
Cisco Catalyst 2950 - Creating Named MAC Extended Acls

12-20
Catalyst 2950 Desktop Switch Software Configuration Guide
78-11380-03
Chapter 12 Configuring Network Security with ACLs
Configuring ACLs
Commented IP ACL Entry Examples
In this example of a numbered ACL, the workstation belonging to Jones is allowed access, and the
workstation belonging to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the
Web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.13 any eq www
In this example of a named ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
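The following Python sketch is an added example, not part of the Cisco guide. It evaluates the standard ACL entries shown above the way the switch does: remark lines are ignored, the first matching entry decides, and a source that matches no entry is dropped by the implicit deny that ends every ACL. The function names and the test source addresses are assumptions made for this illustration.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text):
    """Return (action, address, wildcard) tuples; remark lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split("#", 1)[-1].split()   # drop the CLI prompt if present
        if tok[:1] == ["access-list"]:         # numbered form: access-list <n> ...
            tok = tok[2:]
        if not tok or tok[0] in ("remark", "ip"):
            continue                           # comment or "ip access-list" header
        action, src = tok[0], tok[1:]
        if action not in ("permit", "deny") or not src:
            raise ValueError("unsupported entry: " + line)
        if src[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            addr, wild = src[1], "0.0.0.0"
        else:                                  # address with optional wildcard mask
            addr, wild = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        entries.append((action, to_int(addr), to_int(wild)))
    return entries

def evaluate(entries, source_ip):
    """First matching entry decides; no match means the implicit deny."""
    ip = to_int(source_ip)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF              # wildcard bit 1 = ignore that bit
        if (ip & care) == (addr & care):
            return action
    return "implicit deny"

# Entries copied from the examples above.
ACL_1 = parse_standard_acl("""
Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith workstation through
Switch(config)# access-list 1 deny 171.69.3.13
""")
PREVENTION = parse_standard_acl("""
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
""")

if __name__ == "__main__":
    # Constructed test sources, not taken from the guide.
    for ip in ("171.69.2.88", "171.69.3.13", "171.69.200.1", "10.1.1.1"):
        print(ip, evaluate(ACL_1, ip), evaluate(PREVENTION, ip))
```

With only the deny entry shown for the named list, a source outside 171.69.0.0 0.0.255.255 is still dropped by the implicit deny unless a permit entry is added.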
Creating Named MAC Extended ACLs
You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC
extended ACLs. The procedure is similar to that of configuring other extended named access lists.
Note Named MAC extended ACLs are used as a part of the mac access-group privileged EXEC command.
For more information about the supported non-IP protocols in the mac access-list extended command,
refer to the Catalyst 2950 Desktop Switch Command Reference for this release.
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition for
the deny and permit MAC access-list configuration mode commands, nor is matching on any
SNAP-encapsulated packet with a non-zero Organizational Unique Identifier (OUI).
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
        Command                        Purpose
Step 1  configure terminal             Enter global configuration mode.
Step 2  mac access-list extended name  Define an extended MAC access list by using a name.
