Chapter 15
Configuring Access Control

Configuring MAC-Based ACL Lookups for All Packet Types

The commands described in this section affect both VACLs and QoS MAC ACLs. The set acl mac-packet-classify vlans command enables the MAC lookup for all packet types incoming on the source VLAN. The clear acl mac-packet-classify [vlans] command reverts the configuration back to the default for the specified VLAN. The default behavior is to match only MAC packets with MAC ACLs. If you do not specify a VLAN with the clear acl mac-packet-classify [vlans] command, the feature is disabled for all VLANs. The show acl mac-packet-classify command displays the list of VLANs that have the MAC packet classify feature enabled.

Configuration Guidelines

Use the following guidelines when configuring MAC-based ACL lookups:

• This feature should be enabled on Layer 2 VLANs only. (This recommendation is for Metro customers.)

• If you enable the feature on a Layer 3 VLAN, be aware of the following:
  – You will lose some Layer 3 features, as indicated in the warning message displayed when the feature is enabled:
    Warning: IP RACLs, VACLs & some IP features will be ineffective on these vlans.
    In other words, IP traffic on such a VLAN is classified as MAC traffic and is no longer filtered by the IP RACLs and IP VACLs that apply to it; only the MAC ACLs are consulted.
  – You might see inconsistencies in the egress ACL lookup depending on whether the packet is hardware or software forwarded. We recommend that you enable this feature on all VLANs to eliminate any inconsistencies. (This recommendation is for Enterprise customers.)

Include CoS, VLAN and Packet Type in MAC ACLs and Extend EtherType

The VACL and QoS ACL CLI has been enhanced to include optional parameters for matching on the CoS and VLAN. The commands are as follows:

Usage: set security acl mac <acl_name> <permit|deny>
       <src_mac_addr_spec> <dest_mac_addr_spec>
       [<ethertype>] [capture]
       [cos <cos_value>]
       [vlan <vlan>]
       [before <editbuffer_index>|modify <editbuffer_index>]
       (mac_addr_spec = <addr> <mask> or host <addr> or any
        example: 11-22-33-44-00-00 00-00-00-00-ff-ff, host 11-22-33-44-55-66)
       ethertype = names or 0x0, 0x05ff - 0xffff,
       cos_value = 0..7, vlan = 1..4094,

Usage: set qos acl mac <acl_name> <dscp <dscp>|trust-cos>
       [aggregate <aggregate_name>]
       <src_mac_addr_spec> <dest_mac_addr_spec> [<ethertype>]
       [cos <cos_value>]
       [vlan <vlan>]
       [before <editbuffer_index>|modify <editbuffer_index>]
       (mac_addr_spec = <addr> <mask> or host <addr> or any
        example: 11-22-33-44-00-00 00-00-00-00-ff-ff, host 11-22-33-44-55-66)
       ethertype = names or 0x0, 0x05ff - 0xffff,
       cos_value = 0..7, vlan = 1..4094,

The CoS and VLAN fields are optional and, if left unspecified, they match any CoS or VLAN value.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, page 15-63
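As an added example (not from the Cisco guide and not CatOS code), the following Python model reproduces the two lookup modes described above and exercises the CoS, VLAN and address/mask matching of the extended MAC ACE syntax. It assumes that IPv4 and IPX are the packet types that are not "MAC packets" in the default mode, that the mask in a mac_addr_spec is a Cisco wildcard mask (1 bits are don't-care, which is what the guide's 00-00-00-00-ff-ff example implies), and that a packet matching no ACE hits an implicit deny; the frames, the IP VACL and the MAC VACL are constructed for the demonstration. It shows the hazard behind the warning message: once VLAN 10 is in the mac-packet-classify list, an IP packet that the IP VACL would drop is decided by the MAC ACL alone.

```python
"""Model of the Catalyst 6500 MAC ACL lookup modes: default (only non-IP, non-IPX
'MAC packets' are matched against MAC ACLs) versus 'set acl mac-packet-classify'
(every packet entering the VLAN is matched against the MAC ACL).  Added
illustration, not Cisco code; assumptions are marked in the comments."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ETHERTYPE_NAMES = {"ip": 0x0800, "arp": 0x0806, "ipx": 0x8137}  # illustrative subset of names
NON_MAC_TYPES = {0x0800, 0x8137}  # handled by IP/IPX ACLs in the default mode (assumption)

def parse_mac(text: str) -> bytes:
    """'11-22-33-44-55-66' (the guide's notation) -> 6 raw bytes."""
    return bytes(int(b, 16) for b in text.split("-"))

@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    cos: int
    vlan: int
    payload: bytes

def parse_frame(raw: bytes, port_vlan: int) -> Frame:
    """Strip the Ethernet/802.1Q header; an untagged frame gets CoS 0 and the port VLAN."""
    dst, src = raw[:6], raw[6:12]
    etype, off, cos, vlan = int.from_bytes(raw[12:14], "big"), 14, 0, port_vlan
    if etype == 0x8100:  # 802.1Q TCI: PCP(3) DEI(1) VID(12), then the real EtherType
        tci = int.from_bytes(raw[14:16], "big")
        cos, vlan = tci >> 13, tci & 0x0FFF
        etype, off = int.from_bytes(raw[16:18], "big"), 18
    return Frame(dst, src, etype, cos, vlan, raw[off:])

@dataclass
class MacAce:
    """One 'set security acl mac' entry; None for ethertype/cos/vlan means match any."""
    action: str
    src: str  # 'any' | 'host <addr>' | '<addr> <mask>'
    dst: str
    ethertype: Optional[int] = None
    cos: Optional[int] = None
    vlan: Optional[int] = None

def addr_matches(spec: str, mac: bytes) -> bool:
    """Evaluate a mac_addr_spec; mask bits set to 1 are don't-care (wildcard mask, assumption)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return mac == parse_mac(parts[1])
    addr, wild = parse_mac(parts[0]), parse_mac(parts[1])
    return all(((a ^ m) & ~w & 0xFF) == 0 for a, m, w in zip(addr, mac, wild))

def mac_ace_matches(ace: MacAce, f: Frame) -> bool:
    return (addr_matches(ace.src, f.src) and addr_matches(ace.dst, f.dst)
            and (ace.ethertype is None or ace.ethertype == f.ethertype)
            and (ace.cos is None or ace.cos == f.cos)
            and (ace.vlan is None or ace.vlan == f.vlan))

def eval_mac_acl(acl: List[MacAce], f: Frame) -> str:
    for ace in acl:
        if mac_ace_matches(ace, f):
            return ace.action
    return "deny"  # implicit deny at the end of the ACL (assumption)

IpAce = Tuple[str, str]  # (action, destination network): a deliberately tiny IP VACL model

def eval_ip_acl(acl: List[IpAce], f: Frame) -> str:
    if f.ethertype != 0x0800 or len(f.payload) < 20:
        return "deny"
    dst_ip = ipaddress.IPv4Address(f.payload[16:20])  # IPv4 destination address field
    for action, net in acl:
        if dst_ip in ipaddress.ip_network(net):
            return action
    return "deny"

def lookup(f: Frame, ip_acl: List[IpAce], mac_acl: List[MacAce],
           classified_vlans: Set[int]) -> Tuple[str, str]:
    """Return (ACL type that decided, verdict).  With the VLAN in the
    mac-packet-classify list every packet is a MAC packet, so the IP VACL never runs."""
    if f.vlan in classified_vlans or f.ethertype not in NON_MAC_TYPES:
        return "mac", eval_mac_acl(mac_acl, f)
    return "ip", eval_ip_acl(ip_acl, f)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, cos: int = 0) -> bytes:
    """Constructed test frame (not a capture): optional 802.1Q tag, EtherType, payload."""
    hdr = parse_mac(dst) + parse_mac(src)
    if vlan is not None:
        hdr += (0x8100).to_bytes(2, "big") + ((cos << 13) | vlan).to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload

def ipv4_payload(dst_ip: str) -> bytes:
    """Minimal 20-byte IPv4 header with only version/IHL and destination filled in."""
    hdr = bytearray(20)
    hdr[0], hdr[16:20] = 0x45, ipaddress.IPv4Address(dst_ip).packed
    return bytes(hdr)

# Constructed policy: the IP VACL protects 10.0.0.0/24; the MAC VACL lets one host's
# CoS 5 traffic on VLAN 10 through and permits ARP, then implicitly denies the rest.
IP_VACL: List[IpAce] = [("deny", "10.0.0.0/24"), ("permit", "0.0.0.0/0")]
MAC_VACL = [MacAce("permit", "host 11-22-33-44-55-66", "any", cos=5, vlan=10),
            MacAce("permit", "any", "any", ethertype=ETHERTYPE_NAMES["arp"])]

def demo(classify_vlan10: bool, cos: int = 5) -> Tuple[str, str]:
    """Tagged IPv4 frame from the permitted host to 10.0.0.5 on VLAN 10."""
    raw = build_frame("00-00-0c-9f-f0-0a", "11-22-33-44-55-66", ETHERTYPE_NAMES["ip"],
                      ipv4_payload("10.0.0.5"), vlan=10, cos=cos)
    return lookup(parse_frame(raw, port_vlan=1), IP_VACL, MAC_VACL,
                  {10} if classify_vlan10 else set())

if __name__ == "__main__":
    print("default lookup     :", demo(False))  # ('ip', 'deny')
    print("mac-packet-classify:", demo(True))   # ('mac', 'permit')
```

The same frame is dropped by the IP VACL in the default mode and permitted by the MAC ACE in classify mode, which is exactly the "IP RACLs, VACLs ... will be ineffective" condition the guideline warns about; the cos=3 variant shows that an ACE with an explicit cos value does not match a frame carrying a different CoS, while an ACE that omits cos and vlan matches any value.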