Applying A Mac Acl To A Layer 2 Interface - Cisco Catalyst 3750 Software Configuration Manual

Creating Named MAC Extended ACLs
Command
Step 5 show access-lists [number | name]
Step 6
copy running-config startup-config
Use the no mac access-list extended name global configuration command to delete the entire ACL. You
can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch # show access-lists
Extended MAC access list mac1

Applying a MAC ACL to a Layer 2 Interface

After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IPv4 traffic coming
in that interface. When you apply the MAC ACL, consider these guidelines:
•
•
•
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to
a Layer 2 interface:
Command
Step 1
configure terminal
Step 2 interface interface-id
Step 3 mac access-group {name} {in}
Step 4
end
Step 5
show mac access-group [interface interface-id]
Step 6
copy running-config startup-config
Catalyst 3750 Metro Switch Software Configuration Guide
25-26
deny any any decnet-iv
permit any any
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
The IP access list filters only IPv4 packets, and the MAC access list filters non-IPv4 packets.
A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer
2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Chapter 25
Purpose
Show the access list configuration.
(Optional) Save your entries in the configuration file.
Purpose
Enter global configuration mode.
Identify a specific interface, and enter interface configuration
mode. The interface must be a physical Layer 2 interface (port
ACL).
Control access to the specified interface by using the MAC access
list.
Port ACLs are supported only in the inbound direction.
Note
Return to privileged EXEC mode.
Display the MAC access list applied to the interface or all Layer 2
interfaces.
(Optional) Save your entries in the configuration file.
Configuring Network Security with ACLs
78-15870-01