVRAM.

Console> (enable)


Console> (enable) clear boot auto-config

CONFIG_FILE variable =

Console> (enable)

Redundancy Synchronization Support

The set boot commands contain an option to synchronize the auto-config file automatically.

When you enable the auto-config option, if the VACL and QoS ACL configuration resides in Flash memory, the auto-config file on the active supervisor engine is automatically synchronized to the standby supervisor engine whenever a change is made. For example, deleting the auto-config file on the active supervisor engine causes the file to be deleted on the standby supervisor engine. Similarly, if you insert a new standby supervisor engine, the active supervisor engine automatically synchronizes the auto-config file.

Interacting with High Availability

After a supervisor engine switchover, the VACL and QoS ACL configuration on the standby supervisor engine is consistent with what was on the active supervisor engine, just as in the case where the VACL and QoS ACL configuration is saved in NVRAM. The only difference is that the data is stored in DRAM, but the functional behavior of a switchover does not change.

Configuring Policy-Based Forwarding

Policy-based forwarding (PBF) is an extension of VACL redirection supported by the PFC2. PBF is particularly beneficial in any flat Layer 2 network that is used for transparent bridging where a limited amount of inter-VLAN communication is required and in server farms or demilitarized zones (DMZs) where bridging devices (like server load-balancing appliances) are involved or where firewall load balancing is performed.

Note Software release 7.5(1) and later releases have PBF enhancements that simplify the process of setting and committing the security ACLs and adjacency information. See the "Enhancements to PBF Configuration" section for details.

Note PBF does not support IPX and multicast traffic.

Note PBF does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic; it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.

Note PBF may require some configuration on attached hosts. When a router is not present in the network, ARP table entries have to be statically added on each host participating in PBF.

PBF is described in these sections:

Understanding How PBF Works

PBF Hardware and Software Requirements

Configuring PBF

PBF Configuration Example

Enhancements to PBF Configuration

Understanding How PBF Works

PBF configuration involves these tasks:

Enabling PBF and specifying a MAC address for the PFC2

Configuring VACLs for PBF

Configuring attached hosts for PBF

Note Because VACLs are applied to incoming and outgoing traffic, you must configure all VACLs carefully when using PBF. If the VACLs are not specific, a rewritten packet could hit a deny statement in the outgoing VACL and get dropped.

When a router is not present in the network, you need to specify static ARP entries on participating hosts.

PBF Hardware and Software Requirements

PBF hardware and software requirements are as follows:

PBF requires Supervisor Engine 2 with the PFC2 (WS-X6K-S2-PFC2).

PBF is not supported with an operating (booted) Multilayer Switch Feature Card 2 (MSFC2) in the Catalyst 6500 series switch that is being used for PBF.

If you try to configure PBF with an MSFC2 present and booted, the system responds with a message indicating the feature is not supported with an MSFC2.

If an MSFC2 is present but has not booted, you can configure PBF.

PBF requires supervisor engine software release 6.3(1) or later releases.

Configuring PBF

This section describes the guidelines and the configuration examples for PBF. The configuration examples use the example configuration shown in Figure 16-8. The Catalyst 6500 series switch redirects all the traffic coming from Host A on VLAN 10 to Host B on VLAN 11 and redirects traffic from Host B to Host A. This section contains the following example procedures:

Enabling PBF and Specifying a MAC Address for the PFC2

Configuring VACLs for PBF

Displaying PBF Information

Clearing Entries in PBF VACLs

Rolling Back Adjacency Table Entries in the Edit Buffer

Configuring Hosts for PBF

Figure 16-8 Policy-Based Forwarding

Enabling PBF and Specifying a MAC Address for the PFC2

Note The MAC address can be a default or user-specified MAC address. The default MAC address is taken from a MAC address PROM on the Catalyst 6500 series switch chassis. When specifying a MAC address using the set pbf mac command, ensure that the MAC address is unique and not already being used on any interfaces.

We recommend that you use the default MAC address that is provided by the MAC address PROM. When you specify your own MAC address using the set pbf mac command, if the MAC address is a duplicate of a MAC address already in use, packets might get dropped.

