Adding An Ethertype Access Control List - Cisco Catalyst 6500 Series Configuration Manual

Chapter 10
Controlling Network Access with Access Control Lists


The following example illustrates the commands required to enable access to an inside web server with
the IP address 209.165.201.12 (this IP address is the address visible on the outside interface after NAT):
FWSM/contexta(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
FWSM/contexta(config)# access-group ACL_OUT in interface outside
You also need to configure NAT for the web server. See the "Using Static NAT" section on page 9-26 for more information.
The following ACLs allow all hosts to communicate between the inside and hr networks, but only
specific hosts to access the outside network:
FWSM/contexta(config)# access-list ANY extended permit ip any any
FWSM/contexta(config)# access-list OUT extended permit ip host 209.168.200.3 any
FWSM/contexta(config)# access-list OUT extended permit ip host 209.168.200.4 any
FWSM/contexta(config)# access-group ANY in interface inside
FWSM/contexta(config)# access-group ANY in interface hr
FWSM/contexta(config)# access-group OUT out interface outside
Adding an EtherType Access Control List
Transparent firewall mode only
An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal number. You can identify
some types by a keyword for convenience.
Because EtherTypes are connectionless, you need to apply the ACL to both interfaces if you want traffic
to pass in both directions.
For example, you can permit or deny bridge protocol data units (BPDUs). By default, all BPDUs are
denied. The FWSM receives trunk port (Cisco proprietary) BPDUs because FWSM ports are trunk ports.
Trunk BPDUs have VLAN information inside the payload, so the FWSM modifies the payload with the
outgoing VLAN if you allow BPDUs. If you use failover, you must allow BPDUs on both interfaces with
an EtherType ACL to avoid bridging loops.
If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP)
TCP connections are established through the FWSM by configuring both MPLS routers connected to the
FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and
TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is
the interface connected to the FWSM:
router(config)# mpls ldp router-id interface force
or
router(config)# tag-switching tdp router-id interface force
You can apply only one ACL of each type (extended and EtherType) to each direction of an interface.
You can also apply the same ACLs on multiple interfaces.
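The two constraints just stated (one ACL of each type per direction of an interface, and EtherType ACLs bound on every interface because EtherTypes are connectionless) can be checked mechanically before a change is pushed. The following Python audit is an added example, not part of the guide; it assumes the FWSM `access-list name ethertype permit bpdu` syntax and runs over a constructed two-interface transparent-mode configuration.

```python
import re
from collections import defaultdict

# Constructed sample config for a two-interface transparent-mode context
# (not from the guide). The BPDU ACL is deliberately bound to only one
# interface so that the audit below flags it.
SAMPLE_CONFIG = """\
access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
access-list ETH_BPDU ethertype permit bpdu
access-group ACL_OUT in interface outside
access-group ETH_BPDU in interface inside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|ethertype)\s+(permit|deny)\s+(\S+)")
BIND_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def audit_acls(config, interfaces):
    """Return findings for two FWSM rules: at most one ACL of each type per
    interface direction, and an EtherType ACL that lets BPDUs through must be
    bound on every interface (connectionless; failover needs BPDUs both ways)."""
    acl_type = {}                   # ACL name -> "extended" | "ethertype"
    bpdu_acls = set()               # EtherType ACLs that permit BPDUs (or any)
    bound = defaultdict(list)       # (interface, direction) -> [ACL names]
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, kind, action, target = m.groups()
            acl_type[name] = kind
            if kind == "ethertype" and action == "permit" and target in ("bpdu", "any"):
                bpdu_acls.add(name)
            continue
        m = BIND_RE.match(line.strip())
        if m:
            name, direction, iface = m.groups()
            bound[(iface, direction)].append(name)
    findings = []
    for (iface, direction), names in bound.items():
        for kind in ("extended", "ethertype"):
            same = [n for n in names if acl_type.get(n) == kind]
            if len(same) > 1:
                findings.append(f"{iface}/{direction}: {len(same)} {kind} ACLs bound, only one allowed")
    with_bpdu = {iface for (iface, _), names in bound.items() if bpdu_acls & set(names)}
    for iface in interfaces:
        if bpdu_acls and iface not in with_bpdu:
            findings.append(f"{iface}: no EtherType ACL permits BPDUs; bridging loop risk with failover")
    return findings
```

Run `audit_acls(SAMPLE_CONFIG, ["inside", "outside"])` against the sample and it reports that the outside interface has no BPDU-permitting EtherType ACL.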
To add an EtherType ACL and apply it to an interface, follow these steps:
Step 1 Add one or more ACEs using the same ACL name by entering the following command:
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
10-16
OL-6392-01