Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 15 Configuring Access Control
Configuring Policy-Based Forwarding
• Displaying the PBF_MAP_ACL Information, page 15-104
• Clearing the PBF_MAP_ACL Configuration, page 15-105
PBF Configuration Enhancement Overview
Note: The set command has changed in software release 8.3(1). For more information, see the “Enhancements to the PBF Configuration (Software Releases 8.3(1) and Later)” section on page 15-105.
The new set pbf-map command creates the security ACLs and adjacency information based on your input and then automatically commits the ACLs. The set pbf-map command involves two steps, as follows:
Step 1  Insert an entry in the adjacency table for each redirect-to-adjacency ACE that is added to the ACL.
Step 2  Create or modify an ACL. This step creates an ACE in each ACL for the redirect-to-adjacency entry and, if necessary, adds a permit ip any any ACE to the end of the ACL (this ACE is added only if the permit ip any any ACE is not already in the ACL).
The set pbf-map command syntax is set pbf-map ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2. An example of the simplified syntax is set pbf-map 1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 12.
The new set pbf-map command is equivalent to all of the following pre-release 7.5(1) commands:
set security acl adjacency PBF_MAP_ADJ_0 11 0-0-0-0-0-1
set security acl adjacency PBF_MAP_ADJ_1 12 0-0-0-0-0-2
commit security acl adjacency
set security acl ip PBF_MAP_ACL_11 redirect PBF_MAP_ADJ_1 ip host 1.1.1.1 host 2.2.2.2
set security acl ip PBF_MAP_ACL_12 redirect PBF_MAP_ADJ_0 ip host 2.2.2.2 host 1.1.1.1
If the permit ip any any ACE is missing, these two permit ip any any entries are added:
set security acl ip PBF_MAP_ACL_11 permit ip any any
set security acl ip PBF_MAP_ACL_12 permit ip any any
commit security acl ip PBF_MAP_ACL_11
commit security acl ip PBF_MAP_ACL_12
set security acl map PBF_MAP_ACL_11 11
set security acl map PBF_MAP_ACL_12 12
Each entry in the ACL that is added by the set pbf-map command is inserted before the default permit ip any any ACE.
If you want to add entries other than the redirect ACEs to the adjacency table, enter the set security acl ip PBF_MAP_ACL_(VLAN_ID) command. The PBF_MAP_ACL_(VLAN_ID) ACL name is based on the following algorithm: the VLAN number of the corresponding host is appended to the PBF_MAP_ACL_ string.
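The following added example (not from the Cisco guide) models the expansion described above in Python: it takes the six set pbf-map arguments, produces the equivalent pre-release 7.5(1) command list, applies the PBF_MAP_ACL_(VLAN_ID) naming rule, inserts redirect ACEs before the default permit ip any any, and appends permit ip any any only when the ACL lacks it. The PbfState class and the continued PBF_MAP_ADJ_n numbering for later maps are assumptions of this model, not switch behaviour documented here.

```python
from dataclasses import dataclass, field

PERMIT_ANY = "permit ip any any"


@dataclass
class PbfState:
    """Constructed model of switch PBF state: ACL name -> ACE list, adjacency name -> (vlan, mac)."""
    acls: dict = field(default_factory=dict)
    adjacencies: dict = field(default_factory=dict)


def acl_name(vlan):
    """PBF_MAP_ACL_(VLAN_ID): the host's VLAN number appended to the PBF_MAP_ACL_ string."""
    return f"PBF_MAP_ACL_{vlan}"


def _insert_before_permit_any(aces, ace):
    """Redirect ACEs go before the default permit ip any any (or at the end if it is absent)."""
    if PERMIT_ANY in aces:
        aces.insert(aces.index(PERMIT_ANY), ace)
    else:
        aces.append(ace)


def set_pbf_map(state, ip1, mac1, vlan1, ip2, mac2, vlan2):
    """Apply one set pbf-map to state; return the equivalent pre-7.5(1) command list."""
    cmds = []
    # Step 1: one adjacency entry per redirect-to-adjacency ACE. The guide's example shows
    # PBF_MAP_ADJ_0/_1 for the first map; continuing the count for later maps is an assumption.
    base = len(state.adjacencies)
    adj = {}
    for i, (mac, vlan) in enumerate(((mac1, vlan1), (mac2, vlan2))):
        adj[i] = f"PBF_MAP_ADJ_{base + i}"
        state.adjacencies[adj[i]] = (vlan, mac)
        cmds.append(f"set security acl adjacency {adj[i]} {vlan} {mac}")
    cmds.append("commit security acl adjacency")
    # Step 2: host 1's VLAN ACL redirects ip1->ip2 traffic to host 2's adjacency, and vice versa.
    pairs = [(vlan1, adj[1], ip1, ip2), (vlan2, adj[0], ip2, ip1)]
    for vlan, adj_name, src, dst in pairs:
        ace = f"redirect {adj_name} ip host {src} host {dst}"
        _insert_before_permit_any(state.acls.setdefault(acl_name(vlan), []), ace)
        cmds.append(f"set security acl ip {acl_name(vlan)} {ace}")
    # permit ip any any is appended only when the ACL does not already contain it.
    for vlan, *_ in pairs:
        if PERMIT_ANY not in state.acls[acl_name(vlan)]:
            state.acls[acl_name(vlan)].append(PERMIT_ANY)
            cmds.append(f"set security acl ip {acl_name(vlan)} {PERMIT_ANY}")
    cmds += [f"commit security acl ip {acl_name(v)}" for v, *_ in pairs]
    cmds += [f"set security acl map {acl_name(v)} {v}" for v, *_ in pairs]
    return cmds
```

Running set_pbf_map on a fresh PbfState with the guide's example arguments reproduces the eleven commands listed above in the same order; a second map on an already-mapped VLAN adds no second permit ip any any.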
Enter the clear pbf-map command to delete the redirect-to-adjacency ACEs and adjacency information that is contained in the PBF_MAP_ACL_(VLAN_ID) ACL. Enter the clear security acl command to clear all other ACE types that are part of the PBF_MAP_ACL_(VLAN_ID) ACL.