Creating named mac extended acls – Dell POWEREDGE M1000E User Manual

Page 764

Advertising
background image

34-28

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 34 Configuring Network Security with ACLs

Creating Named MAC Extended ACLs

This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0
0.0.0.255 and denies all UDP packets.

Switch(config)# ip access-list extended ext1

Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log

Switch(config-ext-nacl)# deny udp any any log

Switch(config-std-nacl)# exit

Switch(config)# interface gigabitethernet1/0/2

Switch(config-if)# ip access-group ext1 in

This is a an example of a log for an extended ACL:

01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1

packet

01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7

packets

01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1

packet

01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8

packets

Note that all logging entries for IP ACLs start with

%SEC-6-IPACCESSLOG

with minor variations in format

depending on the kind of ACL and the access entry that has been matched.

This is an example of an output message when the log-input keyword is entered:

00:04:21:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 (Vlan1

0001.42ef.a400) -> 10.1.1.61 (0/0), 1 packet

A log message for the same sort of packet using the log keyword does not include the input interface
information:

00:05:47:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 -> 10.1.1.61 (0/0), 1

packet

Creating Named MAC Extended ACLs

You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named
MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.

Note

You cannot apply named MAC extended ACLs to Layer 3 interfaces.

For more information about the supported non-IP protocols in the mac access-list extended command,
see the command reference for this release.

Note

Though visible in the command-line help strings, appletalk is not supported as a matching condition for
the deny and permit MAC access-list configuration mode commands.

Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

mac access-list extended name

Define an extended MAC access list using a name.

Advertising
Popular Brands
Popular manuals