15-49
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Configuring VACLs
Note Because a VACL has an implicit deny at the end of the list, any traffic that does not match one of the ACEs is denied.
This example shows how to create an ACE for IPACL1 to allow the traffic from all source addresses:
Console> (enable) set security acl ip IPACL1 permit any
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
This example shows how to create an ACE for IPACL1 to block the traffic from source address 171.3.8.2:
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2
IPACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info IPACL1 editbuffer
set security acl ip IPACL1
-----------------------------------------------------------------
1. permit ip host 172.20.53.4 any
2. permit ip any any
3. deny ip host 171.3.8.2 any
Console> (enable)
Note ACEs are evaluated in the order listed and the first match wins. In the edit buffer shown here, ACE 2 (permit ip any any) matches all IP traffic, so ACE 3 (deny ip host 171.3.8.2 any) is never reached and traffic from 171.3.8.2 is permitted. Place specific deny ACEs ahead of a permit any any entry, for example by using the before keyword when you create them.
This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL IPACL1 is committed to hardware.
Console> (enable)
Note For more information about the commit security acl all command, see the “Committing ACLs” section
on page 15-53.
Enter the show security acl info IPACL1 command to verify that the changes were committed. A committed VACL filters no traffic until it is mapped to a VLAN; if this VACL has not been mapped yet, enter the set security acl map command to map it to a VLAN.
This example shows how to create an ACE for IPACL2 to block traffic from source address 172.20.3.2 and place this ACE before ACE number 2 in the VACL. Optionally, enter the modify keyword to replace an existing ACE with a new ACE. Enter the show security acl info acl_name [editbuffer] command to see the current ACE listing: without the editbuffer keyword, the command shows the committed list that is stored in NVRAM; with it, the command shows the uncommitted contents of the edit buffer.
Console> (enable) set security acl ip IPACL2 deny host 172.20.3.2 before 2
IPACL2 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
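The IPACL1 edit buffer displayed above and the before keyword shown here illustrate the same point: VACLs are first-match lists with an implicit deny, so an ACE placed after permit ip any any can never take effect. The following is an added example, not Cisco code or CatOS output: a small Python evaluator that parses ACE lines in the format printed by show security acl info acl_name editbuffer, evaluates sample packets in order, and reports ACEs that are fully covered by an earlier ACE. The two edit-buffer listings and the packet addresses it uses are constructed for the example; the second listing assumes the deny was re-entered with before 2.

```python
"""First-match evaluation of a CatOS-style VACL edit buffer (added example)."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF

# Constructed from the IPACL1 edit buffer shown on this page: the deny sits after
# 'permit ip any any' and is therefore unreachable.
IPACL1_EDITBUFFER = """\
set security acl ip IPACL1
-----------------------------------------------------------------
1. permit ip host 172.20.53.4 any
2. permit ip any any
3. deny ip host 171.3.8.2 any
"""

# Assumed result of re-adding the deny with 'before 2': the deny now precedes the permit any.
IPACL1_FIXED = """\
1. permit ip host 172.20.53.4 any
2. deny ip host 171.3.8.2 any
3. permit ip any any
"""

LINE_RE = re.compile(r"^\s*(\d+)\.\s+(permit|deny)\s+ip\s+(.+?)\s*$")


@dataclass(frozen=True)
class Match:
    """An address plus a Cisco wildcard mask (wildcard bits set to 1 are 'don't care')."""
    addr: int
    wildcard: int

    def matches(self, ip: int) -> bool:
        return ((ip ^ self.addr) & ~self.wildcard & ALL_ONES) == 0

    def covers(self, other: "Match") -> bool:
        """True if every address that other can match is also matched by self."""
        # self may not fix any bit that other leaves open, and on the bits self
        # does fix, the two addresses must agree.
        opens_more = (other.wildcard & ~self.wildcard & ALL_ONES) == 0
        agrees = ((self.addr ^ other.addr) & ~self.wildcard & ALL_ONES) == 0
        return opens_more and agrees


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str  # "permit" or "deny"
    src: Match
    dst: Match


def _parse_match(tokens, pos):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[pos]."""
    tok = tokens[pos]
    if tok == "any":
        return Match(0, ALL_ONES), pos + 1
    if tok == "host":  # 'host A' is shorthand for 'A 0.0.0.0' (exact match)
        return Match(int(IPv4Address(tokens[pos + 1])), 0), pos + 2
    return Match(int(IPv4Address(tok)), int(IPv4Address(tokens[pos + 1]))), pos + 2


def parse_editbuffer(text: str) -> list:
    """Parse numbered ACE lines; the command echo and rule line are skipped."""
    aces = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        src, pos = _parse_match(rest, 0)
        dst, _ = _parse_match(rest, pos)
        aces.append(ACE(seq, action, src, dst))
    return aces


def evaluate(aces, src_ip: str, dst_ip: str):
    """Return (action, matching ACE number); (deny, None) is the implicit deny."""
    s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for ace in aces:
        if ace.src.matches(s) and ace.dst.matches(d):
            return ace.action, ace.seq
    return "deny", None


def shadowed_aces(aces):
    """Return (shadowed ACE number, earlier ACE number) pairs that can never match."""
    result = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if earlier.src.covers(later.src) and earlier.dst.covers(later.dst):
                result.append((later.seq, earlier.seq))
                break
    return result


if __name__ == "__main__":
    for name, buf in (("as shown", IPACL1_EDITBUFFER), ("after before 2", IPACL1_FIXED)):
        aces = parse_editbuffer(buf)
        print(name, "171.3.8.2 ->", evaluate(aces, "171.3.8.2", "10.0.0.1"),
              "shadowed:", shadowed_aces(aces))
```

Run against the buffer as displayed, the evaluator reports ACE 3 shadowed by ACE 2 and permits 171.3.8.2; with the deny inserted before the permit any, the same packet is denied and nothing is shadowed. Checking the edit buffer this way before entering commit security acl all catches ordering mistakes that the switch itself does not flag.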
This example shows how to create an ACE for IPACL2 to redirect IP traffic to port 3/1 from source address 1.2.3.4 with the destination address of 255.255.255.255. The host keyword followed by an address is an abbreviation for that address with a source-wildcard of 0.0.0.0, that is, an exact match on the single address. This ACE also specifies the following:
• precedence—IP precedence values that range between zero for low priority and seven for high priority.
• tos—Type of service levels that range between 0 and 15.
Note The ToS values are bits 3 through 6 of the IP ToS byte as defined by RFC 1349. The precedence values are
bits 0 through 2 as defined by RFC 791.