Creating Named MAC Extended ACLs - Cisco Catalyst 2950 Software Configuration Manual

Chapter 28
Configuring Network Security with ACLs
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13
For an entry in a named IP ACL, use the remark access-list configuration command; it is entered in the access-list configuration mode of the named ACL, not in global configuration mode. To remove the remark, use the no form of this command.
In this example, the Jones workstation is not allowed to use outbound Telnet. The remark is a comment only; what the entry matches is determined solely by the ACE, which here matches the single host 171.69.2.88 rather than a whole subnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet

Creating Named MAC Extended ACLs

You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC
extended ACLs. The procedure is similar to that of configuring other extended named access lists.
A named MAC extended ACL has no effect until it is applied to an interface with the mac access-group
interface configuration command.
Note
For more information about the supported non-IP protocols in the mac access-list extended command,
see the command reference for this release.
Note
Matching on any SNAP-encapsulated packet with a nonzero Organizational Unique Identifier (OUI) is
not supported.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: mac access-list extended name
Purpose: Define an extended MAC access list by using a name.

Step 3
Command: {deny | permit} {any | host source MAC address} {any | host destination MAC address}
[aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 |
lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
Purpose: In extended MAC access-list configuration mode, specify whether to permit or deny frames
from any source MAC address or a specific host source MAC address to any destination MAC address
or a specific host destination MAC address.
(Optional) You can also enter one of these non-IP protocol keywords so that the entry matches only
that protocol: aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 |
etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo |
vines-ip | xns-idp. Without a protocol keyword, the entry matches on the MAC addresses alone.

Step 4
Command: end
Purpose: Return to privileged EXEC mode.

Step 5
Command: show access-lists [number | name]
Purpose: Show the access list configuration.

Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Use the no mac access-list extended name global configuration command to delete the entire ACL. You
can also delete an individual ACE from a named MAC extended ACL by entering the no form of that ACE
in extended MAC access-list configuration mode.
This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-12
Configuring ACLs
28-17
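The manual's mac1 listing is not reproduced on this page. What follows is an added example, not the manual's own listing, that walks the procedure above end to end on the Catalyst 2950 CLI: it builds mac1 as the text describes (deny DECnet Phase IV, permit everything else), builds a second, tighter ACL that relies on the implicit deny, applies one ACL to a port with mac access-group, verifies with show access-lists, and shows the no forms for removing a single ACE and a whole ACL. The interface FastEthernet0/1, the ACL name mac2 and the MAC address 0000.0c12.3456 are assumptions chosen for illustration, not values from the page.

```cisco
! Added example; not the manual's own mac1 listing.
! Assumed for illustration: interface FastEthernet0/1, ACL name mac2, MAC 0000.0c12.3456.

! Steps 1-3: build mac1 as the text describes: deny only DECnet Phase IV, permit all else.
Switch# configure terminal
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
! The trailing "permit any any" is what makes this a deny-one-protocol list: a MAC ACL
! ends with an implicit deny, so without it every other frame would be dropped too.
Switch(config-ext-macl)# exit

! A tighter variant (assumed name mac2): allow AppleTalk and AARP only from one known
! source MAC, and let the implicit deny at the end drop everything else.
Switch(config)# mac access-list extended mac2
Switch(config-ext-macl)# permit host 0000.0c12.3456 any appletalk
Switch(config-ext-macl)# permit host 0000.0c12.3456 any aarp
Switch(config-ext-macl)# exit

! Apply mac1 to an access port (assumed interface). The ACL does nothing until it is
! bound here; on the Catalyst 2950 a MAC ACL is applied in the inbound direction.
Switch(config)# interface fastethernet0/1
Switch(config-if)# mac access-group mac1 in
Switch(config-if)# end

! Step 5: verify. Entries are listed in the order they are evaluated; first match wins.
Switch# show access-lists mac1
Switch# show access-lists mac2

! Step 6: persist the change.
Switch# copy running-config startup-config

! Removing a single ACE: enter the no form of that ACE in extended MAC access-list
! configuration mode; the rest of the list is unchanged.
Switch# configure terminal
Switch(config)# mac access-list extended mac2
Switch(config-ext-macl)# no permit host 0000.0c12.3456 any aarp
Switch(config-ext-macl)# exit

! Removing an entire ACL: unbind it from the port first so the interface is never left
! referencing a list that no longer exists, then delete it in global configuration mode.
Switch(config)# interface fastethernet0/1
Switch(config-if)# no mac access-group mac1 in
Switch(config-if)# exit
Switch(config)# no mac access-list extended mac1
Switch(config)# end
```

Before binding an ACL like mac2, check the show access-lists output for an explicit permit covering every non-IP protocol the port's host legitimately sends; anything not permitted is silently dropped by the implicit deny, and the 2950 gives no per-ACE hit counters for MAC ACLs to make that obvious after the fact.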
