Applying A Mac Acl To A Layer 2 Interface - Cisco 3845 - Security Bundle Router Software Manual

Creating Named MAC Extended ACLs

Applying a MAC ACL to a Layer 2 Interface

After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in
that interface. When you apply the MAC ACL, consider these guidelines:
•
•
•
•
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to
a Layer 2 interface:
Command
Step 1
configure terminal
Step 2
interface interface-id
Step 3
mac access-group {name} {in}
Step 4
end
Step 5
show mac access-group [interface interface-id]
Step 6 copy running-config startup-config
To remove the specified access group, use the no mac access-group {name} interface configuration
command.
This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet0/2
Router(config-if)# mac access-group mac1 in
Note The mac access-group interface configuration command is only valid when applied to a physical
Layer 2 interface.You cannot use the command on EtherChannel port channels.
After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch
continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an
undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets.
Remember this behavior if you use undefined ACLs for network security.
Cisco ME 3800X and 3600X Switch Software Configuration Guide
26-28
You cannot apply named MAC extended ACLs to Layer 3 interfaces or to Layer 2 interfaces
configured with service instances.
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Chapter 26
Purpose
Enter global configuration mode.
Identify a specific interface, and enter interface configuration
mode. The interface must be a physical Layer 2 interface (port
ACL).
Control access to the specified interface by using the MAC access
list. Port ACLs are supported only in the inbound direction.
Although you can enter this command on a Layer 2 port that has a
service instance, the command is rejected with a warning message
when you apply it.
Return to privileged EXEC mode.
Display the MAC access list applied to the interface or all Layer 2
interfaces.
(Optional) Save your entries in the configuration file.
Configuring Network Security with ACLs
OL-23400-01