To display the PBF status and the MAC address, perform this task in privileged mode:

Task
Command

Display the PBF status and the MAC address.

show pbf


To enable PBF, perform one of these tasks in privileged mode:

Task
Command

Enable PBF with a default MAC address.

set pbf

Enable PBF with a specific MAC address.

set pbf [mac mac_address]


This example shows how to check the PBF status and the MAC address, enable PBF with a default MAC address, and verify the change: 

Console> (enable) show pbf

Pbf status    Mac address

-----------   ------------------

not set       00-00-00-00-00-00

Console> (enable)

Console> (enable) set pbf

PBF committed successfully.

Operation successful.

Console> (enable)

Console> (enable) show pbf

Pbf status    Mac address

-----------   ------------------

ok            00-01-64-61-39-c2

Console> (enable)

This example shows how to enable PBF with a specific MAC address: 

Console> (enable) set pbf mac 00-11-11-11-11-11

PBF committed successfully.

Operation successful.

Console> (enable)


Console> (enable) show pbf

Pbf status    Mac address

-----------   ------------------

ok            00-11-11-11-11-11

Console> (enable)

To disable PBF and clear the PBF MAC address, perform this task in privileged mode:

Task
Command

Disable PBF and clear the PBF MAC address.

clear pbf


This example shows how to clear the PBF MAC address: 

Console> (enable) clear pbf

PBF cleared.

Console> (enable) 


Console> (enable) show pbf

Pbf status    Mac address

-----------   ------------------

not set       00-00-00-00-00-00

Console> (enable)

Configuring VACLs for PBF

Note Enter the set security acl adjacency command to specify the rewrite information in the adjacency table that causes the packet header to be rewritten (destination VLAN and source and destination MAC addresses) and forwarded to the destination VLAN.

The source MAC address is optional. If you do not specify the source MAC address, the system defaults to the PBF MAC address.

Note You can configure a maximum of 256 adjacency table entries for a VLAN. The maximum number of adjacency table entries is 1023.

Note To enable jumbo frame forwarding using PBF, enter the mtu keyword in the set security acl adjacency command.

1. Specify the adjacency table entry.

2. Specify the redirect ACE in the PBF VACL that is using the adjacency table entry.

3. Commit the adjacency table entry.

4. Commit the PBF VACL.

5. Map the PBF VACL to a single VLAN or multiple VLANs.

Note You can combine steps 3 and 4 by entering the commit security acl all command.

Note The same adjacency table entry can be used by more than one redirect ACE.

To specify an adjacency table entry for the PFC2, perform this task in privileged mode:

Task
Command

Specify an adjacency table entry for the PFC2.

set security acl adjacency adjacency_name dest_vlan dest_mac [[source_mac] | [source_mac mtu mtu_size] | [ mtu mtu_size]]


This example shows how to specify the adjacency table entry: 

Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B 

ADJ1 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable)

This example shows how to create the PBF VACL for VLAN 10 (shown in Figure 16-8): 

Console> (enable) set security acl adjacency ADJ1 11 00-00-00-00-00-0B

ADJ1 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable) set security acl ip IPACL1 redirect ADJ1 ip host 10.0.0.1 host 11.0.0.1

IPACL1 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable) set security acl ip IPACL1 permit any

IPACL1 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable) commit security acl adjacency

Commit operation in progress.


Adjacency successfully committed.

Console> (enable) commit security acl IPACL1

ACL commit in progress.


ACL 'IPACL1' successfully committed. 

Console> (enable) set security acl map IPACL1 10

Mapping in progress.


ACL IPACL1 successfully mapped to VLAN 10.

Console> (enable)

This example shows how to create the PBF VACL for VLAN 11 (see Figure 16-8): 

Console> (enable) set security acl adjacency ADJ2 10 00-00-00-00-00-0A

ADJ2 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable) set security acl ip IPACL2 redirect ADJ2 ip host 11.0.0.1 host 10.0.0.1

IPACL2 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable) set security acl ip IPACL2 permit any

IPACL2 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable) commit security acl adjacency

Commit operation in progress.


Adjacency successfully committed.

