OL-11615-01
Step 3 Apply the previously defined ACLs to the desired Layer 2 port using the access-group interface
configuration command:
Switch(config-if)# {ip | mac} access-group {name | number} {in | out}
In the following example an IP ACL and a MAC ACL are defined and applied to interface FastEthernet
6/1. The IP ACL, called simple-ip-acl, is configured to permit all TCP traffic and implicitly deny all
other IP traffic. The MAC ACL, simple-mac-acl, is configured to permit source host 000.000.011 to any
destination host. Finally, the PACL mode is set to prefer port:
Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# end
Switch(config)# mac access-list extended simple-mac-acl
Switch(config-ext-macl)# permit host 000.000.011 any
Switch(config-ext-macl)# end
Switch(config)# interface FastEthernet 6/1
Switch(config-if)# access-group mode prefer port
Switch(config-if)# ip access-group simple-ip-acl in
Switch(config-if)# mac access-group simple-mac-acl in
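The following is an added example written for this page, not Cisco software: a small Python model of the PACL above that renders the same IOS commands and evaluates sample frames against the two ACLs, so the implicit deny at the end of simple-ip-acl becomes visible. The class and function names, the sample frames, and the evaluation model (IP frames checked against the IP ACL, non-IP frames against the MAC ACL, each with first-match semantics and an implicit deny) are assumptions made here for illustration.

```python
"""Added example: minimal model of a Catalyst 4500 port ACL (PACL).
Not Cisco code. Names, sample frames and the evaluation model below are
assumptions made for this page."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IpAce:
    action: str          # "permit" or "deny"
    protocol: str        # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp", ...
    src: str = "any"     # "any" or a single host address (simplification)
    dst: str = "any"


@dataclass
class MacAce:
    action: str
    src: str = "any"     # "any" or a MAC address written as on the page
    dst: str = "any"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    protocol: Optional[str] = None   # None marks a non-IP frame
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def _match(value, pattern) -> bool:
    return pattern == "any" or pattern == value


def eval_ip_acl(acl: List[IpAce], frame: Frame) -> str:
    """First matching entry wins; running off the end is the implicit deny."""
    for ace in acl:
        if ((ace.protocol == "ip" or ace.protocol == frame.protocol)
                and _match(frame.src_ip, ace.src)
                and _match(frame.dst_ip, ace.dst)):
            return ace.action
    return "deny"


def eval_mac_acl(acl: List[MacAce], frame: Frame) -> str:
    for ace in acl:
        if _match(frame.src_mac, ace.src) and _match(frame.dst_mac, ace.dst):
            return ace.action
    return "deny"


def pacl_decision(ip_acl: List[IpAce], mac_acl: List[MacAce], frame: Frame) -> str:
    """Assumed model: IP frames are filtered by the IP ACL, all other frames by the MAC ACL."""
    if frame.protocol is not None:
        return eval_ip_acl(ip_acl, frame)
    return eval_mac_acl(mac_acl, frame)


def _ep(endpoint: str) -> str:
    return "any" if endpoint == "any" else f"host {endpoint}"


def render_pacl_config(ip_name, ip_acl, mac_name, mac_acl, interface, mode="prefer port") -> str:
    """Emit the IOS configuration in the same order as the page's example."""
    lines = [f"ip access-list extended {ip_name}"]
    lines += [f" {a.action} {a.protocol} {_ep(a.src)} {_ep(a.dst)}" for a in ip_acl]
    lines.append(f"mac access-list extended {mac_name}")
    lines += [f" {a.action} {_ep(a.src)} {_ep(a.dst)}" for a in mac_acl]
    lines += [f"interface {interface}",
              f" access-group mode {mode}",
              f" ip access-group {ip_name} in",
              f" mac access-group {mac_name} in"]
    return "\n".join(lines)


# The two ACLs from the page, expressed in this model.
SIMPLE_IP_ACL = [IpAce("permit", "tcp")]
SIMPLE_MAC_ACL = [MacAce("permit", src="000.000.011")]

if __name__ == "__main__":
    print(render_pacl_config("simple-ip-acl", SIMPLE_IP_ACL,
                             "simple-mac-acl", SIMPLE_MAC_ACL, "FastEthernet 6/1"))
    # Constructed sample frames: TCP is permitted, UDP falls to the implicit deny.
    for f in (Frame("0000.1111.2222", "0000.3333.4444", "tcp", "10.0.0.1", "10.0.0.2"),
              Frame("0000.1111.2222", "0000.3333.4444", "udp", "10.0.0.1", "10.0.0.2"),
              Frame("000.000.011", "ffff.ffff.ffff"),
              Frame("0000.5555.6666", "ffff.ffff.ffff")):
        print(f, "->", pacl_decision(SIMPLE_IP_ACL, SIMPLE_MAC_ACL, f))
```

Running the script prints the configuration block and four decisions; the UDP frame and the non-IP frame from an unlisted source are both denied without any explicit deny entry, which is the behaviour the text describes as the implicit deny.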
For more information on how to configure PACLs on Catalyst 4500 running Cisco IOS, refer to the
following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/conf/secure.htm#wp1071428
Unicast MAC Address Filtering (MAC Address-Based Traffic Blocking)
Unicast MAC address filtering, also known as MAC address-based traffic blocking, is an available
feature on Catalyst 6500 and 4500 Series switches running Cisco IOS software that provides alternative
filtering based on MAC addresses. Unicast MAC address filtering allows the definition of filter rules that
are run in hardware and that block all unicast traffic to and from a particular MAC address in a given
VLAN. This feature can be used in conjunction with other VLAN-based ACLs, but a unicast MAC
address filter takes precedence.
To block all unicast traffic to and from a particular MAC address in a specific VLAN, use the
mac-address-table command:
Switch(config)# mac-address-table static mac_address vlan vlan_ID drop
This example shows how to block all unicast traffic to and from MAC address 0050.3e8d.6400 in VLAN 12:
Switch# configure terminal
Switch(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop
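As an added example that is not part of the original document or of Cisco software, the Python below normalises MAC addresses into the dotted form IOS expects, generates deduplicated mac-address-table static ... drop lines for a list of (MAC, VLAN) pairs, and models the precedence rule stated above: a frame to or from a filtered MAC in that VLAN is dropped before any VLAN-based ACL is consulted, while the same MAC in another VLAN is unaffected. Function names, the unicast check, and the sample traffic are assumptions made here.

```python
"""Added example: build and check unicast MAC address filter entries.
Not Cisco code; names, the normaliser and the sample traffic are
assumptions made for this page."""
import re
from typing import Callable, Iterable, List, Set, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_cisco_mac(mac: str) -> str:
    """Accept 00:50:3e:8d:64:00, 00-50-3E-8D-64-00 or 0050.3e8d.6400; return hhhh.hhhh.hhhh."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def is_unicast(mac: str) -> bool:
    """The low bit of the first octet is the group (multicast/broadcast) bit."""
    first_octet = int(to_cisco_mac(mac)[0:2], 16)
    return (first_octet & 0x01) == 0


def render_drop_entries(entries: Iterable[Tuple[str, object]]) -> List[str]:
    """Return sorted, deduplicated IOS commands for (mac, vlan) pairs."""
    cmds: Set[str] = set()
    for mac, vlan in entries:
        vlan_id = int(vlan)
        if not 1 <= vlan_id <= 4094:
            raise ValueError(f"VLAN {vlan} out of range")
        if not is_unicast(mac):
            raise ValueError(f"{mac!r} is not a unicast address; this filter is for unicast MACs")
        cmds.add(f"mac-address-table static {to_cisco_mac(mac)} vlan {vlan_id} drop")
    return sorted(cmds)


class DropTable:
    """In-memory model of the static drop entries a switch would hold in hardware."""

    def __init__(self, entries: Iterable[Tuple[str, object]]):
        self.blocked: Set[Tuple[int, str]] = set()
        for mac, vlan in entries:
            if not is_unicast(mac):
                raise ValueError(f"{mac!r} is not a unicast address")
            self.blocked.add((int(vlan), to_cisco_mac(mac)))

    def forward(self, vlan: int, src_mac: str, dst_mac: str,
                vlan_acl: Callable[[str, str], str]) -> str:
        """Assumed order from the text: the unicast MAC filter is checked first and wins;
        only frames it does not drop are handed to the VLAN-based ACL."""
        if ((vlan, to_cisco_mac(src_mac)) in self.blocked
                or (vlan, to_cisco_mac(dst_mac)) in self.blocked):
            return "drop"
        return vlan_acl(src_mac, dst_mac)


if __name__ == "__main__":
    # Constructed input: the page's MAC in two spellings plus a second host.
    wanted = [("00:50:3e:8d:64:00", 12), ("0050.3e8d.6400", "12"), ("00-1A-2B-3C-4D-5E", 20)]
    for line in render_drop_entries(wanted):
        print(line)
    table = DropTable(wanted)
    permit_all = lambda s, d: "permit"   # a VLAN ACL that would allow everything
    print(table.forward(12, "0050.3e8d.6400", "ffff.ffff.ffff", permit_all))   # drop
    print(table.forward(13, "0050.3e8d.6400", "0000.1111.2222", permit_all))   # permit
```

The VLAN ACL is passed in as a callable so the precedence is explicit in the code: the drop table answers first, and a permit-everything VLAN ACL never sees a frame the filter has already dropped. Feeding a multicast or broadcast address to render_drop_entries raises, since the feature as described applies to unicast MAC addresses.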
For more information on how to configure MAC address-based traffic blocking on Catalyst 6500 running
Cisco IOS, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/secure.htm#wp1074871
For more information on how to configure unicast MAC address filtering on Catalyst 4500 running Cisco
IOS, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/conf/secure.htm#wp1066708