From: Daniel Free (danrose111@earthlink.net)
Date: Thu May 22 2003 - 15:08:08 GMT-3
Hi Tom,
I have pasted a portion of my notes that will
answer your question. A configuration example
is at the end. Best of luck.
Danny
3550 - Configuring network security with ACLs:
The switch supports two types of ACLs:
- IP ACLs filter IP traffic, including TCP, User Datagram Protocol (UDP),
Internet Group Management Protocol (IGMP), and Internet Control Message
Protocol (ICMP).
- Ethernet or MAC ACLs filter non-IP traffic.
Supported ACLs
The switch supports three applications of ACLs to filter traffic:
- Router ACLs access-control routed traffic between VLANs and are applied to
Layer 3 interfaces. You can apply one router ACL in each direction on an
interface.
- Port ACLs access-control traffic entering a Layer 2 interface. The switch
does not support port ACLs in the outbound direction. You can apply only one
IP access list and one MAC access list to a Layer 2 interface.
- VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You
can use VLAN maps to filter traffic between devices in the same VLAN. VLAN
maps are configured to provide access-control based on Layer 3 addresses for
IP. Unsupported protocols are access-controlled through MAC addresses by
using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets
(routed or bridged) entering the VLAN are checked against the VLAN map.
Packets can either enter the VLAN through a switch port or through a routed
port after being routed.
Port ACLs
You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are
supported on physical interfaces only and not on EtherChannel interfaces.
Port ACLs are applied on interfaces for inbound traffic only. These access
lists are supported on Layer 2 interfaces:
- Standard IP access lists using source addresses
- Extended IP access lists using source and destination addresses and
optional protocol type information
- MAC extended access lists using source and destination MAC addresses and
optional protocol type information
VLAN Maps
VLAN maps can access-control all traffic. You can apply VLAN maps on the
switch to all packets that are routed into or out of a VLAN or are bridged
within a VLAN. VLAN maps are used strictly for security packet filtering.
Unlike router ACLs, VLAN maps are not defined by direction (input or
output).
You can configure VLAN maps to match Layer 3 addresses for IP traffic. All
non-IP protocols are access-controlled through MAC addresses and Ethertype
using MAC VLAN maps. (IP traffic is not access controlled by MAC VLAN maps.)
You can enforce VLAN maps only on packets going through the switch; you
cannot enforce VLAN maps on traffic between hosts on a hub or on another
switch connected to this switch.
Configuration Example:
!
! Block Ethernet type 6000 traffic on port fa0/15
! 3550
mac access-list extended block6000
 deny any any etype-6000
 permit any any 0x0 0xFFFF
!
interface fa0/15
 mac access-group block6000 in
----- Original Message -----
From: "Tom Young" <gitsyoung@yahoo.co.jp>
To: <ccielab@groupstudy.com>
Sent: Thursday, May 22, 2003 11:48 AM
Subject: access-list for deny a ether type
> hi, group
>
> How to make an access-list to deny an ether type? For
> example, I don't want all the ether type 3550 frames out
> of my ether-port. How to do this?
>
> Thanks a lot
>
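The notes above describe VLAN maps as the way to filter non-IP traffic for a whole VLAN (bridged and routed) rather than per port, but the post only shows the port ACL form. The following is an added example, not from Danny's post or Cisco's documentation, showing the same Ethertype block as a VLAN map; the names type6000 and vmap10 and the VLAN number 10 are assumptions.

```ios
! Added example (not from the original post): drop Ethernet type 6000
! frames anywhere in VLAN 10, regardless of ingress port or direction.
! ACL name, map name and VLAN 10 are assumed values.
!
! Match clause: a MAC ACL whose permit ACE selects the frames to act on.
mac access-list extended type6000
 permit any any etype-6000
!
! Map entry 10: frames matched by the ACL are dropped.
vlan access-map vmap10 10
 match mac address type6000
 action drop
!
! Map entry 20: no match clause, so it matches everything else.
! Without it, non-IP frames that match no entry would hit the implicit drop.
vlan access-map vmap10 20
 action forward
!
! Apply the map to the VLAN. As the notes state, IP traffic is not
! access-controlled by MAC match clauses, so IP packets are still forwarded.
vlan filter vmap10 vlan-list 10
```

Verify with `show vlan access-map` and `show vlan filter`; the hub caveat from the notes still applies, since frames exchanged between hosts on the same hub never reach the switch.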
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:46 GMT-3