Console> (enable) commit security acl IPACL2 

ACL commit in progress.


ACL 'IPACL2' successfully committed. 

Console> (enable) set security acl map IPACL2 11

Mapping in progress.


ACL IPACL2 successfully mapped to VLAN 11. 

Console> (enable)

Displaying PBF Information

This section describes how to display PBF-related information.

To display adjacency table entries, perform these tasks in normal mode:

Task
Command

Display the adjacency table entries.

show security acl info [acl_name | adjacency | all] [editbuffer [editbuffer_index]]

Display the PBF adjacency information for all adjacency table entries or a specific adjacency table entry.

show pbf adjacency [adj name]

Display the PBF statistics for all adjacency table entries or a specific adjacency table entry.

show pbf statistics [adj name]

Display the adjacency-to-VACL mappings for all adjacency table entries or a specific adjacency table entry.

show pbf map [adj name]


This example shows how to display the adjacency table entries: 

Console> show security acl info adjacency

set security acl adjacency ADJ1

---------------------------------------------------

1. 11 00-00-00-00-00-0b


set security acl adjacency ADJ2

---------------------------------------------------


1. 10 00-00-00-00-00-0a 

Console> show pbf adjacency

Index    DstVlan   DstMac             SrcMac             Name

------------------------------------------------------------------

1        11      00-00-00-00-00-0a  00-00-00-00-00-0b     ADJ1

2        10      00-00-00-00-00-0a  00-00-00-00-00-0b     ADJ2

Console> show pbf statistics

Index    DstVlan   DstMac             SrcMac          HitCount(hex)  Name

-------------------------------------------------------------------------

1        11      00-00-00-00-00-0a  00-00-00-00-00-0b  0x00000000    ADJ1

2        10      00-00-00-00-00-0a  00-00-00-00-00-0b  0x00000000    ADJ2

Console> show pbf map

Adjacency            ACL

------------------  --------------------

ADJ1                IPACL1


ADJ2                IPACL2

Console> (enable)

Clearing Entries in PBF VACLs

You cannot clear the adjacency table entry before the redirect ACE. You should clear the redirect ACE and the adjacency table entry in PBF VACLs in the following order:

1. Clear the redirect ACE.

2. Commit the PBF VACL.

3. Clear the adjacency table entry.

4. Commit the adjacency table entry.

To clear a PBF adjacency table entry, perform this task in privileged mode:

Task
Command

Clear a PBF adjacency table entry.

clear security acl adjacency adj name


This example shows how to clear a PBF adjacency table entry: 

Console> (enable) clear security acl adjacency ADJ1

Adj is in use by a VACL, clear the VACL first then clear adj.

Console> (enable) clear security acl IPACL1

IPACL1 editbuffer modified. Use 'commit' command to save changes.

Console> (enable) commit security acl IPACL1

ACL commit in progress.


ACL 'IPACL1' successfully deleted.

Console> (enable) clear security acl adjacency ADJ1

ADJ1 editbuffer modified. Use 'commit' command to apply changes.

Console> (enable) commit security acl adjacency

Console> (enable) Adjacency committed successfully

Commit operation in progress.


Console> (enable)

Rolling Back Adjacency Table Entries in the Edit Buffer

You can clear adjacency table entries in the edit buffer that were made prior to the last commit by using the rollback command. The adjacency table entries are rolled back to their state at the last commit.

To roll back the adjacency table entries in the edit buffer, perform this task in privileged mode:

Task
Command

Roll back the adjacency table entries in the edit buffer.

rollback security acl {acl_name | all | adjacency}


This example shows how to roll back the adjacency table entries in the edit buffer: 

Console> (enable) rollback security acl adjacency

Editbuffer for adjacency info rolled back to last commit state.

Console> (enable)

Configuring Hosts for PBF

This section describes the host configuration procedures for the following platforms and operating systems:

Linux

Sun Workstation

MS-Windows/NT/2000 Hosts

Note When a router is not present in the network, you need to specify the static ARP entries on the participating hosts. The host's ARP table maps the IP address of the host device to the MAC address of the PFC2.

