Objectives
6-2
MAC ACLs
Layer 3:
IP ACLs
Specialized Layer 3 ACLs
VTY ACLs
SNMP ACLs
Loopback ACLs
6-3
MAC ACLs
Permit or deny traffic based on MAC address
Standard: based on source MAC address
Extended: based on
  Source MAC address
  Destination MAC address
  Ethernet frame type
Well-known MAC addresses are always permitted
Implicit permit at the end
The maximum size of the MAC ACL table is limited by the memory size on each system
6-4
MAC ACLs
To configure standard MAC ACLs:
Force10(conf)# mac access-list standard name
Force10(config-std-macl)# seq number {deny | permit} {any | mac-address mask} [log] [count [bytes]]
To configure extended MAC ACLs:
Force10(conf)# mac access-list extended name
Force10(config-ext-macl)# seq number {deny | permit} {any | host mac-address | mac-address mac-address-mask}
    {any | host mac-address | mac-address mac-address-mask} [ethertype operator] [log] [monitor] [count [byte]]
To apply MAC ACLs:
Force10(conf-if)# mac access-group name {in [vlan range] | out}
To show a MAC ACL:
Force10# show mac accounting access-list name
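The following is an added worked example that is not part of the course slides: it puts the three templates above together into one extended MAC ACL that drops frames from a single known station, logs and counts them, and binds the list inbound on an access port for one VLAN. The ACL name, the MAC address, the interface and the VLAN number are constructed values, and the prompts follow the abbreviated form used on the slides.

```text
! Constructed example: block one source station, count everything else.
! MAC ACLs end in an implicit permit, so the explicit "permit any any"
! line only exists to attach a hit counter to the remaining traffic.
Force10(conf)# mac access-list extended BLOCK-ROGUE-STATION
Force10(config-ext-macl)# seq 10 deny host 00:01:e8:aa:bb:cc any log count
Force10(config-ext-macl)# seq 20 permit any any count
Force10(config-ext-macl)# exit
! Bind the list inbound on the access port, restricted to VLAN 100 traffic
Force10(conf)# interface gigabitethernet 0/1
Force10(conf-if)# mac access-group BLOCK-ROGUE-STATION in vlan 100
Force10(conf-if)# end
! Hit counters confirm which sequence lines the traffic is matching
Force10# show mac accounting access-list BLOCK-ROGUE-STATION
```

Using the `host` keyword for the source avoids writing a MAC mask by hand; sequence numbers are spaced by ten so that a further exception can be inserted between the deny and the permit without renumbering.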
6-5
IP ACLs
Permit or deny traffic based on IP address
Standard: based on source IP address
Extended: based on
  Source IP address
  Destination IP address
  IP protocol
Implicit deny at the end
Implicit permit option can also be configured
The number of ACLs is dependent on the system memory size
6-6
To Configure IP ACLs
Standard ACL
Force10(conf)# ip access-list standard name
Force10(config-std-nacl)# seq number {deny | permit} {any | host ip-address | ip-address mask} [log] [count [byte]]
Extended ACL
Force10(conf)# ip access-list extended name
Force10(config-ext-nacl)# seq number {deny | permit} {ip | ip-protocol-number | tcp | udp | etc}
    {any | host ip-address | ip-address mask} [{eq | gt | etc} port(s)]
    {any | host ip-address | ip-address mask} [{eq | gt | etc} port(s)]
    [precedence number] [tos number] [log] [count [byte]]
6-7
IP ACLs
To apply IP ACLs to a physical interface:
Force10(conf-if)# ip access-group name {in | out} [implicit-permit] [vlan {range}]
ACLs can also be applied to a VLAN interface, which filters the VLAN's traffic on every port that belongs to the VLAN:
Force10(conf-if-vl)# ip access-group name {in | out} [implicit-permit]
To show an IP ACL:
Force10# show ip accounting access-list name
6-8
VTY ACLs
This is an IP ACL applied to VTY (Telnet) sessions
A standard IP ACL is used to limit the source IP addresses that can telnet to the switch
With local authentication, the ACL is attached to the user command
With remote authentication, the ACL is applied directly to the VTY lines
To configure VTY ACLs with local authentication, configure the command:
Force10(conf)# username name password word access-class acl-name
To configure VTY ACLs with remote authentication, configure the line command:
Force10(conf-line-vty)# access-class acl-name
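The following is an added worked example that is not part of the course slides. It covers the IP ACL and VTY ACL templates above in one configuration: an extended IP ACL on a VLAN interface that admits management traffic to the switch's own address and logs everything else aimed at it, and a standard IP ACL that restricts VTY access, shown in both the per-user (local authentication) and the per-line (remote authentication) form. The subnet, host address, ACL names, VLAN number, user name and password are constructed; the password in particular is a placeholder to be replaced.

```text
! Constructed example: extended IP ACL protecting the switch address.
! IP ACLs end in an implicit deny, so transit traffic must be permitted
! explicitly in the last line or the VLAN would stop forwarding.
Force10(conf)# ip access-list extended MGMT-FILTER
Force10(config-ext-nacl)# seq 10 permit tcp 10.10.0.0/24 host 192.0.2.1 eq 22
Force10(config-ext-nacl)# seq 20 permit tcp 10.10.0.0/24 host 192.0.2.1 eq 23
Force10(config-ext-nacl)# seq 30 permit udp 10.10.0.0/24 host 192.0.2.1 eq 161
Force10(config-ext-nacl)# seq 40 deny ip any host 192.0.2.1 log count
Force10(config-ext-nacl)# seq 50 permit ip any any
Force10(config-ext-nacl)# exit
! Apply inbound on the VLAN interface so every member port is filtered
Force10(conf)# interface vlan 100
Force10(conf-if-vl)# ip access-group MGMT-FILTER in
Force10(conf-if-vl)# exit

! Constructed example: standard IP ACL limiting who may reach the VTY lines.
! The explicit "deny any log" duplicates the implicit deny but records attempts.
Force10(conf)# ip access-list standard MGMT-HOSTS
Force10(config-std-nacl)# seq 5 permit 10.10.0.0/24
Force10(config-std-nacl)# seq 10 deny any log
Force10(config-std-nacl)# exit
! Local authentication: attach the ACL to the user (password is a placeholder)
Force10(conf)# username netops password CHANGE-ME-PLACEHOLDER access-class MGMT-HOSTS
! Remote authentication: attach the same ACL to the VTY lines instead
Force10(conf)# line vty 0 9
Force10(conf-line-vty)# access-class MGMT-HOSTS
Force10(conf-line-vty)# end
! Verify matches against the management filter
Force10# show ip accounting access-list MGMT-FILTER
```

The `log` and `count` keywords on the deny lines are what make the filters observable: a rising counter on sequence 40 or a VTY deny log entry is the signal that something outside the management subnet is probing the switch, which is worth checking before it is simply dropped.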
Summary
6-12