Chapter 15
Configuring Access Control
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04, page 15-29

Using VACLs in Your Network

Denying Access to a Server on Another VLAN

To deny access to a server on another VLAN, perform this task in privileged mode. The example denies three sources access to the server at 10.1.1.100 and permits all other IP traffic. The ACEs are evaluated in the order entered and the first match decides, so the permit in Step 4 must follow the three deny entries; because a VACL drops traffic that matches no entry, Step 4 is what lets the remaining IP traffic through. The VACL has no effect until it is committed (Step 5) and mapped to the VLAN (Step 6).

Step 1  Task:    Deny traffic from hosts in subnet 10.1.2.0/24 (wildcard mask 0.0.0.255) to the server.
        Command: set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Step 2  Task:    Deny traffic from host 10.1.1.4 to the server.
        Command: set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100
Step 3  Task:    Deny traffic from host 10.1.1.8 to the server.
        Command: set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100
Step 4  Task:    Permit the other IP traffic.
        Command: set security acl ip SERVER permit ip any any
Step 5  Task:    Commit the VACL.
        Command: commit security acl SERVER
Step 6  Task:    Map the VACL to VLAN 10.
        Command: set security acl map SERVER 10

Figure 15-7 [figure not reproduced in this extraction; the labels that survived describe a receive-queue drop-threshold diagram, default values shown: drop threshold 1 at 50% (queue space available to traffic with any CoS value; 50% available to CoS 0 and 1), drop threshold 2 at 60% (reserved for CoS 2 and higher; 60% available to CoS 2 and 3), drop threshold 3 at 80% (reserved for CoS 4 and higher; 80% available to CoS 4 and 5), drop threshold 4 at 100% (reserved for CoS 6 and 7; 100% available to CoS 6 and 7); traffic arriving above its threshold is dropped]

Restricting ARP Traffic

Note: This feature is available only with Supervisor Engine 2 with PFC2, Supervisor Engine 720 with PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.
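The VACL from "Denying Access to a Server on Another VLAN" above, evaluated in Python, as an added example that is not part of the guide. The four ACE strings are the guide's own commands; the evaluator (wildcard-mask matching, first match wins, unmatched traffic dropped), the parser (which handles only the permit/deny ip SRC DST form used here, not protocol or port forms) and the sample flows are constructed for this example and are not Cisco software. It shows that the wildcard mask 0.0.0.255 covers only 10.1.2.0/24, that the deny entries are scoped to the server address and leave other destinations alone, that the permit must come last, and what happens to unmatched traffic if Step 4 is omitted.

```python
"""Evaluator for the SERVER VACL (constructed example, not Cisco code).

Models what the switch does with a committed VACL: ACEs are tried in the
order entered, the first match decides, and a packet that matches no ACE
is dropped (the implicit deny that makes Step 4 necessary).
"""
import ipaddress
from typing import List, Optional, Tuple

# The four ACEs from the procedure, verbatim. The commit and map lines
# are not ACEs and are not modelled here.
SERVER_VACL = [
    "set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100",
    "set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100",
    "set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100",
    "set security acl ip SERVER permit ip any any",
]

# (base address, wildcard mask) as 32-bit ints; a wildcard bit of 1 means
# "don't care", so 'host A' is (A, 0) and 'any' is (0, 0xFFFFFFFF).
AddrSpec = Tuple[int, int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Tuple[str, str, AddrSpec, AddrSpec]:
    """'set security acl ip NAME {permit|deny} ip SRC DST' -> (name, action, src, dst)."""
    t = line.split()
    if t[:4] != ["set", "security", "acl", "ip"] or t[5] not in ("permit", "deny") or t[6] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 7)
    dst, i = _parse_addr(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line}")
    return t[4], t[5], src, dst


def _matches(spec: AddrSpec, addr: int) -> bool:
    base, wild = spec
    return (addr ^ base) & (~wild & 0xFFFFFFFF) == 0


def prefix_length(wildcard: str) -> int:
    """Prefix length implied by a contiguous wildcard mask: 0.0.0.255 -> 24."""
    w = _ip(wildcard)
    if (w + 1) & w:  # ones not contiguous from the low end: no single prefix
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - bin(w).count("1")


def evaluate(vacl: List[str], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, ACE number) for an IP packet src -> dst,
    or ('deny', None) when no ACE matched (implicit deny)."""
    s, d = _ip(src), _ip(dst)
    for n, line in enumerate(vacl, 1):
        _, action, sspec, dspec = parse_ace(line)
        if _matches(sspec, s) and _matches(dspec, d):
            return action, n
    return "deny", None


if __name__ == "__main__":
    # Constructed sample flows exercising each ACE and the edge cases.
    flows = [("10.1.2.7", "10.1.1.100"), ("10.1.1.4", "10.1.1.100"),
             ("10.1.3.5", "10.1.1.100"), ("10.1.2.7", "10.1.1.200")]
    for src, dst in flows:
        print(f"{src:>10} -> {dst:<10} {evaluate(SERVER_VACL, src, dst)}")
    print("wildcard 0.0.0.255 is a /%d" % prefix_length("0.0.0.255"))
    print("permit entered first:", evaluate([SERVER_VACL[3]] + SERVER_VACL[:3], "10.1.1.4", "10.1.1.100"))
    print("without Step 4:", evaluate(SERVER_VACL[:3], "10.1.5.5", "10.1.1.100"))
```

Run stand-alone, the script shows 10.1.3.5 reaching the server (the mask is a /24, not a /8), 10.1.2.7 reaching a different host at 10.1.1.200, a permit entered before the denies short-circuiting them, and a VACL without Step 4 dropping traffic from an unlisted host.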