Note The IP addresses in the following examples are the IP addresses used in Figure 16-8. These IP addresses were randomly selected; make sure that the IP addresses you use in your network configuration are unique.

Linux

These examples show how to configure the ARP table for hosts running the Linux operating system.

This example shows how to configure Host A: 

arp -s 11.0.0.1 00:11:11:11:11:11 -i eth0

route add 11.0.0.1 eth0


arp -s 10.0.0.1 00:11:11:11:11:11 -i eth1

route add 10.0.0.1 eth1

Sun Workstation

When using PBF to enable forwarding between two VLANs with Sun Workstation end hosts, note that there are limitations you must take into account when configuring the hosts:

PBF Limitations

PBF does not support ARP; you must set a static ARP entry on each Sun Workstation that participates in PBF. Each static ARP entry must point to the PBF MAC address that is mapped to the destination host.

You must also configure the Sun Workstation to have a gateway. If the Sun Workstation needs to communicate to a different network, you must define the host routes for all networks that go through PBF, and if required, you must define a default gateway.

For example, if host 10.0.0.1 on VLAN 40 needs to communicate with host 11.0.0.1 on VLAN 50, and assuming the PBF MAC address is 00-11-11-11-11-11, the static ARP entry would be as follows: 

arp -s 11.0.0.1 00:11:11:11:11:11

where 00-11-11-11-11-11 is the PBF MAC address, and 11.0.0.1 is the IP address of the destination host.

Sun Workstation Limitations

Sun Workstations do not allow you to set a static ARP entry if the destination is part of a different network (11.x.x.x in this example). This is a limitation of ARP in all Sun Workstations. To overcome this problem, you need to define a dummy gateway, which is a host route, and set a static ARP entry pointing to the PBF MAC address that is mapped to the destination host.

Using the example above, you need to first define a dummy static ARP entry for the gateway. The IP address of the gateway is one of the host addresses within that network as follows: 

(A)	Kubera# arp -s 10.0.0.2  00:11:11:11:11:11

(B)	Kubera# route add host  11.0.0.1 10.0.0.2

You need to set only one dummy ARP entry for PBF-related traffic and the host routes for each destination host.

If the number of hosts increase, you need to set the host route entries for each destination host. You can set up a startup file in /etc/rc2.d that has host route entries for each destination host. Setting up this file prevents you from having to key in all the host route entries after the Sun Workstation is reset or rebooted.

Entries in the file should use this form: 

Route add host <destination Host IP Address> <dummy gateway IP Address>

You need to use the file that contains the host route entries as one of the startup scripts. You can create the file in a directory that has full permissions for the root/superuser, set a soft link pointing to that file in /etc/rc2.d, or create the file in the /etc/rc2.d directory itself.

MS-Windows/NT/2000 Hosts

Similar to the Sun Workstations setup, you must also set the static ARP entries on Windows-based PCs. For Windows-based PCs, you do not need to set up any dummy gateways for switching between VLANs with PBF.

This example shows how to configure the static ARP entries in Windows-based platforms: 

C:\> arp -s 11.0.0.1 00-11-11-11-11-11

In this example, 00-11-11-11-11-11 is the PBF MAC address and 11.0.0.1 is the IP address of the destination host.

If you need to configure more hosts, you can create a batch file with ARP entries to each destination host and specify that Windows use this file at startup.

PBF Configuration Example

This section provides the example configurations to enable PBF between hosts on VLAN 1 and hosts on VLAN 2 (see Figure 16-9).

Figure 16-9 Policy-Based Forwarding Configuration Example

This example shows the switch configuration file that was created to enable PBF between the hosts on VLAN 1 and VLAN 2. Only the first four hosts from each VLAN are shown in the example (44.0.0.1 through 44.0.0.4 and 43.0.0.1 through 43.0.0.4). 

