Configuring LAN Interfaces
Configuring a LAN Extender Interface
The major reason to create access lists on a LAN Extender interface is to prevent traffic that is local to the remote Ethernet LAN from traversing the WAN and reaching the core router. You can filter packets by MAC address, including vendor code, and by Ethernet type code. To define filters on the LAN Extender interface, perform the tasks described in one or both of the following sections:
•Filtering by MAC Address and Vendor Code
•Filtering by Protocol Type
Note When setting up administrative filtering, remember that there is virtually no performance penalty when filtering by vendor code, but there can be a performance penalty when filtering by protocol type.
When defining access lists, keep the following points in mind:
•You can assign only one vendor code access list and only one protocol type access list to an interface.
•The conditions in the access list are applied to all outgoing packets from the LAN Extender.
•The entries in an access list are scanned in the order you enter them. The first entry that matches the outgoing packet is used.
•An implicit “deny everything” entry is automatically defined at the end of an access list unless you include an explicit “permit everything” entry at the end of the list. This means that unless you have an entry at the end of an access list that explicitly permits all packets that do not match any of the other conditions in the access list, these packets will not be forwarded out the interface.
•All new entries to an existing list are placed at the end of the list. You cannot add an entry to the middle of a list.
•If you do not define any access lists on an interface, it is as if you had defined an access list with only a “permit all” entry. All traffic passes across the interface.
Filtering by MAC Address and Vendor Code
You can create access lists to administratively filter MAC addresses. These access lists can filter groups of MAC addresses, including those with particular vendor codes. There is no noticeable performance loss in using these access lists, and the lists can be of indefinite length.
You can filter groups of MAC addresses with particular vendor codes by creating a vendor code access list and then applying that access list to an interface.
To create a vendor code access list, use the following command in global configuration mode:
Command | Purpose |
{permit deny} address mask | Creates an access list to filter frames by canonical address. |
Note Token Ring and FDDI networks swap their MAC address bit ordering, but Ethernet networks do not. Therefore, an access list that works for one medium might not work for others.
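The access-list rules listed earlier (entries scanned in order, first match used, implicit deny at the end, no list meaning permit all) and the address/mask form of a vendor code entry can be modeled in Python; this is an added example, not Cisco IOS code and not part of the original guide. It assumes that 1 bits in the mask mark "don't care" positions, and the class, function names and sample addresses are constructed for illustration.

```python
# Added illustration: a model of the access-list rules above, not Cisco IOS code.
# Assumption: mask bits set to 1 are "don't care" bits (wildcard-style mask).

def mac_to_int(mac):
    """Parse 'xxxx.xxxx.xxxx', 'xx:xx:...' or 12 bare hex digits into a 48-bit int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def bit_swap(mac_int):
    """Reverse the bit order inside each byte (canonical <-> Token Ring/FDDI order)."""
    out = 0
    for shift in range(40, -8, -8):
        byte = (mac_int >> shift) & 0xFF
        out = (out << 8) | int(f"{byte:08b}"[::-1], 2)
    return out

class MacAccessList:
    def __init__(self):
        self.entries = []  # scanned in the order they were entered

    def add(self, action, address, mask):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        a, m = mac_to_int(address), mac_to_int(mask)
        self.entries.append((action, a & ~m, m))  # new entries go at the end only

    def evaluate(self, mac):
        value = mac_to_int(mac)
        for action, address, mask in self.entries:
            if (value & ~mask) == address:  # first matching entry is used
                return action
        return "deny"  # implicit "deny everything" at the end of every list

def forwards(acl, mac):
    """An interface with no access list behaves like a single 'permit all' entry."""
    return acl is None or acl.evaluate(mac) == "permit"

# Constructed sample: deny one vendor code (first 3 bytes 00:00:0c), permit the rest.
VENDOR_FILTER = MacAccessList()
VENDOR_FILTER.add("deny", "0000.0c00.0000", "0000.00ff.ffff")
VENDOR_FILTER.add("permit", "0000.0000.0000", "ffff.ffff.ffff")
```

Passing the output of `bit_swap` back through `VENDOR_FILTER` shows the effect described in the note: the same station address in swapped bit order no longer matches the vendor code entry and falls through to the final permit.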
Cisco IOS Interface Configuration Guide