34-29
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 34 Configuring Network Security with ACLs
Creating Named MAC Extended ACLs
Use the
no mac access-list extended
name
global configuration command to delete the entire ACL. You
can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named
mac1
, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)#
mac access-list extended mac1
Switch(config-ext-macl)#
deny any any decnet-iv
Switch(config-ext-macl)#
permit any any
Switch(config-ext-macl)#
end
Switch #
show access-lists
Extended MAC access list mac1
10 deny any any decnet-iv
20 permit any any
Applying a MAC ACL to a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in
that interface. When you apply the MAC ACL, consider these guidelines:
•
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied
to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
•
You can apply no more than one IP access list and one MAC access list to the same Layer 2
interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
Step 3
{
deny
|
permit
} {
any
|
host
source MAC
address | source MAC address mask
} {
any
|
host
destination MAC address | destination
MAC address mask
} [
type
mask
|
lsap
lsap
mask
|
aarp
|
amber
|
dec-spanning
|
decnet-iv
|
diagnostic
|
dsm
|
etype-6000
|
etype-8042
|
lat
|
lavc-sca
|
mop-console
|
mop-dump
|
msdos
|
mumps
|
netbios
|
vines-echo
|
vines-ip
|
xns-idp |
0-65535
] [
cos
cos
]
In extended MAC access-list configuration mode, specify to
permit
or
deny
any
source MAC address, a source MAC address
with a mask, or a specific
host
source MAC address and
any
destination MAC address, destination MAC address with a mask,
or a specific destination MAC address.
(Optional) You can also enter these options:
•
type
mask
—An arbitrary EtherType number of a packet with
Ethernet II or SNAP encapsulation in decimal, hexadecimal,
or octal with optional mask of
don’t care
bits applied to the
EtherType before testing for a match.
•
lsap
lsap mask
—An LSAP number of a packet with
IEEE 802.2 encapsulation in decimal, hexadecimal, or octal
with optional mask of
don’t care
bits.
•
aarp
|
amber
|
dec-spanning
|
decnet-iv
|
diagnostic
|
dsm
|
etype-6000
|
etype-8042
|
lat
|
lavc-sca
|
mop-console
|
mop-dump
|
msdos
|
mumps
|
netbios
|
vines-echo
|
vines-ip
|
xns-idp
—A non-IP protocol.
•
cos
cos
—An IEEE 802.1Q cost of service number from 0 to 7
used to set priority.
Step 4
end
Return to privileged EXEC mode.
Step 5
show access-lists
[
number
|
name
]
Show the access list configuration.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Command
Purpose