16-34
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 16 Configuring Access Control
Configuring VACLs
Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs
Caution
IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types
(AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access
control this traffic.
To create a new non-IP version 4/non-IPX VACL and add ACEs, or to add ACEs to an existing non-IP
version 4/non-IPX VACL, perform this task in privileged mode:
This example shows how to create an ACE for MACACL1 to block all traffic from 8-2-3-4-7-A:
Console> (enable) set security acl mac MACACL1 deny host 8-2-3-4-7-A any
MACACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
This example shows how to create an ACE for MACACL1 to block all traffic to A-B-C-D-1-2:
Console> (enable) set security acl mac MACACL1 deny any host A-B-C-D-1-2
MACACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
This example shows how to create an ACE for MACACL1 to allow traffic from all sources:
Console> (enable) set security acl mac MACACL1 permit any any
MACACL1 editbuffer modified. Use ‘commit’ command to apply changes.
Console> (enable)
This example shows how to display the contents of the edit buffer:
Console> (enable) show security acl info MACACL1 editbuffer
set security acl mac MACACL1
-----------------------------------------------------------------
1. deny 8-2-3-4-7-A any
2. deny any A-B-C-D-1-2
3. permit any any
Console> (enable)
Note
For more information about the show security acl info command, see the “Showing the Contents of a VACL” section on page 16-36.
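The following Python check is an added example, not part of the Cisco guide. It parses the edit-buffer listing shown above and reports which ACE decides a given frame and whether any ACE can never match, which is worth checking before the commit. It assumes ACEs are evaluated top-down with the first match winning and an implicit deny at the end, and it handles only host/any address specs (no masks or ether-type); all function names are this example's own.

```python
import re

# Constructed sample: the edit-buffer listing shown on this page.
EDITBUFFER = """\
set security acl mac MACACL1
-----------------------------------------------------------------
1. deny 8-2-3-4-7-A any
2. deny any A-B-C-D-1-2
3. permit any any
"""

ACE_RE = re.compile(r"^(\d+)\.\s+(permit|deny)\s+(?:host\s+)?(\S+)\s+(?:host\s+)?(\S+)")

def norm(spec):
    """Normalize 'any' or a dashed MAC (8-2-3-4-7-A -> 08-02-03-04-07-0a)."""
    if spec.lower() == "any":
        return "any"
    octets = spec.split("-")
    if len(octets) != 6:
        raise ValueError(f"unsupported address spec: {spec!r}")
    return "-".join(f"{int(o, 16):02x}" for o in octets)

def parse_editbuffer(text):
    """Return [(index, action, src, dst)] in edit-buffer order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((int(m[1]), m[2], norm(m[3]), norm(m[4])))
    return aces

def covers(spec, addr):
    """True if an ACE address spec matches the given address (or narrower spec)."""
    return spec == "any" or spec == addr

def decide(aces, src, dst):
    """First matching ACE wins; assumed implicit deny when nothing matches."""
    src, dst = norm(src), norm(dst)
    for idx, action, s, d in aces:
        if covers(s, src) and covers(d, dst):
            return action, idx
    return "deny", None

def shadowed(aces):
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    return [idx for i, (idx, _, s, d) in enumerate(aces)
            if any(covers(ps, s) and covers(pd, d) for _, _, ps, pd in aces[:i])]
```

If shadowed() returns a non-empty list, an ACE was added after a broader one; the before and modify options of set security acl mac let you reposition it in the edit buffer.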
This example shows how to commit the ACEs to NVRAM:
Console> (enable) commit security acl all
ACL commit in progress.
ACL MACACL1 is committed to hardware.
Console> (enable)
Task: Create a new non-IP version 4/non-IPX VACL and add ACEs, or add ACEs to an existing non-IP version 4/non-IPX VACL.
Command: set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]