Configuring Transparent Bridging
Transparent and SRT Bridging Configuration Task List
BC-46
Cisco IOS Bridging and IBM Networking Configuration Guide
• Setting Filters at the MAC Layer, page 46
• Filtering LAT Service Announcements, page 51
Note: When setting up administrative filtering, remember that there is virtually no performance
penalty in filtering by Media Access Control (MAC) address or vendor code, but there can
be a significant performance penalty when filtering by protocol type.
When configuring transparent bridging access control, keep the following points in mind:
• You can assign only one access list to an interface.
• The conditions in the access list are applied to all outgoing packets not sourced by the Cisco IOS software.
• Access lists are scanned in the order you enter them; the first match is used.
• An implicit deny everything entry is automatically defined at the end of an access list unless you include an explicit permit everything entry at the end of the list.
• All new entries to an existing list are placed at the end of the list. You cannot add an entry to the middle of a list. This means that if you have previously included an explicit permit everything entry, new entries will never be scanned. The solution is to delete the access list and retype it with the new entries.
• You can create extended access lists to specify more detailed filters, such as address match only. You should not use extended access lists on FDDI interfaces doing transit bridging as opposed to translational bridging.
• Configuring bridging access lists of type 700 may cause a momentary interruption of traffic flow.
For more information on access lists, refer to the “Traffic Filtering and Firewalls” chapter of the Cisco
IOS Security Configuration Guide.
Setting Filters at the MAC Layer
You can filter transmission of frames at the MAC layer by performing tasks in one of the following
sections:
• Filtering by Specific MAC Address
• Filtering by Vendor Code
• Filtering by Protocol Type
When filtering by a MAC-layer address, you can use two kinds of access lists: standard access lists that
specify a simple address, and extended access lists that specify two addresses. You can also further
restrict access by creating filters for these lists. After you have completed one of the preceding tasks,
perform the task in the following section:
• Defining and Applying Extended Access Lists
Note: MAC addresses on Ethernets are “bit swapped” when compared with MAC addresses on
Token Ring and FDDI. For example, address 0110.2222.3333 on Ethernet is
8008.4444.CCCC on Token Ring and FDDI. Access lists always use the canonical Ethernet
representation. When using different media and building access lists to filter on MAC
addresses, keep this point in mind. Note that when a bridged packet traverses a serial link,
it has an Ethernet-style address.
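
The access-list scanning rules listed earlier and the bit-swap rule in the note above can be checked with a small model. This Python sketch is an added example, not Cisco code or part of the guide; the function names are hypothetical, the sample station is constructed, and it assumes the IOS convention for 700-series lists that mask bits set to 1 are ignored.

```python
# Added illustration (not Cisco code): models first-match list scanning and
# the Ethernet <-> Token Ring/FDDI bit swap described in the text.
MASK48 = 0xFFFFFFFFFFFF

def parse_mac(dotted):
    """'0110.2222.3333' -> 48-bit integer."""
    digits = dotted.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits: {dotted!r}")
    return int(digits, 16)

def format_mac(value):
    """48-bit integer -> dotted form, upper-case hex."""
    text = f"{value:012X}"
    return ".".join(text[i:i + 4] for i in (0, 4, 8))

def bit_swap(dotted):
    """Reverse the bit order within each byte; the operation is its own inverse."""
    raw = parse_mac(dotted).to_bytes(6, "big")
    swapped = bytes(int(f"{b:08b}"[::-1], 2) for b in raw)
    return format_mac(int.from_bytes(swapped, "big"))

def evaluate(entries, mac):
    """Scan (action, address, mask) entries in order and stop at the first match.

    Mask bits set to 1 are ignored. Returns (action, matching index), or
    ("deny", None) when only the implicit deny at the end applies.
    """
    target = parse_mac(mac)
    for index, (action, address, mask) in enumerate(entries):
        care = ~parse_mac(mask) & MASK48
        if (target & care) == (parse_mac(address) & care):
            return action, index
    return "deny", None

PERMIT_ALL = ("permit", "0000.0000.0000", "FFFF.FFFF.FFFF")

# Constructed sample: a station seen on Token Ring as 8008.4444.CCCC must be
# entered in the list in canonical Ethernet form.
BLOCKED = bit_swap("8008.4444.CCCC")
DENY_HOST = ("deny", BLOCKED, "0000.0000.0000")

APPENDED = [PERMIT_ALL, DENY_HOST]  # entry added after "permit everything"
RETYPED = [DENY_HOST, PERMIT_ALL]   # list deleted and re-entered in order

if __name__ == "__main__":
    print("canonical address:", BLOCKED)
    print("appended list:", evaluate(APPENDED, BLOCKED))
    print("retyped list: ", evaluate(RETYPED, BLOCKED))
```

In the appended list the deny entry is shadowed by the earlier permit everything entry, so the station is still forwarded; only the retyped list filters it.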