29-18
Catalyst2950 and Catalyst2955 Switch Software Configuration Guide
78-11380-10
Chapter29 Configuring Network Security with ACLs
Configuring ACLs
Creating Named MAC Extended ACLs
You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC
extended ACLs. The procedure is similar to that of configuring other extende d name d acce ss l ists.
Note Named MAC extended ACLs are used as a part of the mac access-group privileged EXEC command.
For more information about the supported non-IP protocols in the mac access-list extended command,
refer to the command reference for this release.
Note Matching on any SNAP-encapsulated packet with a nonzero Organizational Unique Identi fier (OU I) i s
not supported.
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
Use the no mac access-list extended name global configuration command to delete the entire ACL. You
can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying o nl y E the rType
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch # show access-list
Extended MAC access list mac1
deny any any decnet-iv
permit any any
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 mac access-list extended name Define an extended MAC access list by using a name.
Step3 {deny | permit} {any | host source MAC
address} {any | host destination MAC address}
[aarp | amber | appletalk | dec-spanning |
decnet-iv | diagnostic | dsm | etype-6000 |
etype-8042 | lat | lavc-sca | mop-console |
mop-dump | msdos | mumps | netbios |
vines-echo |vines-ip | xns-idp]
In extended MAC access-list configuration mode, specify to
permit or deny any source MAC address or a specific host source
MAC address and any destination MAC address.
(Optional) You can also enter these options:
aarp | amber | appletalk | dec-spanning | decnet-iv |
diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca |
mop-console | mop-dump | msdos | mumps | netbios |
vines-echo |vines-ip | xns-idp(a non-IP protocol).
Step4 end Return to privileged EXEC mode.
Step5 show access-lists [number | name] Show the access list configuration.
Step6 copy running-config startup-config (Optional) Save your entries in the configuration file.