Policy-Based Forwarding (PBF)
- Prerequisites for PBF
- Restrictions for PBF
- Information About PBF
- Default Settings for PBF
- How to Configure PBF
- Monitoring PBF
- Configuration Examples for PBF
Note
- For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
- Cisco IOS Release 15.1SY supports only Ethernet interfaces. Cisco IOS Release 15.1SY does not support any WAN features or commands.
- Optimized ACL logging (OAL) and VACL capture are incompatible. Do not configure both features on the switch. With OAL configured (see the “Optimized ACL Logging” section), use SPAN to capture traffic.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Prerequisites for PBF
Restrictions for PBF
- PBF is performed in software, with optional rate limiters to control CPU usage.
- PBF is applied only to ingress traffic.
- To allow traffic in both directions between two VLANs, you must configure PBF in both VLANs.
- You can configure PBF between hosts in different switches.
- By default, PBF hosts in the same VLAN cannot communicate with each other. To allow local communication, use the local keyword.
- When configuring the vlan filter command, specify only one VLAN after the vlan-list keyword. If you specify more than one VLAN, PBF will ignore all but the last VLAN in the list.
- Layer 2 port ACLs (PACLs) take precedence over PBF.
- If the sending VLAN is shut down, PBF will still function. Shutting down a VLAN disables Layer 3 functionality, but PBF is a Layer 2 function.
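The restrictions above can be checked offline against a saved configuration. The following Python script is an added example, not Cisco code: it flags a vlan filter command whose vlan-list names more than one VLAN and reports PBF paths that exist in only one direction. The sample configuration, the map names and the function names audit_pbf and expand_vlan_list are constructed for illustration; treating a VLAN range as several VLANs is an assumption.

```python
import re

# Constructed running-config excerpt for illustration (not from the original page).
SAMPLE_CONFIG = """\
vlan access-map red-to-blue 10
 match mac address red-to-blue
 action forward vlan 200
vlan access-map blue-to-green 10
 match mac address blue-to-green
 action forward vlan 300 local
vlan filter red-to-blue vlan-list 100,150
vlan filter blue-to-green vlan-list 200
"""

def expand_vlan_list(text):
    """Expand '100,150-152' to [100, 150, 151, 152], keeping list order.
    Assumption: a range counts as several VLANs and its upper bound is 'last'."""
    vlans = []
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_pbf(config):
    """Return (paths, findings); paths are (sending VLAN, receiving VLAN) pairs."""
    forward, filters, current = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"vlan access-map (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+action forward vlan (\d+)", line):
            if current:
                forward[current] = int(m.group(1))   # receiving VLAN
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)", line):
            filters.append((m.group(1), m.group(2)))
    paths, findings = set(), []
    for name, vlan_list in filters:
        if name not in forward:
            continue                       # ordinary VACL, not a PBF map
        vlans = expand_vlan_list(vlan_list)
        if len(vlans) > 1:
            findings.append(f"{name}: vlan-list {vlan_list} names {len(vlans)} "
                            f"VLANs; PBF applies only to VLAN {vlans[-1]}")
        paths.add((vlans[-1], forward[name]))
    for snd, rcv in sorted(paths):
        if (rcv, snd) not in paths:
            findings.append(f"VLAN {snd} -> {rcv} is one-way: no PBF path {rcv} -> {snd}")
    return paths, findings
```

Calling audit_pbf(SAMPLE_CONFIG) returns the set of effective PBF paths and a list of findings; an empty list means every path has a return path and every filter names a single VLAN.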
Information About PBF
PBF is a MAC-address VACL that bridges packets between VLANs. PBF forwards packets based solely on the source and destination MAC addresses, ignoring any information above Layer 2.
Default Settings for PBF
How to Configure PBF
To configure PBF, perform this task on each source VLAN:
Monitoring PBF
- The output of the show vlan mac-pbf config command displays the following fields for configured PBF paths:
– Rcv Vlan — The number of the VLAN to which packets are forwarded by PBF.
– Snd Vlan — The number of the VLAN which will forward packets by PBF.
– DMAC — The MAC address of the destination host on the receiving VLAN.
– SMAC — The MAC address of the source host on the sending VLAN.
– (Local) — Displays 1 if the local keyword is configured in the action forward vlan command on the sending VLAN; displays 0 if the local keyword is not configured.
– (Packet counter) — The number of packets that have been forwarded from the sending VLAN to the receiving VLAN. To clear this counter, enter the clear vlan mac-pbf counters command.
– Pkts dropped — The number of packets that have been dropped by the sending VLAN. To clear this counter, enter the clear vlan mac-pbf counters command.
Configuration Examples for PBF
This example shows how to configure and display PBF to allow two hosts in separate VLANs (“red” VLAN 100 and “blue” VLAN 200) on the same switch to exchange packets: