Understanding How Pbf Works; Pbf Hardware And Software Requirements - Cisco WS-C6506 Software Manual

Chapter 15 Configuring Access Control

Understanding How PBF Works

The PBF configuration involves these tasks:
•
•
•
You enable PBF by specifying a MAC address for the PFC2 or PFC3A/PFC3B/PFC3BXL. The MAC
address can be a default or user-specified MAC address. When the packets are sent, the destination MAC
address has to be identical to the PFC2 or PFC3A/PFC3B/PFC3BXL MAC address. The PFC2 or
PFC3A/PFC3B/PFC3BXL must think that the packet is a Layer 3 packet or no rewrite operation occurs.
If the packets are not sent with the PFC2 or PFC3A/PFC3B/PFC3BXL MAC address, the PFC2 or
PFC3A/PFC3B/PFC3BXL treats the packets as the Layer 2 packets.
The PBF VACL is created by using the set security acl commands. The PBF VACL contains an
adjacency table entry for the PFC2 or PFC3A/PFC3B/PFC3BXL and a redirect ACE. You must set the
VACLs on both VLANs that participate in PBF. When the packet from the source VLAN comes into the
PFC2 or PFC3A/PFC3B/PFC3BXL, it hits the PBF VACL. Based on the information that is provided in
the adjacency table, the packet header (the destination VLAN and source and destination MAC
addresses) is rewritten and the packet is forwarded to the destination VLAN. The packets are forwarded
between VLANs only if they hit the VACL entries that are associated with the adjacency information.
Because the VACLs are applied to the incoming and outgoing traffic, you must configure all VACLs
Note
carefully when using PBF. If the VACLs are not specific, a rewritten packet could hit a deny statement in
the outgoing VACL and get dropped.
When a router is not present in the network, you need to specify the static ARP entries on the
participating hosts.

PBF Hardware and Software Requirements

The PBF hardware and software requirements are as follows:
•
•
•
•
•
OL-8978-04
Enabling PBF and specifying a MAC address for the PFC2 or PFC3A/PFC3B/PFC3BXL
Configuring the VACLs for PBF
Configuring the attached hosts for PBF
PBF requires Supervisor Engine 2 with PFC2, Supervisor Engine 720 with
PFC3A/PFC3B/PFC3BXL, or Supervisor Engine 32 with PFC3B/PFC3BXL.
PBF is not supported with an operating (booted) MSFC2, MSFC2A, or MSFC3 in the Catalyst 6500
series switch that is being used for PBF.
If you try to configure PBF with an MSFC2, MSFC2A, or MSFC3 present and booted, the system
responds with a message indicating that the feature is not supported with an MSFC2, MSFC2A, or
MSFC3.
If an MSFC2, MSFC2A, or MSFC3 is present but has not booted, you can configure PBF.
For Supervisor Engine 2, PBF requires supervisor engine software release 6.3(1) or later releases.
For Supervisor Engine 720, PBF requires supervisor engine software release 8.1(1) or later releases.
For Supervisor Engine 32, PBF requires supervisor engine software release 8.4(1) or later releases.
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring Policy-Based Forwarding
15-91