Examples For Ethertype Acls; Edit Acls In An Isolated Configuration Session - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Edit ACLs in an Isolated Configuration Session
The options are:
•
•
•
Examples for EtherType ACLs
The following examples shows how to configure EtherType ACLs, including how to apply them to an
interface.
The following sample ACL allows common traffic originating on the inside interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following ACL allows some EtherTypes through the ASA, but it denies IPX:
hostname(config)# access-list ETHER ethertype deny ipx
hostname(config)# access-list ETHER ethertype permit 1234
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following ACL denies traffic with EtherType 0x1256, but it allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
Edit ACLs in an Isolated Configuration Session
When you edit an ACL used for access rules or any other purpose, the change is immediately
implemented and impacts traffic. With access rules, you can enable the transactional commit model to
ensure that new rules become active only after rule compilation is complete, but the compilation happens
after each ACE you edit.
Cisco ASA Series Firewall CLI Configuration Guide
3-18
access_list_name—The name of the new or existing ACL. If the ACL already exists, you are adding
the ACE to the end of the ACL.
Permit or Deny—The deny keyword denies a packet if the conditions are matched. The permit
keyword permits a packet if the conditions are matched.
Traffic Matching Criteria—You can match traffic using the following options:
ipx—Internet Packet Exchange (IPX).
–
bpdu—bridge protocol data units, which are allowed by default.
–
mpls-multicast— MPLS multicast.
–
mpls-unicast—MPLS unicast.
–
isis—Intermediate System to Intermediate System (IS-IS).
–
–
any—Matches all traffic.
–
hex_number—Any EtherType that can be identified by a 16-bit hexadecimal number 0x600 to
0xffff. See RFC 1700, "Assigned Numbers," at http://www.ietf.org/rfc/rfc1700.txt for a list of
EtherTypes.
Chapter 3
Access Control Lists
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
