Table of Contents
Advertisement
Chapter 31
Configuring Network Security with ACLs
Command
Step 3
{deny | permit} {any | host source MAC
address | source MAC address mask} {any |
host destination MAC address | destination
MAC address mask} [type mask | lsap lsap mask
| aarp | amber | dec-spanning | decnet-iv |
diagnostic | dsm | etype-6000 | etype-8042 | lat
| lavc-sca | mop-console | mop-dump | msdos |
mumps | netbios | vines-echo |vines-ip |
xns-idp | 0-65535] [cos cos]
Step 4
end
Step 5
show access-lists [number | name]
Step 6
copy running-config startup-config
Use the no mac access-list extended name global configuration command to delete the entire ACL. You
can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch # show access-lists
Extended MAC access list mac1
Applying a MAC ACL to a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in
that interface. When you apply the MAC ACL, consider these guidelines:
•
•
OL-8915-03
10 deny
any any decnet-iv
20 permit any any
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over a VLAN map applied to the VLAN. Incoming packets received on the Layer
2 port are always filtered by the port ACL.
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
Purpose
In extended MAC access-list configuration mode, specify to
permit or deny any source MAC address, a source MAC address
with a mask, or a specific host source MAC address and any
destination MAC address, destination MAC address with a mask,
or a specific destination MAC address.
(Optional) You can also enter these options:
type mask—An arbitrary EtherType number of a packet with
•
Ethernet II or SNAP encapsulation in decimal, hexadecimal,
or octal with optional mask of don't care bits applied to the
EtherType before testing for a match.
lsap lsap mask—An LSAP number of a packet with
•
IEEE 802.2 encapsulation in decimal, hexadecimal, or octal
with optional mask of don't care bits.
aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm |
•
etype-6000 | etype-8042 | lat | lavc-sca | mop-console |
mop-dump | msdos | mumps | netbios | vines-echo |vines-ip
| xns-idp—A non-IP protocol.
•
cos cos—An IEEE 802.1Q cost of service number from 0 to 7
used to set priority.
Return to privileged EXEC mode.
Show the access list configuration.
(Optional) Save your entries in the configuration file.
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
Creating Named MAC Extended ACLs
31-27
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