#security ACLs

clear security acl all

#adj set

set security acl adjacency a_1 2 00-0a-0a-0a-0a-0a 

set security acl adjacency a_2 2 00-0a-0a-0a-0a-0b 

set security acl adjacency a_3 2 00-0a-0a-0a-0a-0c 

set security acl adjacency a_4 2 00-0a-0a-0a-0a-0d 

set security acl adjacency b_1 1 00-20-20-20-20-20 

set security acl adjacency b_2 1 00-20-20-20-20-21 

set security acl adjacency b_3 1 00-20-20-20-20-22 

set security acl adjacency b_4 1 00-20-20-20-20-23 

#ip1

set security acl ip ip1 permit arp 

set security acl ip ip1 redirect  a_1  ip host 44.0.0.1 host 43.0.0.1 

set security acl ip ip1 redirect  a_2  ip host 44.0.0.2 host 43.0.0.2 

set security acl ip ip1 redirect  a_3  ip host 44.0.0.3 host 43.0.0.3 

set security acl ip ip1 redirect  a_4  ip host 44.0.0.4 host 43.0.0.4 

set security acl ip ip1 permit ip any any 

#ip2

set security acl ip ip2 permit arp 

set security acl ip ip2 redirect  b_1  ip host 43.0.0.1 host 44.0.0.1 

set security acl ip ip2 redirect  b_2  ip host 43.0.0.2 host 44.0.0.2 

set security acl ip ip2 redirect  b_3  ip host 43.0.0.3 host 44.0.0.3 

set security acl ip ip2 redirect  b_4  ip host 43.0.0.4 host 44.0.0.4 

set security acl ip ip2 permit ip any any 

#pbf set

set pbf mac 00-11-22-33-44-55

#

commit security acl all

set security acl map ip1 1

set security acl map ip2 2

This example shows how to display the MAC addresses that were learned by the switch for port 6/17 on VLAN 1: 

Console> (enable) show cam dynamic 6/17

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.

X = Port Security Entry $ = Dot1x Security Entry


VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type] 

----  ------------------    -----  -------------------------------------------

1     00-20-20-20-20-23             6/17 [ALL]

1     00-20-20-20-20-22             6/17 [ALL]

1     00-20-20-20-20-21             6/17 [ALL]

1     00-20-20-20-20-20             6/17 [ALL]

1     00-20-20-20-20-27             6/17 [ALL]

1     00-20-20-20-20-26             6/17 [ALL]

1     00-20-20-20-20-25             6/17 [ALL]

1     00-20-20-20-20-24             6/17 [ALL]

1     00-20-20-20-20-2b             6/17 [ALL]

1     00-20-20-20-20-2a             6/17 [ALL]

1     00-20-20-20-20-29             6/17 [ALL]

1     00-20-20-20-20-28             6/17 [ALL]

1     00-20-20-20-20-2f             6/17 [ALL]

1     00-20-20-20-20-2e             6/17 [ALL]

1     00-20-20-20-20-2d             6/17 [ALL]

1     00-20-20-20-20-2c             6/17 [ALL]

Total Matching CAM Entries Displayed for 6/17 = 16 for port 6/9, vlan 2

This example shows how to display the MAC addresses that were learned by the switch for port 6/9 on VLAN 2: 

Console> (enable) show cam dynamic 6/9 

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.

X = Port Security Entry $ = Dot1x Security Entry


VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type] 

----  ------------------    -----  -------------------------------------------

2     00-0a-0a-0a-0a-0e             6/9 [ALL]

2     00-0a-0a-0a-0a-0f             6/9 [ALL]

2     00-0a-0a-0a-0a-0c             6/9 [ALL]

2     00-0a-0a-0a-0a-0d             6/9 [ALL]

2     00-0a-0a-0a-0a-0a             6/9 [ALL]

2     00-0a-0a-0a-0a-0b             6/9 [ALL]

2     00-0a-0a-0a-0a-19             6/9 [ALL]

2     00-0a-0a-0a-0a-18             6/9 [ALL]

2     00-0a-0a-0a-0a-17             6/9 [ALL]

2     00-0a-0a-0a-0a-16             6/9 [ALL]

2     00-0a-0a-0a-0a-15             6/9 [ALL]

2     00-0a-0a-0a-0a-14             6/9 [ALL]

2     00-0a-0a-0a-0a-13             6/9 [ALL]

2     00-0a-0a-0a-0a-12             6/9 [ALL]

