Cisco Systems IC-23 Filtering by MAC Address and Vendor Code, address, IC-52, Command, Purpose

Models: IC-23

Filtering by MAC Address and Vendor Code

Configuring LAN Interfaces

Configuring a LAN Extender Interface

The major reason to create access lists on a LAN Extender interface is to prevent traffic that is local to the remote Ethernet LAN from traversing the WAN and reaching the core router. You can filter packets by MAC address, including vendor code, and by Ethernet type code. To define filters on the LAN Extender interface, perform the tasks described in one or both of the following sections:

Filtering by MAC Address and Vendor Code

Filtering by Protocol Type

Note When setting up administrative filtering, remember that there is virtually no performance penalty when filtering by vendor code, but there can be a performance penalty when filtering by protocol type.

When defining access lists, keep the following points in mind:

You can assign only one vendor code access list and only one protocol type access list to an interface.

The conditions in the access list are applied to all outgoing packets from the LAN Extender.

The entries in an access list are scanned in the order you enter them. The first entry that matches the outgoing packet is used.

An implicit “deny everything” entry is automatically defined at the end of an access list unless you include an explicit “permit everything” entry at the end of the list. This means that unless you have an entry at the end of an access list that explicitly permits all packets that do not match any of the other conditions in the access list, these packets will not be forwarded out the interface.

All new entries to an existing list are placed at the end of the list. You cannot add an entry to the middle of a list.

If you do not define any access lists on an interface, it is as if you had defined an access list with only a “permit all” entry. All traffic passes across the interface.

Filtering by MAC Address and Vendor Code

You can create access lists to administratively filter MAC addresses. These access lists can filter groups of MAC addresses, including those with particular vendor codes. There is no noticeable performance loss in using these access lists, and the lists can be of indefinite length.

You can filter groups of MAC addresses with particular vendor codes by creating a vendor code access list and then by applying an access list to an interface.

To create a vendor code access list, use the following command in global configuration mode:

Command: access-list access-list-number {permit | deny} address mask

Purpose: Creates an access list to filter frames by canonical (Ethernet-ordered) MAC address.

Note Token Ring and FDDI networks swap their MAC address bit ordering, but Ethernet networks do not. Therefore, an access list that works for one medium might not work for others.
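The list rules above (entries scanned in the order entered, first match used, implicit deny at the end) and the address/mask form of the command, modeled as an added example that is not taken from the Cisco guide. It assumes the mask is a wildcard mask in which 1 bits are ignored during comparison; the class and function names and the sample addresses are constructed for illustration.

```python
MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit MAC address space


def mac_to_int(mac: str) -> int:
    """Parse dotted-triplet (0000.0c12.3456), colon or hyphen MAC notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


class MacAccessList:
    """Hypothetical model of one vendor code access list."""

    def __init__(self):
        self.entries = []  # new entries are always placed at the end

    def add(self, action: str, address: str, mask: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        self.entries.append((action, mac_to_int(address), mac_to_int(mask)))

    def evaluate(self, mac: str):
        """Return (action, entry index); index None means the implicit deny."""
        value = mac_to_int(mac)
        for index, (action, address, mask) in enumerate(self.entries):
            care = ~mask & MAC_BITS  # assumption: 1 bits in the mask are ignored
            if (value & care) == (address & care):
                return action, index  # first matching entry is used
        return "deny", None  # implicit "deny everything" at the end of the list


def build_list(with_permit_all: bool) -> MacAccessList:
    """Constructed sample: block one vendor code (first three octets 00:00:0c)."""
    acl = MacAccessList()
    acl.add("deny", "0000.0c00.0000", "0000.00ff.ffff")
    if with_permit_all:
        # Explicit "permit everything": every bit of the address is ignored.
        acl.add("permit", "0000.0000.0000", "ffff.ffff.ffff")
    return acl


if __name__ == "__main__":
    for permit_all in (False, True):
        acl = build_list(permit_all)
        for mac in ("0000.0c12.3456", "0800.2b01.0203"):
            print(permit_all, mac, acl.evaluate(mac))
```

Without the closing permit entry, the list that was meant to block a single vendor code blocks every frame, which is the failure mode the implicit deny rule warns about.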

Cisco IOS Interface Configuration Guide

IC-52
