2-626
Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
set security acl ip
Defaults There are no default ACLs and no default ACL-VLAN mappings. By default, ARP is enabled. By
default, DHCP snooping is disabled on all VLANs.
Command Types Switch command.
Command Modes Privileged.
Usage Guidelines Configurations you make by entering this command are saved to NVRAM and the switch hardware only
after you enter the commit command. Enter ACEs in batches, and then enter the commit command to
save them in NVRAM and in the hardware.
The arp keyword is supported on switches configured with the Supervisor Engine 2 with Layer 3
Switching Engine II (PFC2). The arp keyword is supported on a per-ACL basis only; either ARP is
allowed or ARP is denied.
If you use the fragment keyword in an ACE, this ACE applies to nonfragmented traffic and to the
fragment with offset equal to zero in a fragmented flow.
A fragmented ACE that permits Layer 4 traffic from host A to host B also permits fragmented traffic from
host A to host B regardless of the Layer 4 port.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by
entering the set security acl capture-ports command.
802.1X and DHCP Snooping cannot coexist on a VLAN. If both features are configured on a VLAN, the
feature that resides higher up in the ACL will override the other.
The position of the DHCP-Snooping Access Control Entry (ACE) in the VACL is important, as it can be
used to restrict specific types of DHCP packets. The position of the DHCP Snooping ACE is determined
by the policy for DHCP Snooping packets. For example, if you want to deny DHCP Snooping packets
from a certain host and perform DHCP Snooping on other packets, then the deny ACE should come
before the DHCP Snooping ACE.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore
character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
When you specify the source IP address and the source mask, use the form
source_ip_address source_mask and follow these guidelines:
• The source_mask is required; 0 indicates a care bit, 1 indicates a don’t-care bit.
• Use a 32-bit quantity in four-part dotted-decimal format.
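The following is an added offline checker, not part of the Cisco command reference and not switch code, covering three rules from the usage guidelines above: the ACL naming conventions, the wildcard source_mask semantics (0 = care bit, 1 = don't-care bit), and the fact that ACE position decides the outcome, which is the same point the DHCP Snooping paragraph makes about placing a deny ACE before the snooping ACE. The ACE model here is a simplified (action, source_ip, source_mask) tuple rather than the full command syntax, first match wins, and the fall-through result when nothing matches is modelled as deny; that fall-through is an assumption of this model, not something the page states. All addresses and ACL names in it are constructed samples.

```python
"""Added example: VACL name validation, wildcard-mask matching and
first-match ACE evaluation for the Catalyst 6500 `set security acl ip`
usage rules. Not Cisco code; the ACE model is a simplification."""
import ipaddress
import re

# Keywords the command reference says an ACL name must not be.
RESERVED_ACL_NAMES = {"all", "default-action", "map", "help", "editbuffer"}

# Starts with a letter; remaining characters limited to a-z A-Z 0-9 - _ .
# Requiring a leading letter also rules out purely numeric names.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


def validate_acl_name(name, existing=frozenset()):
    """Return a list of naming-rule violations; an empty list means valid.

    `existing` is the set of names already used by ACLs of any type; the
    comparison is case sensitive, as the reference requires.
    """
    problems = []
    if len(name) > 32:
        problems.append("longer than 32 characters")
    if not _NAME_RE.match(name):
        problems.append("must start with a letter and use only a-z A-Z 0-9 - _ .")
    if name in RESERVED_ACL_NAMES:
        problems.append(f"'{name}' is a reserved keyword")
    if name in existing:
        problems.append("name already in use")
    return problems


def wildcard_match(addr, source_ip, source_mask):
    """True if `addr` matches `source_ip` under a CatOS wildcard mask.

    Mask bit 0 = care (must equal source_ip), mask bit 1 = don't care.
    """
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source_ip))
    m = int(ipaddress.IPv4Address(source_mask))
    care = m ^ 0xFFFFFFFF          # invert: the bits we must compare
    return (a & care) == (s & care)


def prefix_to_wildcard(prefix_len):
    """Convert a /n prefix length into the inverted mask this command expects.

    /24 -> 0.0.0.255, /32 (single host) -> 0.0.0.0, /0 -> 255.255.255.255.
    """
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def evaluate(aces, addr):
    """First-match evaluation over an ordered list of (action, src, mask).

    Assumption of this model: an address that matches no ACE is denied.
    """
    for action, src, mask in aces:
        if wildcard_match(addr, src, mask):
            return action
    return "deny"


def ordering_demo():
    """Constructed sample: a host deny placed before a subnet permit.

    Returns the result for the denied host with the ACEs in the intended
    order and with the two ACEs swapped, to show that position decides.
    """
    aces = [
        ("deny", "10.1.1.5", "0.0.0.0"),            # one host, every bit cared about
        ("permit", "10.1.1.0", prefix_to_wildcard(24)),  # the rest of 10.1.1.0/24
    ]
    intended = evaluate(aces, "10.1.1.5")              # deny ACE is reached first
    swapped = evaluate(list(reversed(aces)), "10.1.1.5")  # permit shadows the deny
    return intended, swapped


if __name__ == "__main__":
    print(validate_acl_name("map"))                    # reserved keyword
    print(validate_acl_name("IPACL-1", {"ipacl-1"}))   # valid: names are case sensitive
    print(wildcard_match("10.1.1.77", "10.1.1.0", "0.0.0.255"))
    print(ordering_demo())
```

The ordering demo is the general form of the DHCP Snooping guidance: whichever ACE a packet hits first wins, so a deny for a specific host only takes effect if it sits above the broader permit (or above the DHCP Snooping ACE) in the same VACL, and the batch still has to be followed by commit before the hardware sees it.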
any Matches any IP address or MAC address.
ip_mask Specifies the IP mask.