16-29
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 16 Configuring Access Control
Configuring VACLs
• Follow these guidelines for using the redirect option:
  – Note that redirected packets can only go out a port that supports the VLAN that the traffic is in.
  – Note that the redirect option only involves taking packets and sending them out the redirect port; there is no routing involved.
  – Note that if packets are coming in from many VLANs, the redirect port should have those VLANs in forwarding state. You might have to configure the redirect port as a trunk to allow multiple VLANs to go out of the port.
  – Put caches in promiscuous mode so they can receive traffic that is not routed.
  – Use the redirect option to do some basic VLAN-based load balancing by redirecting traffic to multiple ports. Each port transmits only those packets that belong to the VLANs that are forwarding on the port.
VACL Configuration Summary
To create a VACL and map it to a VLAN, perform these steps:
Step 1  Enter the set security acl ip command to create a VACL and add ACEs.
Step 2  Enter the commit command to commit the VACL and its associated ACEs to NVRAM.
Step 3  Enter the set security acl map command to map the VACL to a VLAN.
Note  An IP VACL is used in this description; you can configure IPX and non-IP version 4/non-IPX VACLs using the same basic steps.
Note  VACLs have an implicit deny feature at the end of the list; a packet is denied if it does not match any VACL ACE.
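The three steps above and the implicit-deny note can be checked mechanically against a saved list of typed commands. The following Python script is an added example, not part of the Cisco guide: it flags VACLs that were edited but not committed, never mapped to a VLAN, or mapped with no permit ACE. The argument layout after each command prefix (ACL name, action, VLAN) and the "commit security acl" form are assumptions, and the sample commands are constructed.

```python
import re

# Constructed sample of typed commands. The argument layout after each
# command prefix is an assumption, not taken from the guide.
SAMPLE = """\
set security acl ip WEB permit tcp any host 10.1.1.10 eq 80
set security acl ip WEB deny ip any any
commit security acl WEB
set security acl map WEB 10
set security acl ip LAB deny ip any host 10.2.2.2
commit security acl LAB
set security acl map LAB 20
set security acl ip MGMT permit ip host 10.9.0.5 any
set security acl map MGMT 30
"""

ACE = re.compile(r"^set security acl ip (\S+) (permit|deny|redirect)\b")
COMMIT = re.compile(r"^commit security acl (\S+)")
MAP = re.compile(r"^set security acl map (\S+) (\S+)")


def audit(text):
    """Return sorted (acl_name, finding) pairs for the three-step workflow."""
    actions, pending, mapped = {}, set(), {}
    for line in map(str.strip, text.splitlines()):
        if m := ACE.match(line):        # step 1: create VACL / add an ACE
            actions.setdefault(m.group(1), []).append(m.group(2))
            pending.add(m.group(1))     # edited since its last commit
        elif m := COMMIT.match(line):   # step 2: commit one VACL or all
            if m.group(1) == "all":
                pending.clear()
            else:
                pending.discard(m.group(1))
        elif m := MAP.match(line):      # step 3: map the VACL to a VLAN
            mapped.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for name, acts in actions.items():
        if name in pending:
            findings.append((name, "ACEs not committed (step 2 missing)"))
        if name not in mapped:
            findings.append((name, "not mapped to a VLAN (step 3 missing)"))
        elif not {"permit", "redirect"} & set(acts):
            # Only deny ACEs plus the implicit deny: nothing can pass.
            vlans = ",".join(mapped[name])
            findings.append((name, f"no permit ACE, all traffic denied on VLAN {vlans}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```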
Configuring VACLs From the CLI
This section describes how to create and activate VACLs on the Catalyst 6000 family switches. These
tasks are listed in the order that they should be performed.
This section describes the following tasks:
• Creating an IP VACL and Adding ACEs, page 16-30
• Creating an IPX VACL and Adding ACEs, page 16-32
• Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs, page 16-34
• Committing ACLs, page 16-35
• Mapping a VACL to a VLAN, page 16-35
• Showing the Contents of a VACL, page 16-36
• Showing VACL-to-VLAN Mapping, page 16-36