
Cisco WS-C6506 User Manual

1488 pages
15-103
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Configuring Policy-Based Forwarding
Displaying the PBF_MAP_ACL Information, page 15-104
Clearing the PBF_MAP_ACL Configuration, page 15-105
PBF Configuration Enhancement Overview
Note: The set command changed in software release 8.3(1). For more information, see the “Enhancements
to the PBF Configuration (Software Releases 8.3(1) and Later)” section on page 15-105.
The new set pbf-map command creates the security ACLs and adjacency information based on
your input and then automatically commits the ACLs. The set pbf-map command involves two steps, as
follows:
Step 1 Insert an entry in the adjacency table for each redirect-to-adjacency ACE that is added to the ACL.
Step 2 Create or modify an ACL. This step creates an ACE in each ACL for the redirect-to-adjacency entry, and
if necessary, adds a permit ip any any ACE to the end of the ACL (this ACE is added only if the permit
ip any any ACE is not already in the ACL).
The set pbf-map command syntax is set pbf-map ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2.
An example of the simplified syntax is set pbf-map 1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 12.
The new set pbf-map command is equivalent to all of the following pre-release 7.5(1) commands:
set security acl adjacency PBF_MAP_ADJ_0 11 0-0-0-0-0-1
set security acl adjacency PBF_MAP_ADJ_1 12 0-0-0-0-0-2
commit security acl adjacency
set security acl ip PBF_MAP_ACL_11 redirect PBF_MAP_ADJ_1 ip host 1.1.1.1 host 2.2.2.2
set security acl ip PBF_MAP_ACL_12 redirect PBF_MAP_ADJ_0 ip host 2.2.2.2 host 1.1.1.1
If the permit ip any any ACE is missing, these two permit ip any any entries are added:
set security acl ip PBF_MAP_ACL_11 permit ip any any
set security acl ip PBF_MAP_ACL_12 permit ip any any
commit security acl ip PBF_MAP_ACL_11
commit security acl ip PBF_MAP_ACL_12
set security acl map PBF_MAP_ACL_11 11
set security acl map PBF_MAP_ACL_12 12
Each entry in the ACL that is added by the set pbf-map command is inserted before the default permit
ip any any ACE.
If you want to add entries other than the redirect ACEs to the adjacency table, enter the set security
acl ip PBF_MAP_ACL_(VLAN_ID) command. The PBF_MAP_ACL_(VLAN_ID) ACL name is
formed by appending the VLAN number of the corresponding host to the
PBF_MAP_ACL_ string.
Enter the clear pbf-map command to delete the redirect-to-adjacency ACEs and adjacency information
that is contained in the PBF_MAP_ACL_(VLAN_ID) ACL. Enter the clear security acl command to
clear all other ACE types that are part of the PBF_MAP_ACL_(VLAN_ID) ACL.
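As an added illustration (not part of the Cisco guide), the Python sketch below expands one set pbf-map line into the equivalent command sequence listed above, so a reviewer can see exactly which ACEs, including the trailing permit ip any any, are created and committed automatically. The function name, the existing_aces input, the adj_base parameter and the VLAN range check are assumptions made for the example; the page shows only adjacency indexes 0 and 1.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(-[0-9a-fA-F]{1,2}){5}$")  # e.g. 0-0-0-0-0-1

def expand_pbf_map(command, existing_aces=None, adj_base=0):
    """Expand one 'set pbf-map' line into the equivalent long-form commands.

    existing_aces: {acl_name: [ACE text, ...]} already configured (hypothetical input).
    adj_base: first adjacency index (assumption; the page only shows 0 and 1).
    """
    existing_aces = existing_aces or {}
    tok = command.split()
    if tok[:2] != ["set", "pbf-map"] or len(tok) != 8:
        raise ValueError("usage: set pbf-map ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2")
    hosts = []
    for ip, mac, vlan in (tok[2:5], tok[5:8]):
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac}")
        if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:  # 802.1Q range (assumption)
            raise ValueError(f"bad VLAN: {vlan}")
        hosts.append((ip, mac, int(vlan)))
    if hosts[0][2] == hosts[1][2]:
        raise ValueError("this sketch assumes the two hosts are in different VLANs")
    adj = [f"PBF_MAP_ADJ_{adj_base + i}" for i in range(2)]
    acl = [f"PBF_MAP_ACL_{vlan}" for _, _, vlan in hosts]  # name = prefix + host VLAN
    # Step 1: one adjacency entry per host, then commit the adjacency table.
    out = [f"set security acl adjacency {adj[i]} {hosts[i][2]} {hosts[i][1]}" for i in range(2)]
    out.append("commit security acl adjacency")
    # Step 2: each VLAN's ACL redirects traffic for the peer host to the peer's adjacency.
    for i, peer in ((0, 1), (1, 0)):
        out.append(f"set security acl ip {acl[i]} redirect {adj[peer]} "
                   f"ip host {hosts[i][0]} host {hosts[peer][0]}")
    # The catch-all permit is added only where the ACL does not already contain one.
    for name in acl:
        if "permit ip any any" not in existing_aces.get(name, []):
            out.append(f"set security acl ip {name} permit ip any any")
    out += [f"commit security acl ip {name}" for name in acl]
    out += [f"set security acl map {acl[i]} {hosts[i][2]}" for i in range(2)]
    return out

if __name__ == "__main__":
    print("\n".join(expand_pbf_map("set pbf-map 1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 12")))
```

Passing the ACEs already present in a PBF_MAP_ACL_(VLAN_ID) ACL through existing_aces shows when the implicit permit ip any any would be skipped.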
