SGACL enforcement is not enabled by default on VLANs. Use the cts role-based enforcement vlan-list
command to enable or disable SGACL enforcement for Layer 2 switched packets and for Layer 3 switched
packets on a switched virtual interface (SVI).
The vlan-ID argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID ranges.
When a VLAN in which a SGACL is enforced has an active SVI, the SGACL is enforced for both Layer 2
and Layer 3 switched packets within that VLAN. Without an SVI, the SGACL is enforced only for Layer 2
switched packets, because no Layer 3 switching is possible within a VLAN without an SVI.
Examples
The following example shows how to configure an SGACL logging interval:
Switch(config)# cts role-based enforcement logging-interval 90
Switch(config)# logging rate-limit
May 27 10:19:21.509: %RBM-6-SGACLHIT:
ingress_interface='GigabitEthernet1/0/2' sgacl_name='sgacl2' action='Deny'
protocol='icmp' src-ip='16.16.1.3' src-port='8' dest-ip='17.17.1.2' dest-port='0'
sgt='101' dgt='202' logging_interval_hits='5'
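The %RBM-6-SGACLHIT message above is what a log collector receives once enforcement and logging are on. As an added example that is not part of the Cisco documentation, the following Python parser extracts the quoted fields from such lines and totals the Deny hits per SGT/DGT pair; the sample lines are constructed from the page's format (the first mirrors the page's own message, the second and third are invented).

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines. The first mirrors the page's %RBM-6-SGACLHIT
# example; the second (a Permit hit) and third (a non-SGACL message) are invented.
SAMPLE_LOGS = [
    "May 27 10:19:21.509: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/2' "
    "sgacl_name='sgacl2' action='Deny' protocol='icmp' src-ip='16.16.1.3' src-port='8' "
    "dest-ip='17.17.1.2' dest-port='0' sgt='101' dgt='202' logging_interval_hits='5'",
    "May 27 10:20:51.001: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/7' "
    "sgacl_name='web_allow' action='Permit' protocol='tcp' src-ip='16.16.1.9' "
    "src-port='51234' dest-ip='17.17.1.5' dest-port='443' sgt='101' dgt='303' "
    "logging_interval_hits='12'",
    "May 27 10:21:00.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

MARKER = "%RBM-6-SGACLHIT:"
# Each field is key='value'; keys use letters, digits, '_' or '-' (e.g. src-ip).
FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")


def parse_sgacl_hit(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one SGACLHIT message, or None for any other syslog line."""
    if MARKER not in line:
        return None
    payload = line.split(MARKER, 1)[1]
    return dict(FIELD_RE.findall(payload))


def deny_hits_by_sgt_pair(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Total the hits of Deny entries, keyed by (sgt, dgt).

    logging_interval_hits is the count accumulated during the logging interval,
    so summing it rather than counting messages gives the drop volume.
    """
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        fields = parse_sgacl_hit(line)
        if fields is None or fields.get("action") != "Deny":
            continue
        totals[(fields["sgt"], fields["dgt"])] += int(fields.get("logging_interval_hits", "0"))
    return dict(totals)


if __name__ == "__main__":
    for (sgt, dgt), hits in deny_hits_by_sgt_pair(SAMPLE_LOGS).items():
        print(f"SGT {sgt} -> DGT {dgt}: {hits} denied packets")
```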
Related Commands
Command                          Description
logging rate-limit               Limits the rate of messages logged per second.
show cts role-based permissions  Displays the SGACL permission list.
Command Reference, Cisco IOS XE Everest 16.5.1a (Catalyst 3650 Switches)
cts role-based enforcement