Cisco Systems 2960 Manual De Usuario
31-23
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 31 Configuring Network Security with ACLs
Creating Named MAC Extended ACLs
Use the no mac access-list extended name global configuration command to delete the entire ACL. You
can also delete individual ACEs from named MAC extended ACLs.
can also delete individual ACEs from named MAC extended ACLs.
This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.
DECnet Phase IV traffic, but permitting all other types of traffic.
Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch # show access-lists
Extended MAC access list mac1
10 deny any any decnet-iv
20 permit any any
Applying a MAC ACL to a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in
that interface. When you apply the MAC ACL, consider these guidelines:
that interface. When you apply the MAC ACL, consider these guidelines:
•
You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
•
A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Step 3
{deny | permit} {any | host source MAC
address | source MAC address mask} {any |
host destination MAC address | destination
MAC address mask} [type mask | lsap lsap mask
| aarp | amber | dec-spanning | decnet-iv |
diagnostic | dsm | etype-6000 | etype-8042 | lat
| lavc-sca | mop-console | mop-dump | msdos |
mumps | netbios | vines-echo |vines-ip |
xns-idp | 0-65535] [cos cos]
address | source MAC address mask} {any |
host destination MAC address | destination
MAC address mask} [type mask | lsap lsap mask
| aarp | amber | dec-spanning | decnet-iv |
diagnostic | dsm | etype-6000 | etype-8042 | lat
| lavc-sca | mop-console | mop-dump | msdos |
mumps | netbios | vines-echo |vines-ip |
xns-idp | 0-65535] [cos cos]
In extended MAC access-list configuration mode, specify to
permit or deny any source MAC address, a source MAC address
with a mask, or a specific host source MAC address and any
destination MAC address, destination MAC address with a mask,
or a specific destination MAC address.
permit or deny any source MAC address, a source MAC address
with a mask, or a specific host source MAC address and any
destination MAC address, destination MAC address with a mask,
or a specific destination MAC address.
(Optional) You can also enter these options:
•
type mask—An arbitrary EtherType number of a packet with
Ethernet II or SNAP encapsulation in decimal, hexadecimal,
or octal with optional mask of don’t care bits applied to the
EtherType before testing for a match.
Ethernet II or SNAP encapsulation in decimal, hexadecimal,
or octal with optional mask of don’t care bits applied to the
EtherType before testing for a match.
•
lsap lsap mask—An LSAP number of a packet with
IEEE 802.2 encapsulation in decimal, hexadecimal, or octal
with optional mask of don’t care bits.
IEEE 802.2 encapsulation in decimal, hexadecimal, or octal
with optional mask of don’t care bits.
•
aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm |
etype-6000 | etype-8042 | lat | lavc-sca | mop-console |
mop-dump | msdos | mumps | netbios | vines-echo |vines-ip
| xns-idp—A non-IP protocol.
etype-6000 | etype-8042 | lat | lavc-sca | mop-console |
mop-dump | msdos | mumps | netbios | vines-echo |vines-ip
| xns-idp—A non-IP protocol.
•
cos cos—An IEEE 802.1Q cost of service number from 0 to 7
used to set priority.
used to set priority.
Step 4
end
Return to privileged EXEC mode.
Step 5
show access-lists [number | name]
Show the access list configuration.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Command
Purpose