Cisco WS-C6506 Software Manual page 499

Catalyst 6500 series switch

Chapter 15
Configuring Access Control
PBF Configuration Enhancement Overview
Note: The set command has changed in software release 8.3(1). For more information, see the
"Enhancements to the PBF Configuration (Software Releases 8.3(1) and Later)" section on page 15-105.
The new set pbf-map command creates the security ACLs and adjacency information that is based on
your input and then automatically commits the ACLs. The set pbf-map command involves two steps, as
follows:
Step 1  Insert an entry in the adjacency table for each redirect-to-adjacency ACE that is added to the ACL.
Step 2  Create or modify an ACL. This step creates an ACE in each ACL for the redirect-to-adjacency entry, and
        if necessary, adds a permit ip any any ACE to the end of the ACL (this ACE is added only if the permit
        ip any any ACE is not already in the ACL).
The set pbf-map command syntax is set pbf-map ip_addr_1 mac_1 vlan_1 ip_addr_2 mac_2 vlan_2.
An example of the simplified syntax is set pbf-map 1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 12.
The new set pbf-map command is equivalent to all of the following pre-release 7.5(1) commands:
set security acl adjacency PBF_MAP_ADJ_0 11 0-0-0-0-0-1
set security acl adjacency PBF_MAP_ADJ_1 12 0-0-0-0-0-2
commit security acl adjacency
set security acl ip PBF_MAP_ACL_11 redirect PBF_MAP_ADJ_1 ip host 1.1.1.1 host 2.2.2.2
set security acl ip PBF_MAP_ACL_12 redirect PBF_MAP_ADJ_0 ip host 2.2.2.2 host 1.1.1.1
If the permit ip any any ACE is missing, these two permit ip any any entries are added:
set security acl ip PBF_MAP_ACL_11 permit ip any any
set security acl ip PBF_MAP_ACL_12 permit ip any any
commit security acl ip PBF_MAP_ACL_11
commit security acl ip PBF_MAP_ACL_12
set security acl map PBF_MAP_ACL_11 11
set security acl map PBF_MAP_ACL_12 12
Each entry in the ACL that is added by the set pbf-map command is inserted before the default permit
ip any any ACE.
If you want to add the entries other than the redirect ACEs to the adjacency table, enter the set security
acl ip PBF_MAP_ACL_(VLAN_ID) command. The PBF_MAP_ACL_(VLAN_ID) ACL name is
based on the following algorithm: The VLAN number of the corresponding host is added to the
PBF_MAP_ACL_ string.
Enter the clear pbf-map command to delete the redirect-to-adjacency ACEs and adjacency information
that is contained in the PBF_MAP_ACL_(VLAN_ID) ACL. Enter the clear security acl command to
clear all other ACE types that are part of the PBF_MAP_ACL_(VLAN_ID) ACL.
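The expansion described above, written out as a Python function that turns one set pbf-map invocation into the equivalent command list, which is useful when reviewing what the single command will auto-commit (including the trailing permit ip any any). This is an added example, not code from the Cisco guide; the sequential PBF_MAP_ADJ_<n> numbering, the existing_aces input, and the VLAN range and different-VLAN checks are assumptions made for illustration.

```python
import ipaddress
import re

# MAC notation as written on the page, e.g. 0-0-0-0-0-1 (six hex groups)
MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(-[0-9a-fA-F]{1,2}){5}$")
PERMIT_ANY = "permit ip any any"


def expand_pbf_map(ip1, mac1, vlan1, ip2, mac2, vlan2,
                   existing_aces=None, adj_index=0):
    """Return the legacy commands equivalent to one set pbf-map invocation.

    existing_aces: {acl_name: [ace, ...]} already configured (hypothetical
    input, used to decide whether "permit ip any any" must be appended).
    adj_index: first free PBF_MAP_ADJ_<n> number (assumed to be sequential).
    """
    existing_aces = existing_aces or {}
    hosts = []
    for ip, mac, vlan in ((ip1, mac1, vlan1), (ip2, mac2, vlan2)):
        ipaddress.IPv4Address(ip)          # raises ValueError if malformed
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac}")
        if not 1 <= int(vlan) <= 4094:     # sanity check (assumed range)
            raise ValueError(f"bad VLAN: {vlan}")
        hosts.append({"ip": ip, "mac": mac, "vlan": int(vlan),
                      "adj": f"PBF_MAP_ADJ_{adj_index + len(hosts)}",
                      # ACL name = PBF_MAP_ACL_ + VLAN number of the host
                      "acl": f"PBF_MAP_ACL_{int(vlan)}"})
    a, b = hosts
    if a["vlan"] == b["vlan"]:             # assumption: hosts sit in different VLANs
        raise ValueError("hosts must be in different VLANs")
    cmds = [f"set security acl adjacency {h['adj']} {h['vlan']} {h['mac']}"
            for h in hosts]
    cmds.append("commit security acl adjacency")
    # Traffic from each host is redirected to the *other* host's adjacency.
    for src, dst in ((a, b), (b, a)):
        cmds.append(f"set security acl ip {src['acl']} redirect {dst['adj']} "
                    f"ip host {src['ip']} host {dst['ip']}")
    # The default permit is appended only where it is not already present.
    for h in hosts:
        if PERMIT_ANY not in existing_aces.get(h["acl"], []):
            cmds.append(f"set security acl ip {h['acl']} {PERMIT_ANY}")
    cmds += [f"commit security acl ip {h['acl']}" for h in hosts]
    cmds += [f"set security acl map {h['acl']} {h['vlan']}" for h in hosts]
    return cmds
```

Called with the page's example arguments (1.1.1.1 0-0-0-0-0-1 11 2.2.2.2 0-0-0-0-0-2 12), the function returns the same command sequence listed above.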
OL-8978-04
Displaying the PBF_MAP_ACL Information, page 15-104
Clearing the PBF_MAP_ACL Configuration, page 15-105
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring Policy-Based Forwarding


This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513
