Chapter 31
Configuring Network Security with ACLs
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to
a Layer 2 interface:
Command
Step 1
configure terminal
Step 2
interface interface-id
Step 3
mac access-group {name} {in}
Step 4
end
Step 5
show mac access-group [interface interface-id]
Step 6
copy running-config startup-config
To remove the specified access group, use the no mac access-group {name} interface configuration
command.
This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# mac access-group mac1 in
The mac access-group interface configuration command is only valid when applied to a physical
Note
Layer 2 interface.You cannot use the command on EtherChannel port channels.
After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch
continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an
undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets.
Remember this behavior if you use undefined ACLs for network security.
OL-26520-01
Purpose
Enter global configuration mode.
Identify a specific interface, and enter interface configuration
mode. The interface must be a physical Layer 2 interface (port
ACL).
Control access to the specified interface by using the MAC access
list.
Port ACLs are supported only in the inbound direction.
Return to privileged EXEC mode.
Display the MAC access list applied to the interface or all Layer 2
interfaces.
(Optional) Save your entries in the configuration file.
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Creating Named MAC Extended ACLs
31-25