564 Configuring Access Control Lists
Command
    Purpose

CTRL + Z
    Exit to Privileged EXEC mode.

show ip access-lists [name]
    Display all IPv4 access lists and all of the rules that are defined for the IPv4 ACL. Use the optional name parameter to identify a specific IPv4 ACL to display.

Configuring a MAC ACL

Beginning in Privileged EXEC mode, use the following commands to create a MAC ACL, configure rules for the ACL, and bind the ACL to an interface.
Command
    Purpose

configure
    Enter global configuration mode.

mac access-list extended name
    Create a named MAC ACL. This command also enters MAC Access List Configuration mode. If a MAC ACL with this name already exists, this command enters the mode to update the existing ACL.

{deny | permit} {srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu} [{ethertypekey | 0x0600-0xFFFF}] [vlan eq 0-4095] [cos 0-7] [secondary-vlan eq 0-4095] [secondary-cos 0-7] [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} interface]
    Specify the rules (match conditions) for the MAC access list.
    • srcmac — Valid source MAC address in format xxxx.xxxx.xxxx.
    • srcmacmask — Valid MAC address bitmask for the source MAC address in format xxxx.xxxx.xxxx.
    • any — Packets sent to or received from any MAC address.
    • dstmac — Valid destination MAC address in format xxxx.xxxx.xxxx.
    • dstmacmask — Valid MAC address bitmask for the destination MAC address in format xxxx.xxxx.xxxx.
    • bpdu — Bridge protocol data unit.
    • ethertypekey — Either a keyword or valid four-digit hexadecimal number. (Range: Supported values are appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, Netbios, novell, pppoe, rarp.)
    • 0x0600-0xFFFF — Specify custom EtherType value (hexadecimal range 0x0600-0xFFFF).
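
A rule line can be checked against the syntax above before it is entered on the switch. The Python linter below is an added example, not part of this manual or of the switch software; the names lint_mac_rule, GOOD and BAD and the sample rules are constructed here. It checks only address format, keywords and numeric ranges, and does not interpret what the mask bits select.

```python
import re
# Keywords from the ethertypekey list above, compared case-insensitively.
ETHERTYPE_KEYS = set("appletalk arp ibmsna ipv4 ipv6 ipx mplsmcast mplsucast "
                     "netbios novell pppoe rarp".split())
MAC_RE = re.compile(r"[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}")   # xxxx.xxxx.xxxx
# option -> (requires "eq", inclusive maximum), taken from the rule syntax above.
RANGED = {"vlan": (True, 4095), "secondary-vlan": (True, 4095),
          "cos": (False, 7), "secondary-cos": (False, 7)}
ONE_ARG = {"time-range", "assign-queue", "mirror", "redirect"}  # argument not verifiable offline

def _skip_addr(tok, keywords):
    """Drop a leading keyword or 'mac mask' pair; raise ValueError if neither fits."""
    if tok and tok[0] in keywords:
        return tok[1:]
    if len(tok) >= 2 and MAC_RE.fullmatch(tok[0]) and MAC_RE.fullmatch(tok[1]):
        return tok[2:]
    raise ValueError(f"expected {'/'.join(sorted(keywords))} or MAC and mask as xxxx.xxxx.xxxx")

def lint_mac_rule(line):
    """Return problems in one rule line ([] = well-formed); option order is not enforced."""
    tok = line.split()
    if not tok or tok[0] not in ("deny", "permit"):
        return ["rule must start with deny or permit"]
    try:
        # Source accepts only 'any'; destination also accepts 'bpdu'.
        tok = _skip_addr(_skip_addr(tok[1:], {"any"}), {"any", "bpdu"})
    except ValueError as exc:
        return [str(exc)]
    errors = []
    if tok and (tok[0].lower() in ETHERTYPE_KEYS or tok[0].lower().startswith("0x")):
        et = tok.pop(0).lower()
        if et.startswith("0x") and not (re.fullmatch(r"0x[0-9a-f]{4}", et) and int(et, 16) >= 0x0600):
            errors.append(f"EtherType {et} is outside 0x0600-0xFFFF")
    while tok:
        opt = tok.pop(0)
        if opt in RANGED:
            needs_eq, top = RANGED[opt]
            if needs_eq and (not tok or tok.pop(0) != "eq"):
                return errors + [f"{opt} must be followed by eq"]
            val = tok.pop(0) if tok else ""
            if not (val.isdecimal() and int(val) <= top):
                errors.append(f"{opt} value {val!r} is outside 0-{top}")
        elif opt in ONE_ARG:
            if not tok:
                return errors + [f"{opt} needs an argument"]
            tok.pop(0)
        elif opt != "log":
            errors.append(f"unknown token {opt!r}")
    return errors

# Constructed sample rules (not from the manual); BAD has three out-of-range values.
GOOD = "deny 0011.2233.4455 0000.0000.0000 any arp vlan eq 10 cos 5 log"
BAD = "permit any bpdu 0x0500 vlan eq 5000 cos 9"
```

Calling lint_mac_rule on each line of a staged configuration file and refusing to push when any list is non-empty catches address-format and range mistakes before they reach the device.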