Access Control Lists
3-85
3
CLI – This example shows how to create an Ingress MAC ACL and bind it to a port.
You can then see that the order of the rules have been changed by the mask.
Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you can bind the ports that need to
filter traffic to the appropriate ACLs. You can only bind a port to one ACL for each
basic type – IP ingress, IP egress, MAC ingress and MAC egress.
Command Usage
• You must configure a mask for an ACL rule before you can bind it to a port.
• This switch supports ACLs for both ingress and egress filtering. However, you can
only bind one IP ACL and one MAC ACL to any port for ingress filtering, and one
IP ACL and one MAC ACL to any port for egress filtering. In other words, only four
ACLs can be bound to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC
ACL and Egress MAC ACL.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL
must be deny rules. Otherwise, the bind operation will fail.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL
or the egress MAC ACLs. If these rules are included in the ACL, and you attempt
to bind the ACL to an interface for egress checking, the bind operation will fail.
Command Attributes
• Port – Fixed port or SFP module. (Range: 1-26)
• IP – Specifies the IP ACL to bind to a port.
• MAC – Specifies the MAC ACL to bind to a port.
• IN – ACL for ingress packets.
• OUT – ACL for egress packets.
• ACL Name – Name of the ACL.
Console(config)#access-list mac M4 4-126
Console(config-mac-acl)#permit any any 4-127
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11
ff-ff-ff-ff-ff-ff any vid 3 4-127
Console(config-mac-acl)#end
Console#show access-list 4-136
MAC access-list M4:
permit any any
deny tagged-eth2 host 00-11-11-11-11-11 any vid 3
Console(config)#access-list mac mask-precedence in 4-129
Console(config-mac-mask-acl)#
mask pktformat ff-ff-ff-ff-ff-ff any vid
4-130
Console(config-mac-mask-acl)#exit
Console(config)#interface ethernet 1/12 4-151
Console(config-if)#mac access-group M4 in 4-132
Console(config-if)#end
Console#show access-list
MAC access-list M4:
deny tagged-eth2 host 00-11-11-11-11-11 any vid 3
permit any any
MAC ingress mask ACL:
mask pktformat host any vid
Console#
To Next Page
Loading...
Need help?
General