Configuring Transparent Bridging
Transparent and SRT Bridging Configuration Task List
Cisco IOS Bridging and IBM Networking Configuration Guide
Filtering by Protocol Type
You can filter by protocol type by using the access-list mechanism and specifying a protocol type code.
To filter by protocol type, perform the first task and one or more of the other tasks that follow:
Establish a protocol type access list
Filter Ethernet- and SNAP-encapsulated packets on input
Filter Ethernet- and SNAP-encapsulated packets on output
Filter IEEE 802.2-encapsulated packets on input
Filter IEEE 802.2-encapsulated packets on output
Note: It is a good idea to have both input and output type code filtering on different interfaces.
The order in which you enter access-list commands affects the order in which the access conditions are
checked. Each condition is tested in succession. A matching condition is then used to execute a permit
or deny decision. If no conditions match, a “deny” decision is reached.
Note: Protocol type access lists can have an impact on system performance; therefore, keep the
lists as short as possible and use wildcard bit masks whenever possible.
Access lists for Ethernet- and IEEE 802.2-encapsulated packets affect only bridging functions. It is not
possible to use such access lists to block frames with protocols that are being routed.
You can establish protocol type access lists. Specify either an Ethernet type code for
Ethernet-encapsulated packets or a DSAP/SSAP pair for 802.3- or 802.5-encapsulated packets. Ethernet
type codes are listed in the “Ethernet Type Codes” appendix of the Cisco IOS Bridging and IBM
Networking Command Reference, Volume I.
To establish protocol type access lists, use the following command in global configuration mode:
You can filter Ethernet- and SNAP-encapsulated packets on input. For SNAP-encapsulated frames, the
access list you create is applied against the two-byte TYPE field given after the DSAP/SSAP/OUI fields
in the frame. The access list is applied to all Ethernet and SNAP frames received on that interface prior
to the bridge learning process. SNAP frames also must pass any applicable IEEE 802.2 DSAP/SSAP
access lists.
You can also filter Ethernet- and SNAP-encapsulated packets on output. The access list you create is
applied just before sending out a frame to an interface.
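
The following Python sketch is an added example, not part of the Cisco guide. It models how a type-code list is evaluated: entries are tested in the order entered, the first match decides, no match means deny, and for SNAP frames the comparison uses the two-byte TYPE field after DSAP/SSAP/OUI. The list contents, MAC addresses and frames are constructed, and the sketch assumes that 1 bits in the wild-mask are ignored in the comparison; it does not model the additional DSAP/SSAP list that SNAP frames must also pass.

```python
import struct

# Constructed list in the shape "access-list N {permit|deny} type-code wild-mask".
# Assumption: 1 bits in wild-mask are ignored when comparing.
ACL_201 = [
    ("deny",   0x6004, 0x0000),  # exactly type code 0x6004
    ("permit", 0x6000, 0x000F),  # 0x6000 through 0x600F
    ("permit", 0x0800, 0x0000),
]

MACS = bytes.fromhex("020000000002" "020000000001")  # constructed dst + src
ETH_6004 = MACS + bytes.fromhex("6004") + bytes(46)   # Ethernet-encapsulated
ETH_0806 = MACS + bytes.fromhex("0806") + bytes(46)
# 802.3 length, then DSAP/SSAP 0xAA/0xAA, control 0x03, OUI, two-byte TYPE
SNAP_0800 = MACS + struct.pack("!H", 28) + bytes.fromhex("aaaa03" "000000" "0800") + bytes(20)
LLC_ONLY = MACS + struct.pack("!H", 23) + bytes.fromhex("f0f003") + bytes(20)

def frame_type(frame: bytes):
    """Return the 16-bit type a type-code list is applied against, else None."""
    if len(frame) < 14:
        return None
    (field,) = struct.unpack_from("!H", frame, 12)
    if field >= 0x0600:            # Ethernet II: type follows the two MACs
        return field
    if len(frame) >= 22 and frame[14:16] == b"\xaa\xaa":
        return struct.unpack_from("!H", frame, 20)[0]  # after DSAP/SSAP/ctrl/OUI
    return None                    # plain 802.2: DSAP/SSAP lists apply instead

def evaluate(acl, type_code: int) -> str:
    """Test each condition in order; the first match decides."""
    for action, code, mask in acl:
        care = ~mask & 0xFFFF      # bits that must match
        if (type_code & care) == (code & care):
            return action
    return "deny"                  # no condition matched

def filter_frame(acl, frame: bytes) -> str:
    t = frame_type(frame)
    return "not-applicable" if t is None else evaluate(acl, t)

if __name__ == "__main__":
    for name in ("ETH_6004", "ETH_0806", "SNAP_0800", "LLC_ONLY"):
        print(name, filter_frame(ACL_201, globals()[name]))
    # Same entries, range permit entered first: 0x6004 now matches it and passes.
    print(evaluate([ACL_201[1], ACL_201[0], ACL_201[2]], 0x6004))
```

Entering the broader permit before the specific deny lets type 0x6004 through, which is why the narrow entry has to come first.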
Command                                                           Purpose
bridge-group bridge-group input-address-list access-list-number   Assigns an access list to an interface for filtering by MAC source addresses.
bridge-group bridge-group output-address-list access-list-number  Assigns an access list to an interface for filtering by the MAC destination addresses.

Command                                                            Purpose
access-list access-list-number {permit | deny} type-code wild-mask  Prepares access control information for filtering frames by protocol type.