Configuring Access Control Lists access-list mac
34-8
Defaults
If insert, replace, or move are not specified, the new entry will be appended to the access list.
If source2 is not specified with move, only one entry will be moved.
If eq port is not specified, TCP/UDP ports are not used for filtering. Only the protocol, source, and
destination are used for applying the rule.
Mode
Global configuration: C3(su)->router(Config)#
Usage
Extended access lists are applied to VLAN interfaces by using the ip access-group command
(page 34-12) and to ports with the access-list interface command (page 34-14).
Valid access-list-numbers for extended ACLs are 100 to 199. For standard ACLs, valid values are 1
to 99.
All access lists have an implicit “deny any any” statement as their last entry.
Examples
This example shows how to define access list 145 to deny ICMP transmissions from any source
and for any destination:
C3(su)->router(Config)#access-list 145 deny ICMP any any
This example appends to access list 145 a permit statement that allows the host with IP address
88.255.255.254 to do an SSH remote login to any destination on TCP port 22.
C3(su)->router(Config)#access-list 145 permit tcp host 88.255.255.254 any eq 22
This example appends to access list 145 a permit statement that allows SNMP control traffic (from
UDP port 161) to be sent from IP addresses within the range defined by 88.255.128.0 0.0.127.255
to any destination.
C3(su)->router(Config)#access-list 145 permit udp 88.255.128.0 0.0.127.255 eq 161 any
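The three commands above build access list 145 in order, and the Defaults and Usage text fix the evaluation rules: entries are tried top-down, ports only filter when eq was given, addresses are matched with a wildcard mask (1 bits are “don't care”), and an unmatched packet hits the implicit deny any any. The following is an added illustration of those rules, not code from the switch or its documentation; the Entry class, evaluate() and the packet values are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means that bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


@dataclass
class Entry:  # constructed model of one extended-ACL entry
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "icmp"
    src: str = "any"                  # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str = "any"
    src_port: Optional[int] = None    # 'eq port' written after the source
    dst_port: Optional[int] = None    # 'eq port' written after the destination


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":            # host X is shorthand for X 0.0.0.0
        return wildcard_match(addr, parts[1], "0.0.0.0")
    return wildcard_match(addr, parts[0], parts[1])


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto != proto:
            continue
        if not (_addr_match(e.src, src) and _addr_match(e.dst, dst)):
            continue
        if e.src_port is not None and e.src_port != sport:   # only when eq given
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny"                      # implicit "deny any any" at the end


# Access list 145 exactly as the three commands in the examples build it
ACL_145 = [
    Entry("deny", "icmp"),
    Entry("permit", "tcp", "host 88.255.255.254", dst_port=22),
    Entry("permit", "udp", "88.255.128.0 0.0.127.255", src_port=161),
]
```

Note that 88.255.127.255 is outside the range 88.255.128.0 0.0.127.255 because bit 7 of the third octet is fixed by the mask, so SNMP traffic from that source falls through to the implicit deny.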
access-list mac
Use this command to define a MAC-based access list when operating in router mode. In order to
create a MAC-based access list, the switch must be put into access list “ipv6mode” with the
access-list ipv6mode command.
The no form of this command removes the defined access list or entry.
Syntax
To create a MAC-based ACL entry:
access-list mac name {deny | permit} {srcmac | any} {destmac | any} [ethertype ethertype] [vlan vlan-id] [priority pri] [assign-queue queue-id]
no access-list mac name [entryno [entryno]]
To insert or replace an ACL entry:
access-list mac name {insert | replace} entryno {deny | permit} {srcmac | any} {destmac | any} [ethertype ethertype] [vlan vlan-id] [priority pri] [assign-queue queue-id]