16-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 16 Adding an EtherType Access List
Configuring EtherType Access Lists
Step 1 Create an access list by adding an ACE and applying an access list name, as shown in the “Adding
EtherType Access Lists” section on page 16-3.
Step 2 Apply the access list to an interface. (See the “Configuring Access Rules” section on page 34-7 for more
information.)
Adding EtherType Access Lists
To configure an access list that controls traffic based upon its EtherType, perform the following steps:
Detailed Steps

Command:
access-list access_list_name ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | is-is | any | hex_number}

Example:
hostname(config)# access-list ETHER ethertype permit ipx

Purpose:
Adds an EtherType ACE.
The access_list_name argument lists the name or number of an access list.
When you specify an access list name, the ACE is added to the end of the
access list. Enter the access_list_name in upper case letters so that the
name is easy to see in the configuration. You might want to name the access
list for the interface (for example, INSIDE) or for the purpose (for
example, MPLS or PIX).
The permit keyword permits access if the conditions are matched.
The deny keyword denies access if the conditions are matched. If an
EtherType access list is configured to deny all, all Ethernet frames are
discarded. Only physical protocol traffic, such as auto-negotiation, is still
allowed.
The ipx keyword specifies access to IPX.
The bpdu keyword specifies access to bridge protocol data units, which are
allowed by default.
The mpls-unicast keyword specifies access to MPLS unicast.
The mpls-multicast keyword specifies access to MPLS multicast.
The is-is keyword specifies access to IS-IS traffic (Version 8.4(5) only).
The any keyword specifies access for any traffic.
The hex_number argument indicates any EtherType that can be identified
by a 16-bit hexadecimal number greater than or equal to 0x600. (See RFC
1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list
of EtherTypes.)
Note: To remove an EtherType ACE, enter the no access-list command
with the entire command syntax string as it appears in the
configuration.
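As an added example that is not part of the Cisco guide, the following Python checker validates ACE lines against the syntax above (keywords, hex_number in the range 0x600 to 0xFFFF), builds the exact no access-list removal string the Note requires, and flags two review findings: names that are not upper case and entries shadowed by an earlier any entry (it assumes the ASA evaluates ACEs in the order they appear).

```python
import re

# Keywords accepted by the ASA "access-list ... ethertype" command described above.
KEYWORDS = {"ipx", "bpdu", "mpls-unicast", "mpls-multicast", "is-is", "any"}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+ethertype\s+"
    r"(?P<action>permit|deny)\s+(?P<etype>\S+)$"
)


def parse_ethertype_ace(line):
    """Parse one EtherType ACE line; returns a dict or raises ValueError."""
    m = ACE_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"not an EtherType ACE: {line!r}")
    etype = m.group("etype").lower()
    if etype in KEYWORDS:
        value = etype
    else:
        try:
            value = int(etype, 16)
        except ValueError:
            raise ValueError(f"unknown EtherType keyword: {etype!r}") from None
        # Values below 0x600 are IEEE 802.3 length fields, not EtherTypes.
        if not 0x600 <= value <= 0xFFFF:
            raise ValueError(f"hex EtherType must be 0x600..0xFFFF: {etype}")
    return {"name": m.group("name"), "action": m.group("action"), "etype": value}


def removal_command(line):
    """Build the 'no' form; the Note requires the entire ACE string to be repeated."""
    parse_ethertype_ace(line)  # refuse to emit a removal for an invalid line
    return "no " + " ".join(line.split())


def lint_ethertype_acl(lines):
    """Return review warnings for a list of ACE lines belonging to one access list."""
    warnings = []
    catch_all = None  # "permit any" / "deny any" seen on an earlier line (assumed first-match)
    for n, line in enumerate(lines, 1):
        ace = parse_ethertype_ace(line)
        if ace["name"] != ace["name"].upper():
            warnings.append(f"line {n}: name {ace['name']!r} is not upper case")
        if catch_all:
            warnings.append(f"line {n}: never reached, shadowed by earlier '{catch_all}'")
        elif ace["etype"] == "any":
            catch_all = f"{ace['action']} any"
            if ace["action"] == "deny":
                warnings.append(f"line {n}: 'deny any' discards all Ethernet frames")
    return warnings
```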