28-18
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 28 Configuring Network Security with ACLs
Configuring ACLs
This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch # show access-list
Extended MAC access list mac1
deny any any decnet-iv
permit any any
Creating MAC Access Groups
Beginning in privileged EXEC mode, follow these steps to create MAC access groups and to apply a
MAC access list to an interface:
This example shows how to apply ACL 2 on an interface to filter packets entering the interface:
Switch(config)# interface gigabitethernet0/1
Router(config-if)# mac access-group 2 in
Note The mac access-group interface configuration command is only valid when applied to a Layer 2
interface.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet. The MAC ACL applies to both IP and non-IP packets.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs as a means of
network security.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Identify a specific interface for configuration, and enter interface
configuration mode.
The interface must be a Layer 2 interface.
Step 3 mac access-group {name} {in} Control access to the specified interface by using the MAC access list name.
Step 4 end Return to privileged EXEC mode.
Step 5 show mac-access group Display the MAC ACLs applied on the switch.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.