28-28
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter28 Configuring Network Security with ACLs
Creating Named MAC Extended ACLs
Applying a MAC ACL to a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interfa ce t o filter non -I P tra ffic coming in
that interface. When you apply the MAC ACL, consider these guidelines:
If you apply an ACL to a Layer 2 interface that is a memb er o f a VL AN , th e La yer 2 (po rt) ACL
takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applie d
to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
You can apply no more than one IP access list and one MA C access list to the same La yer 2 interfac e.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
A Layer 2 interface can have only one MAC access list. If you appl y a MA C acce ss list to a Lay er2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to
a Layer 2 interface:
To remove the specified access group, use the no mac access-group {name} interface configuration
command.
This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet0/2
Router(config-if)# mac access-group mac1 in
Note The mac access-group interface configuration command is only valid when applied to a physical
Layer 2 interface.You cannot use the command on EtherChannel port channels.
After receiving a packet, the switch checks it against the inbound A C L. If the ACL permits it, the switch
continues to process the packet. If the ACL rejects the packet, the switch discards it. When yo u apply an
undefined ACL to an interface, the switch acts as if the A CL has no t been applie d and permits a ll packets.
Remember this behavior if you use undefined ACLs for network security.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 interface interface-id Identify a specific interface, and enter interface configuration
mode. The interface must be a physical Layer 2 interface (port
ACL).
Step3 no shutdown Enable the port, if necessary. By default, UNIs are disabled, and
NNIs are enabled.
Step4 mac access-group {name} {in} Control access to the specified interface by using the MAC access
list.
Note Port ACLs are supported only in the inbound direction.
Step5 end Return to privileged EXEC mode.
Step6 show mac access-group [interface interface-id] Display the MAC access list applied to the interface or all Layer 2
interfaces.
Step7 copy running-config startup-config (Optional) Save your entries in the configuration file.