beautypg.com

Creating named mac extended acls, Creating named mac extended – IBM 12.1(22)EA6 User Manual

Page 401

background image

22-17

Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide

24R9746

Chapter 22 Configuring Network Security with ACLs

Configuring ACLs

Switch(config)# ip access-list extended telnetting

Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out

Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet

Creating Named MAC Extended ACLs

You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC
extended ACLs. The procedure is similar to that of configuring other extended named access lists.

Note

Named MAC extended ACLs are used as a part of the mac access-group privileged EXEC command.

For more information about the supported non-IP protocols in the mac access-list extended command,
see the command reference for this release.

Note

Matching on any SNAP-encapsulated packet with a nonzero Organizational Unique Identifier (OUI) is
not supported.

Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Use the no mac access-list extended name global configuration command to delete the entire ACL. You
can also delete individual ACEs from named MAC extended ACLs.

This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.

Switch(config)# mac access-list extended mac1

Switch(config-ext-macl)# deny any any decnet-iv

Switch(config-ext-macl)# permit any any

Switch(config-ext-macl)# end

Switch # show access-list

Extended MAC access list mac1

deny any any decnet-iv

permit any any

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

mac access-list extended name

Define an extended MAC access list by using a name.

Step 3

{deny | permit} {any | host source MAC
address} {any | host destination MAC address}
[aarp | amber | appletalk | dec-spanning |
decnet-iv | diagnostic | dsm | etype-6000 |
etype-8042 | lat | lavc-sca | mop-console |
mop-dump | msdos | mumps | netbios |
vines-echo |vines-ip | xns-idp]

In extended MAC access-list configuration mode, specify to
permit or deny any source MAC address or a specific host source
MAC address and any destination MAC address.

(Optional) You can also enter these options:

aarp | amber | appletalk | dec-spanning | decnet-iv |
diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca |
mop-console | mop-dump | msdos | mumps | netbios |
vines-echo |vines-ip | xns-idp—(a non-IP protocol).

Step 4

end

Return to privileged EXEC mode.

Step 5

show access-lists [number | name]

Show the access list configuration.

Step 6

copy running-config startup-config

(Optional) Save your entries in the configuration file.

See also other documents in the category IBM Computer Accessories: