Configuring Named MAC Extended ACLs - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Configuring Named MAC Extended ACLs

You can filter non-IPv4, non-IPv6 traffic on a VLAN and on a physical Layer 2 port by using MAC
addresses and named MAC extended ACLs. The procedure is similar to that of configuring other
extended named ACLs. You can use a number to name the access list, but MAC access list numbers from
700 to 799 are not supported.
Note
Named MAC extended ACLs cannot be applied to Layer 3 interfaces.
For more information about the supported non-IP protocols in the mac access-list extended command,
refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference.
To create a named MAC extended ACL, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# [no] mac access-list extended name
Purpose: Defines an extended MAC access list using a name.
To delete the entire ACL, use the no mac access-list extended name global configuration command.
You can also delete individual ACEs from named MAC extended ACLs.

Step 3
Command: Switch(config-ext-macl)# {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [protocol-family {appletalk | arp-non-ipv4 | decnet | ipx | ipv6 (not supported on Sup 6-E and 6L-E) | rarp-ipv4 | rarp-non-ipv4 | vines | xns}]
Purpose: In extended MAC access-list configuration mode, specify to permit or deny any source MAC
address, a source MAC address with a mask, or a specific host source MAC address and any
destination MAC address, destination MAC address with a mask, or a specific destination MAC address.
Note
IPv6 packets do not generate Layer 2 ACL lookup keys.

Step 4
Command: Switch(config-ext-macl)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command: Switch# show access-lists [number | name]
Purpose: Shows the access list configuration.

Step 6
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic:

Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv (old) protocol-family decnet (new)
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch# show access-lists
Extended MAC access list mac1
    deny any any decnet-iv (old) protocol-family decnet (new)
    permit any any

The following example shows how to enable or disable hardware statistics while configuring ACEs in
the access list:

Switch# config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# mac access-list extended mac1
Switch(config-ext-nacl)# hardware statistics
Switch(config-ext-nacl)# end

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 51, Configuring Network Security with ACLs, page 51-14
OL-25340-01
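A pre-deployment check for configuration templates, added here as an example and not part of the Cisco manual: it validates each ACE of a named MAC extended ACL against the Step 3 syntax and flags the two restrictions stated above (names 700 to 799, and protocol-family ipv6 on Sup 6-E and 6L-E). The function names, the dotted-hex address format, the indentation of ACEs under their ACL header and the sample configuration are assumptions.

```python
import re
# Protocol families listed in Step 3 of the procedure above.
FAMILIES = set("appletalk arp-non-ipv4 decnet ipx ipv6 rarp-ipv4 rarp-non-ipv4 vines xns".split())
# Assumption: addresses and masks are written in dotted-hex form (hhhh.hhhh.hhhh).
ADDR = r"(?:any|host MAC|MAC MAC)".replace("MAC", r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}")
ACE = re.compile(r"(permit|deny) %s %s(?: protocol-family (\S+))?" % (ADDR, ADDR), re.I)

def check_ace(line):
    """Return the problems found in one ACE (an empty list means it fits Step 3)."""
    m = ACE.fullmatch(" ".join(line.split()))
    if not m:
        return ["does not match the Step 3 syntax"]
    family = (m.group(2) or "").lower()
    if family and family not in FAMILIES:
        return ["unknown protocol family: " + family]
    if family == "ipv6":
        return ["protocol-family ipv6 is not supported on Sup 6-E and 6L-E"]
    return []

def lint_config(text):
    """Map each named MAC extended ACL in the config text to its (line, problem) findings."""
    findings, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"mac access-list extended (\S+)", line)
        if header:
            name = header.group(1)
            bad = name.isdigit() and 700 <= int(name) <= 799
            findings[name] = [(line, "numbers 700 to 799 are not supported")] if bad else []
        elif name and line and raw[:1].isspace():  # assumption: ACEs are indented under the header
            if line != "hardware statistics":  # statistics toggle, not an ACE
                findings[name] += [(line, p) for p in check_ace(line)]
        elif not raw[:1].isspace():
            name = None  # an unindented line ends the ACL block
    return findings

# Constructed sample configuration (not taken from the manual).
SAMPLE = """\
mac access-list extended mac1
 deny any any protocol-family decnet
mac access-list extended 750
 permit host 0000.0c00.0111 any
mac access-list extended lab
 hardware statistics
 deny 0000.0c00.0000 0000.00ff.ffff any protocol-family ipv6
 permit any host 0000.0c00.0111 protocol-family ip
"""
if __name__ == "__main__":
    print(lint_config(SAMPLE))
```

The check covers only the syntax shown in Step 3; other non-IP protocol keywords documented in the Command Reference would be reported as syntax mismatches.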
