15-62
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Configuring MAC-Based ACL Lookups for All Packet Types
Using MAC-Based ACL Lookups for All Packet Types
PFC3B and PFC3BXL allow ACL lookups on all packet types using the MAC ACL. This feature is
useful for doing MAC-based matching on all packets regardless of whether the packet is IP version 4, IP
version 6, IPX, MPLS, and so on. You can use this feature to rate limit all traffic ingressing a VLAN
to a specific value by coupling an aggregate policer with a match-all MAC ACL.
This feature is enabled on a per-ingress VLAN basis and affects the security ACLs (VACLs) and the QoS
ACLs. When this feature is enabled on an incoming VLAN, all packets coming in on that VLAN are
matched against the MAC-based ACLs, even if they are, for example, IP version 4 packets.
The ethertype option has been extended in MAC ACLs to include the IP version 4 EtherType, which allows
you to set up an ACE that specifically targets IP version 4 packets.
Including the VLAN and CoS in MAC-Based ACLs
With PFC3B and PFC3BXL, you can include the CoS and the VLAN as part of the MAC ACL lookup
key, which provides support for port-VLAN lookups. This capability is useful on trunk ports where each
VLAN can be treated independently. This enhancement affects the VACLs and the QoS MAC ACLs.
PFC3B and PFC3BXL overload the VLAN field with the frame type field in the MAC lookup key.
Because the CoS and VLAN fields are maskable, both are added as optional parameters, so existing
MAC ACL configurations that do not specify them remain supported.
VLAN Matching
With PFC3B and PFC3BXL, if the MAC ACL is mapped to the input, the packet’s input VLAN is used
to match against the MAC ACL. Similarly, if the MAC ACL is mapped to the output, the output VLAN
that is associated with the packet is used to match against the MAC ACL.
Note
The MAC ACLs with VLAN matching can be applied only to ports.
VLAN matching can be used with, or independently of, the MAC-based ACL lookup feature and can
do lookups on a port-VLAN basis (the entire VLAN range is supported).
CoS Matching
In both the ingress and egress cases, the CoS that is used to match against the MAC ACL is the input
CoS that is associated with the packet. The input CoS is the CoS in the DBus header and is constructed
after consulting the port trust state (trust-CoS/DSCP/IPprec/untrusted), the default CoS, and the CoS-to-CoS
mapping table for 802.1Q-enabled ports.
Note
The CoS matching behavior may differ for the egress ACLs (VACLs and QoS ACLs) depending
on how the packet is forwarded. For a normal hardware-shortcut packet, the egress ACL matches on
the same CoS as the ingress ACL. However, if the packet is forwarded through an intermediate
forwarding entity, such as a router or multicast read/write engine, the DBus CoS will probably not be the
same as the ingress DBus CoS.
CoS matching can be used with, or independently of, the MAC-based ACL lookup feature.
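The following Python model is an added illustration of the lookup rules described in the three sections above (lookups on all packet types, the optional VLAN and CoS key fields, and CoS matching); it is not Cisco code and does not reproduce the PFC3B hardware key layout. The MAC addresses, VLAN numbers, the CoS-to-CoS map, and the assumption that IP version 4 frames skip the MAC ACL unless the all-packet-types lookup is enabled on their ingress VLAN are all constructed for the example.

```python
"""Model of the PFC3B/PFC3BXL MAC ACL lookup rules described above.

Added illustration, not Cisco code: it reproduces the stated rules (lookup on
all packet types per ingress VLAN, an IPv4 ethertype ACE, optional maskable
VLAN/CoS key fields, input vs. output VLAN, input CoS in both directions)
and nothing of the real hardware key layout.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
# Model assumption: with the feature off, IPv4 frames take the IP ACL path and
# are not matched against the MAC ACL (the case the text uses as its example).
SKIPS_MAC_LOOKUP_BY_DEFAULT = {ETHERTYPE_IPV4}


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    input_vlan: int
    output_vlan: int
    input_cos: int                  # DBus CoS, see dbus_input_cos()


@dataclass
class MacAce:
    action: str                     # "permit" or "deny"
    src_mac: Optional[str] = None   # None = any
    dst_mac: Optional[str] = None
    ethertype: Optional[int] = None
    vlan: Optional[int] = None      # optional, maskable key field
    cos: Optional[int] = None       # optional, maskable key field

    def matches(self, frame: Frame, direction: str) -> bool:
        # Input-mapped ACLs key on the input VLAN, output-mapped on the output
        # VLAN; the CoS compared is the input (DBus) CoS in both directions.
        key_vlan = frame.input_vlan if direction == "input" else frame.output_vlan
        fields = [(self.src_mac, frame.src_mac), (self.dst_mac, frame.dst_mac),
                  (self.ethertype, frame.ethertype), (self.vlan, key_vlan),
                  (self.cos, frame.input_cos)]
        return all(want is None or want == have for want, have in fields)


def dbus_input_cos(trust: str, default_cos: int, tagged_cos: Optional[int],
                   cos_to_cos: Dict[int, int]) -> int:
    """Input CoS written to the DBus header (simplified).

    untrusted: port default CoS.  trust-cos: the 802.1Q tag CoS rewritten
    through the CoS-to-CoS map, or the default CoS if the frame is untagged.
    trust-dscp / trust-ipprec derive CoS from the L3 marking; not modelled.
    """
    if trust == "untrusted" or tagged_cos is None:
        return default_cos
    if trust == "trust-cos":
        return cos_to_cos.get(tagged_cos, tagged_cos)
    raise NotImplementedError(f"trust state {trust!r} not modelled")


class MacAclEngine:
    def __init__(self, lookup_all_vlans: Iterable[int] = ()):
        # Ingress VLANs with "MAC-based ACL lookups for all packet types" on.
        self.lookup_all_vlans = set(lookup_all_vlans)

    def subject_to_mac_lookup(self, frame: Frame) -> bool:
        if frame.input_vlan in self.lookup_all_vlans:
            return True
        return frame.ethertype not in SKIPS_MAC_LOOKUP_BY_DEFAULT

    def evaluate(self, acl: List[MacAce], frame: Frame, direction: str) -> str:
        if not self.subject_to_mac_lookup(frame):
            return "not-mac-classified"
        for ace in acl:
            if ace.matches(frame, direction):
                return ace.action
        return "deny"               # implicit deny at the end of the ACL


def demo() -> Dict[str, str]:
    """Run the cases from the text on constructed frames."""
    # Trunk port set to trust-cos; the CoS-to-CoS map rewrites CoS 5 to 4.
    cos = dbus_input_cos("trust-cos", 0, tagged_cos=5, cos_to_cos={5: 4})
    ipv4 = Frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", ETHERTYPE_IPV4, 10, 20, cos)
    ipx = Frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", ETHERTYPE_IPX, 10, 20, cos)
    # ACE targeting IPv4 on VLAN 10 with the rewritten input CoS 4, then deny.
    acl = [MacAce("permit", ethertype=ETHERTYPE_IPV4, vlan=10, cos=4), MacAce("deny")]
    off, on = MacAclEngine(), MacAclEngine(lookup_all_vlans=[10])
    return {
        "ipv4_feature_off": off.evaluate(acl, ipv4, "input"),        # skips MAC ACL
        "ipv4_feature_on_input": on.evaluate(acl, ipv4, "input"),    # VLAN 10, CoS 4
        "ipv4_feature_on_output": on.evaluate(acl, ipv4, "output"),  # output VLAN 20
        "ipx_feature_off": off.evaluate(acl, ipx, "input"),          # non-IP, denied
        "match_all_ipx": off.evaluate([MacAce("permit")], ipx, "input"),
    }
```

Two points the model makes visible: the same IPv4 frame is ignored by the MAC ACL until the all-packet-types lookup is enabled on its ingress VLAN, and the same ACE that matches it on an input mapping fails on an output mapping because the key then carries the output VLAN. The cos field compares against the input CoS after the trust and CoS-to-CoS rewrite, so an ACE written for the tagged value 5 would miss a frame the port has rewritten to 4.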