15-107
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Configuring Policy-Based Forwarding
An example is as follows:
Console> (enable) set pbf client cl1 21.1.1.1 00-00-00-00-40-01 101
Commit operation successful.
Console> (enable) set pbf gw gw1 21.0.0.128 255.0.0.0 00-a0-c9-81-e1-13 102
Commit operation successful.
Console> (enable) set pbf-map cl1 gw1
.ccl1 editbuffer modified. Use 'commit' command to apply changes.
.ggw1 editbuffer modified. Use 'commit' command to apply changes.
.ccl1 editbuffer modified. Use 'commit' command to apply changes.
.ggw1 editbuffer modified. Use 'commit' command to apply changes.
.ccl1 editbuffer modified. Use 'commit' command to apply changes.
.ggw1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) ACL commit in progress.
Console> (enable) ACL commit in progress.
ACL '.ccl1' successfully committed.
Console> (enable)
ACL '.ggw1' successfully committed.
Console> (enable) Mapping in progress.
Please configure VLAN 101.
ACL .ccl1 successfully mapped to VLAN 101.
Console> (enable) Mapping in progress.
Please configure VLAN 102.
ACL .ggw1 successfully mapped to VLAN 102.
Console> (enable)
The new and enhanced command set is equivalent to all of the following commands:
#adj set
set security acl adjacency .c0001cl1 101 00-00-00-00-40-01 21.1.1.1
set security acl adjacency .g0002gw1 102 00-a0-c9-81-e1-13 21.0.0.128 7
#.ccl1
set security acl ip .ccl1 permit arp
set security acl ip .ccl1 permit arp-inspection any any
set security acl ip .ccl1 redirect .g0002gw1 ip host 21.1.1.1 any
set security acl ip .ccl1 permit ip any any
#.ggw1
set security acl ip .ggw1 permit arp
set security acl ip .ggw1 permit arp-inspection any any
set security acl ip .ggw1 redirect .c0001cl1 ip any host 21.1.1.1
set security acl ip .ggw1 permit ip any any
#
commit security acl all
set security acl map .ccl1 101
set security acl map .ggw1 102
Each entry in the ACL that is added by the set pbf-map command is inserted before the default permit
ip any any ACE. If you want to add entries other then redirect to the adjacency, enter the set security
acl ip client_name or gateway_name commands. The ARP-inspection entry can be replaced with a
more specific one. The ARP reply is generated only after the ARP-inspection ACEs are verified. If you
want to allow only some clients to get the ARP reply, the new ARP-inspection entries have to be set.
To Next Page
Loading...
Need help?
General