2     00-0a-0a-0a-0a-11             6/9 [ALL]

2     00-0a-0a-0a-0a-10             6/9 [ALL]

Total Matching CAM Entries Displayed for 6/9 = 16

This example shows how to display the PBF status and the PFC2 MAC address: 

Console> (enable) show pbf 

Pbf status    Mac address

-----------   ------------------

ok            00-11-22-33-44-55

This example shows how to display the PBF statistics: 

Console> (enable) show pbf statistics 

Index    DstVlan   DstMac             SrcMac          HitCount(hex)  Name

-------------------------------------------------------------------------

1         2      00-0a-0a-0a-0a-0a  00-11-22-33-44-55  0x00026d7c    a_1

2         2      00-0a-0a-0a-0a-0b  00-11-22-33-44-55  0x00026d83    a_2

3         2      00-0a-0a-0a-0a-0c  00-11-22-33-44-55  0x00026d89    a_3

4         2      00-0a-0a-0a-0a-0d  00-11-22-33-44-55  0x00026d90    a_4

5         1      00-20-20-20-20-20  00-11-22-33-44-55  0x000260e3    b_1

6         1      00-20-20-20-20-21  00-11-22-33-44-55  0x000260ea    b_2

7         1      00-20-20-20-20-22  00-11-22-33-44-55  0x000260f1    b_3

8         1      00-20-20-20-20-23  00-11-22-33-44-55  0x000260f8    b_4

Enhancements to PBF Configuration

This section describes how to configure PBF using the configuration commands that are available in software release 7.5(1) and later releases. The enhancements added to the PBF feature simplify the process of setting and committing the security ACLs and adjacency information.

These sections describe the PBF configuration enhancements:

PBF Configuration Enhancement Overview

Specifying a PBF_MAP_ACL

Displaying the PBF_MAP_ACL Information

Clearing the PBF_MAP_ACL Configuration

PBF Configuration Enhancement Overview

The new set pbf-map command creates the security ACLs and adjacency information based on your input and then automatically commits the ACLs. The set pbf-map command involves two steps, as follows:

Step 1 Adjacency table insert

This step creates an entry in the adjacency table for each redirect-to-adjacency ACE that is added to the ACL.

Step 2 ACL create/modify

This step creates an ACE in each ACL for the redirect-to-adjacency entry, and if necessary, adds a permit ip any any ACE to the end of the ACL (this ACE is added only if the permit ip any any ACE is not already in the ACL).

The set pbf-map command syntax is set pbf-map ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2.

An example of the simplified syntax is set pbf-map 1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 12.

The new set pbf-map command is equivalent to all of the following pre-release 7.5(1) commands: 

set security acl adjacency PBF_MAP_ADJ_0 11 0-0-0-0-0-1

set security acl adjacency PBF_MAP_ADJ_1 12 0-0-0-0-0-2

commit security acl adjacency 

set security acl ip PBF_MAP_ACL_11 redirect PBF_MAP_ADJ_1 ip host 1.1.1.1 host 2.2.2.2

set security acl ip PBF_MAP_ACL_12 redirect PBF_MAP_ADJ_0 ip host 2.2.2.2 host 1.1.1.1

If the permit ip any any ACE is missing, the following two permit ip any any entries are added: 

set security acl ip PBF_MAP_ACL_11 permit ip any any

set security acl ip PBF_MAP_ACL_12 permit ip any any

commit security acl ip PBF_MAP_ACL_11

commit security acl ip PBF_MAP_ACL_12

set security acl map PBF_MAP_ACL_11 11

set security acl map PBF_MAP_ACL_12 12

Each entry in the ACL that is added by the set pbf-map command is inserted before the default permit ip any any ACE.

If you want to add entries other than the redirect ACEs to the adjacency table, use the set security acl ip PBF_MAP_ACL_(VLAN_ID) command. The PBF_MAP_ACL_(VLAN_ID) ACL name is based on the following algorithm: The VLAN number of the corresponding host is added to the PBF_MAP_ACL_ string.

