10-8 WS5100 Series Switch Migration Guide
1. To configure a numbered IP Extended ACL:
WS5100(config)#access-list 2 deny ip host 1.2.3.4 any rule-precedence 10
WS5100(config)#access-list 2 permit tcp any host 2.3.4.5 eq 80 rule-precedence 20
WS5100(config)#access-list 2 deny icmp any host 2.3.4.5 rule-precedence 30
2. To configure a named IP Extended ACL:
WS5100(config)#ip access-list extended ipextacl
WS5100(config-ext-nacl)#deny ip host 1.2.3.4 any rule-precedence 10
WS5100(config-ext-nacl)#permit tcp any host 2.3.4.5 eq 80 rule-precedence 20
WS5100(config-ext-nacl)#deny icmp any host 2.3.4.5 rule-precedence 30
10.4.1.3 Configuring MAC Extended ACL using CLI
MAC Extended ACLs contain rules based on the following parameters:
• Source MAC address
• Destination MAC address
• Ethertype: accepts well-known types like IP, ARP, VLAN or an integer value between 1 and 65535.
• VLAN-ID
• VLAN 802.1p user priority
Source and destination MAC addresses are mandatory parameters.
Execute the following CLI commands to configure a MAC extended ACL with different rule parameters on the WS5100 switch:
WS5100(config)#mac access-list extended macextacl
WS5100(config-ext-macl)#permit 00:a0:f8:00:00:00 ff:ff:ff:00:00:00 any rule-precedence 10
WS5100(config-ext-macl)#deny any any type arp rule-precedence 20
WS5100(config-ext-macl)#deny any any vlan 23 rule-precedence 30
10.4.2 Applying ACLs to Interfaces
ACLs can be applied to either an Ethernet or VLAN interface to filter packets coming IN from the interface.
When ACLs (IP or MAC) are applied to Ethernet interfaces, i.e. eth1 and eth2, they are called Port ACLs, and
when IP ACLs are applied to VLAN interfaces, like vlan1, vlan2 etc., they are called Router ACLs.
10.4.2.1 Configuring Port ACLs
Port ACLs filter packets which get switched in the same VLAN. Hence they should be applied on the appropriate
Ethernet interfaces when the administrator wants to control traffic between hosts in the same VLAN. Port
ACLs are not flow aware: the Port ACL rules are applied to every individual packet coming in through a
particular interface. When allowing a certain MU or wired host, you should also add rules to allow return
traffic from the MU or wired host.
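The following is an added illustration, not part of the guide or of the WS5100 firmware: a toy first-match evaluator that replays numbered ACL 2 from section 10.4.1 against constructed sample packets, showing why a lower rule-precedence value wins and why a port ACL that is not flow aware silently drops the server's reply until an explicit return-traffic rule is added. The ascending-precedence evaluation order, the implicit deny for unmatched packets, and the client address 10.0.0.7 are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumptions (not stated by the guide): rules are checked in ascending
# rule-precedence order, first match decides, unmatched packets are dropped.

@dataclass
class Rule:
    precedence: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # "any" or a host address
    dst: str
    dport: Optional[int] = None   # "eq <port>" on the destination

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(acl: list[Rule], pkt: Packet) -> str:
    for rule in sorted(acl, key=lambda r: r.precedence):
        if matches(rule, pkt):
            return rule.action
    return "deny"  # nothing matched: implicit deny (assumption)

# Numbered ACL 2 from the guide, one Rule per access-list line
ACL2 = [
    Rule(10, "deny", "ip", "1.2.3.4", "any"),
    Rule(20, "permit", "tcp", "any", "2.3.4.5", 80),
    Rule(30, "deny", "icmp", "any", "2.3.4.5"),
]
# Constructed sample traffic: a client's request to the web server on port 80,
# and the server's reply back to the client's ephemeral port
CLIENT, SERVER = "10.0.0.7", "2.3.4.5"
REQUEST = Packet("tcp", CLIENT, SERVER, 80)
REPLY = Packet("tcp", SERVER, CLIENT, 40000)

def return_rule() -> Rule:
    # "permit tcp host 2.3.4.5 any rule-precedence 25": the extra rule a
    # port ACL needs, since it is not flow aware and will not pass replies
    return Rule(25, "permit", "tcp", SERVER, "any")
```

A request from 1.2.3.4 to port 80 is still denied: rule 10 is evaluated before the permit at precedence 20.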