2-512
Catalyst 6500 Series Switch Command Reference—Release 7.6
78-15328-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
set security acl ip
Defaults There are no default ACLs and no default ACL-VLAN mappings. By default, ARP is enabled.
Command Types Switch command.
Command Modes Privileged.
Usage Guidelines Configurations you make by entering this command are saved to NVRAM and hardware only after you
enter the commit command. Enter ACEs in batches, and then enter the commit command to save them
in NVRAM and in the hardware.
The arp keyword is supported on switches configured with the Supervisor Engine 2 with Layer 3
Switching Engine II (PFC2). The arp keyword is supported on a per-ACL basis only; either ARP is
allowed or ARP is denied.
If you use the fragment keyword in an ACE, this ACE applies to nonfragmented traffic and to the
fragment with offset equal to zero in a fragmented flow.
A fragmented ACE that permits Layer 4 traffic from host A to host B also permits fragmented traffic from
host A to host B regardless of the Layer 4 port.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by
entering the set security acl capture-ports command.
When you enter the ACL name, follow these naming conventions:
Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore
character (_), and the period character (.)
Must start with an alpha character and must be unique across all ACLs of all types
Case sensitive
Cannot be a number
Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
When you specify the source IP address and the source mask, use the form
source_ip_address source_mask and follow these guidelines:
The source_mask is required; 0 indicates a care bit, 1 indicates a don’t-care bit.
Use a 32-bit quantity in four-part dotted-decimal format.
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
When you enter a destination IP address and the destination mask, use the form destination_ip_address
destination_mask. The destination mask is required.
Use a 32-bit quantity in a four-part dotted-decimal format.
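The address and fragment rules above can be checked with a small matcher. This is an added illustration, not the switch's own code: it models a wildcard mask as 0 = care bit and 1 = don't-care bit, expands the any and host abbreviations exactly as the guidelines define them, and applies an ACE that names a Layer 4 port to non-initial fragments regardless of that port. The Ace class and its field names are assumptions made for the example; the fragment keyword itself is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Mask bit 0 = care (must match), mask bit 1 = don't-care."""
    return (to_int(addr) ^ to_int(base)) & ~to_int(wildcard) & 0xFFFFFFFF == 0


def parse_addr_spec(spec: str) -> Tuple[str, str]:
    """Expand the any and host abbreviations into an explicit (address, wildcard) pair."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]  # mask is required, so a bare address is rejected
    raise ValueError("address spec needs a mask: %r" % spec)


@dataclass
class Ace:
    """Simplified ACE (assumed shape for this example, not the switch's data structure)."""
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D wildcard"
    dst: str
    dport: Optional[int] = None  # Layer 4 destination port; None means any port

    def matches(self, src_ip: str, dst_ip: str,
                dport: Optional[int], frag_offset: int) -> bool:
        sb, sw = parse_addr_spec(self.src)
        db, dw = parse_addr_spec(self.dst)
        if not (wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw)):
            return False
        # Non-initial fragments (offset != 0) carry no Layer 4 header, so an ACE whose
        # addresses match applies to them regardless of the port it names.
        if frag_offset != 0 or self.dport is None:
            return True
        return dport == self.dport
```

Calling matches() with the same addresses but a different port and a non-zero fragment offset shows the port being ignored, which is why port-based permits should be reviewed with fragmented traffic in mind.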
any Matches any IP address or MAC address.
ip_mask Specifies the IP mask.
dot1x-dhcp Specifies dot1x authentication for the DHCP Relay Agent.