Adding ethertype access lists – Cisco ASA 5505 User Manual

Page 397

Advertising
background image

16-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 16 Adding an EtherType Access List

Configuring EtherType Access Lists

Step 1

Create an access list by adding an ACE and applying an access list name, as shown in the

“Adding

EtherType Access Lists” section on page 16-3

.

Step 2

Apply the access list to an interface. (See the

“Configuring Access Rules” section on page 34-7

for more

information.)

Adding EtherType Access Lists

To configure an access list that controls traffic based upon its EtherType, perform the following steps:

Detailed Steps

Command

Purpose

access-list

access_list_name ethertype

{deny | permit} {ipx | bpdu | mpls-unicast

| mpls-multicast | is-is | any |

hex_number}

Example:

hostname(config)# hostname(config)#

access-list ETHER ethertype permit ipx

Adds an EtherType ACE.

The access_list_name argument lists the name or number of an access list.
When you specify an access list name, the ACE is added to the end of the
access list. Enter the access_list_name in upper case letters so that the
name is easy to see in the configuration. You might want to name the access
list for the interface (for example, INSIDE) or for the purpose (for
example, MPLS or PIX).

The permit keyword permits access if the conditions are matched.

The deny keyword denies access if the conditions are matched. If an
EtherType access list is configured to deny all, all ethernet frames are
discarded. Only physical protocol traffic, such as auto-negotiation, is still
allowed.

The ipx keyword specifies access to IPX.

The bpdu keyword specifies access to bridge protocol data units, which are
allowed by default.

The mpls-unicast keyword specifies access to MPLS unicast.

The mpls-multicast keyword specifies access to MPLS multicast.

The is-is keyword specifies access to IS-IS traffic (Version 8.4(5) only).

The any keyword specifies access for any traffic.

The hex_number argument indicates any EtherType that can be identified
by a 16-bit hexadecimal number greater than or equal to 0x600. (See RFC
1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list
of EtherTypes.)

Note

To remove an EtherType ACE, enter the no access-list command
with the entire command syntax string as it appears in the
configuration.

Advertising