62-18
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Configuring Named IPv6 ACLs
EtherType matching allows you to classify tagged and untagged IP packets based on the EtherType
value. Tagged packets present a potential operation problem:
• While single-tagged packets are supported on the access and trunk ports, double-tagged packets are
not.
• Single and double-tagged packets are not supported if the port mode is dot1qtunnel.
For more information about the mac access-list extended command, refer to the Catalyst 4500 Series
Switch Cisco IOS Command Reference.
To create a named MAC extended ACL, perform this task:
This example shows how to create and display an access list named matching, permitting the 0x8863 and
0x8040 EtherType values:
Switch(config)# mac access-list extended matching
Switch(config-ext-macl)# permit any any 0x8863
Switch(config-ext-macl)# permit any any 0x8040
Switch(config-ext-macl)# end
Switch # show access-lists matching
Extended MAC access list matching
permit any any 0x8863
permit any any netbios
Switch #
Configuring Named IPv6 ACLs
Supervisor Engine 6-E, Supervisor Engine 6L-E, Supervisor Engine 7-E, Supervisor Engine 7L-E, and
Supervisor Engine 8-E support hardware-based IPv6 ACLs to filter unicast, multicast and broadcast IPv6
traffic on Layer 2 and Layer 3 interfaces. You can only configure such access lists on Layer 3 interfaces
that are configured with an IPv6 address.
Command Purpose
Step 1
Switch# configure terminal
Enters global configuration mode.
Step 2
Switch(config)# [no] mac access-list
extended name
Defines an extended MAC access list using a name.
To delete the entire ACL, use the no mac access-list extended
name global configuration command. You can also delete
individual ACEs from named MAC extended ACLs.
Step 3
Switch(config-ext-macl)# {deny | permit}
{any | host source MAC address | source
MAC address mask} {any | host destination
MAC address | destination MAC address
mask} [protocol-family {appletalk |
arp-non-ipv4 | decnet | ipx | ipv6 (not
supported on Sup 6-E and 6L-E)| rarp-ipv4
| rarp-non-ipv4 | vines | xns} |
ethertype]
In extended MAC access-list configuration mode, specify to
permit or deny any based upon the EtherTypes value, valid values
are 15636-65535.
Note You can specify matching by either EtherType or protocol
family but not both.
Step 4
Switch(config-ext-macl)# end
Returns to privileged EXEC mode.
Step 5
Switch# show access-lists [number | name]
Shows the access list configuration.
Step 6
Switch(config)# copy running-config
startup-config
(Optional) Saves your entries in the configuration file.
To Next Page
Loading...