Use the clear pbf-map command to delete the redirect-to-adjacency ACEs and adjacency information that is contained in the PBF_MAP_ACL_(VLAN_ID) ACL. Use the clear security acl command to clear all other ACE types that are part of the PBF_MAP_ACL_(VLAN_ID) ACL.

Specifying a PBF_MAP_ACL

Note The ACL name used by the set pbf-map command is reserved for this command. When you use the set security acl command, you cannot use any name that starts with PBF_MAP_ACL. The name used for the adjacency information is also reserved for the set pbf-map command. When you use the set security acl adjacency command, you cannot use any name that starts with PBF_MAP_ADJ.

To specify a PBF_MAP_ACL, perform this task in privileged mode:

Task
Command

Specify a PBF_MAP_ACL.

set pbf-map ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2


This example shows how to specify a PBF_MAP_ACL: 

Console> (enable) set pbf-map 1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 22

Commit operation successful.

Commit operation successful.


ACL 'PBF_MAP_ACL_11' successfully committed.

Console> (enable)

ACL PBF_MAP_ACL_11 successfully mapped to VLAN 11.

Console> (enable)

ACL 'PBF_MAP_ACL_22' successfully committed.

Console> (enable)

ACL PBF_MAP_ACL_22 successfully mapped to VLAN 22.

Console> (enable) Operation successful.

Console> (enable)

Displaying the PBF_MAP_ACL Information

To display the PBF_MAP_ACL information, perform this task in normal mode:

Task
Command

Display the PBF_MAP_ACL information.

show pbf-map all | vlan | config


This example shows how to display all the PBF maps that have been configured: 

Console> (enable) show pbf-map all

Index    DstVlan   DstMac             SrcMac          HitCount(hex)  Name

-------------------------------------------------------------------------

1         11      00-00-00-00-00-01  00-00-00-00-00-00  0x00000000 PBF_MAP_ADJ_0

2         22      00-00-00-00-00-02  00-00-00-00-00-00  0x00000000 PBF_MAP_ADJ_1

Console> (enable)

This example shows how to display the PBF-related ACEs for the specified VLAN and the statistics for each adjacency used: 

Console> (enable) show pbf-map 11

Index    DstVlan   DstMac             SrcMac          HitCount(hex)  Name

-------------------------------------------------------------------------

1         22      00-00-00-00-00-02  00-00-00-00-00-00  0x00000000 PBF_MAP_ADJ_1

Console> (enable)

This example shows the PBF map configuration: 

Console> (enable) show pbf-map config

set pbf_map 1.1.1.1 00-00-00-00-00-01 11 2.2.2.2 00-00-00-00-00-02 22 

Console> (enable)

Clearing the PBF_MAP_ACL Configuration

To clear the PBF_MAP_ACL configuration, perform this task in normal mode:

Task
Command

Clear the PBF_MAP_ACL configuration.

clear pbf-map all | vlan vlan | ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2


This example shows how to clear all the ACLs and adjacency information that were created by the set pbf-map command: 

Console> (enable) clear pbf-map all


ACL 'PBF_MAP_ACL_11' successfully deleted.

Console> (enable)

ACL 'PBF_MAP_ACL_22' successfully deleted.

Console> (enable)

This example shows how to clear the ACL with the name PBF_MAP_ACL_VLAN_# and the adjacency table that was used by that ACL: 

Console> (enable) clear pbf-map vlan 11


ACL 'PBF_MAP_ACL_11' successfully deleted.

Console> (enable) Commit operation successful.

Console> (enable)

This example shows how to clear all the ACEs that were created by the set pbf-map command except the permit ip any any ACE. The command removes the entries that enable traffic between the hosts with ip_addr_1 and ip_addr_2 on vlan_1 and vlan_2. If the entries were already deleted using the clear security acl command, a message is displayed indicating that the specific entry was already cleared. The actual entries that were deleted are two ACEs (redirect-to-adjacency ACEs) and two entries in the adjacency table. 

Console> (enable) clear pbf-map 1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 22


ACL 'PBF_MAP_ACL_11' successfully committed.

Console> (enable)

ACL 'PBF_MAP_ACL_22' successfully committed.

Console> (enable)