Support User Manuals

Cisco Systems DOC-7814982 Stereo System User Manual

Open as PDF

of 648

25-18

Catalyst 2950 Desktop Switch Software Configuration Guide

78-14982-01

Chapter 25 Configuring Network Security with ACLs

Configuring ACLs

In this example, the Jones subnet is not allowed to use outbound Telnet:

Switch(config)# ip access-list extended telnetting

Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out

Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet

Creating Named MAC Extended ACLs

You can filter Layer 2 traffic on a physical Layer 2 interface by using MAC addresses and named MAC

extended ACLs. The procedure is similar to that of configuring other extended named access lists.

Note Named MAC extended ACLs are used as a part of the mac access-group privileged EXEC command.

For more information about the supported non-IP protocols in the mac access-list extended command,

refer to the command reference for this release.

Note Matching on any SNAP-encapsulated packet with a nonzero Organizational Unique Identifier (OUI) is

not supported.

Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Use the no mac access-list extended name global configuration command to delete the entire ACL. You

can also delete individual ACEs from named MAC extended ACLs.

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

mac access-list extended name Define an extended MAC access list by using a name.

Step 3

{deny | permit} {any | host source MAC

address} {any | host destination MAC address}

[aarp | amber | appletalk | dec-spanning |

decnet-iv | diagnostic | dsm | etype-6000 |

etype-8042 | lat | lavc-sca | mop-console |

mop-dump | msdos | mumps | netbios |

vines-echo |vines-ip | xns-idp]

In extended MAC access-list configuration mode, specify to

permit or deny any source MAC address or a specific host source

MAC address and any destination MAC address.

(Optional) You can also enter these options:

aarp | amber | appletalk | dec-spanning | decnet-iv |

diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca |

mop-console | mop-dump | msdos | mumps | netbios |

vines-echo |vines-ip | xns-idp—(a non-IP protocol).

Step 4

end Return to privileged EXEC mode.

Step 5

show access-lists [number | name] Show the access list configuration.

Step 6

copy running-config startup-config (Optional) Save your entries in the configuration file.

previous next