Specifications

ManualsBrandsCisco ManualsComputer equipment2970 - Catalyst Switch

481

482

483

484

485

486

487

488

489

490

26-21

Catalyst 2970 Switch Software Configuration Guide

78-15462-03

Chapter 26 Configuring Network Security with ACLs

Creating Named MAC Extended ACLs

This example shows how to create and display an access list named mac1, denying only EtherType

DECnet Phase IV traffic, but permitting all other types of traffic.

Switch(config)# mac access-list extended mac1

Switch(config-ext-macl)# deny any any decnet-iv

Switch(config-ext-macl)# permit any any

Switch(config-ext-macl)# end

Switch # show access-lists

Extended MAC access list mac1

deny any any decnet-iv

permit any any

Applying a MAC ACL to a Layer 2 Interface

After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in

that interface. When you apply the MAC ACL, consider these guidelines:

• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL

takes precedence over a VLAN map applied to the VLAN. Incoming packets received on the Layer

2 port are always filtered by the port ACL.

• You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.

The IP access list filters only IP packets, and the MAC access list filters non-IP packets.

• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer

2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.

Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to

a Layer 2 interface:

To remove the specified access group, use the no mac access-group {name} interface configuration

command.

This example shows how to apply MAC access list mac1 on Gigabit Ethernet interface 0/3 to filter

packets entering the interface:

Switch(config)# interface gigabitethernet0/3

Router(config-if)# mac access-group mac1 in

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

interface interface-id Identify a specific interface, and enter interface configuration

mode. The interface must be a physical Layer 2 interface (port

ACL).

Step 3

mac access-group {name} {in} Control access to the specified interface by using the MAC access

list.

Note Port ACLs are supported only in the inbound direction.

Step 4

end Return to privileged EXEC mode.

Step 5

show mac access-group [interface interface-id]

Display the MAC access list applied to the interface or all Layer 2

interfaces.

Step 6

copy running-config startup-config (Optional) Save your entries in the configuration file.