Tuesday, May 3, 2011

Switch Port Access Control Lists

Switch port ACLs can only be applied inbound, using named extended access lists, on Layer 2 switch interfaces.

MAC extended access lists perform filtering based on the source and destination MAC addresses, as well as the optional EtherType information.

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#mac access-list ?
  extended  Extended Access List

Switch(config)#mac access-list extended ?
  WORD  access-list name

Switch(config)#mac access-list extended example01
Switch(config-ext-macl)#deny any host ?
  H.H.H  48-bit destination MAC address

Switch(config-ext-macl)#deny any host 1111.1111.1111
Switch(config-ext-macl)#permit any any
Switch(config-ext-macl)#^Z
Switch#
Switch#sh access-list
Extended MAC access list example01
    deny   any host 1111.1111.1111
    permit any any
Switch#
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int fa0/1
Switch(config-if)#mac access-group example01 ?
  in  Apply to Ingress

Switch(config-if)#mac access-group example01 in
Switch(config-if)#^Z
Switch#
Switch#sh mac access-group int fa0/1
Interface FastEthernet0/1:
   Inbound access-list is example01
Switch#

The question is: do we really want to deny MAC addresses? Denying access based on the EtherType field in the Ethernet frame header is usually the better option.

Blocking 0x0800 would mean blocking all IPv4 traffic, which could be handy in the future when forcing everyone to run IPv6!

MAC access lists can filter traffic based on various EtherTypes:

Switch(config-ext-macl)#deny any any ?
  <0-65535>     An arbitrary EtherType in decimal, hex, or octal
  aarp          EtherType: AppleTalk ARP
  amber         EtherType: DEC-Amber
  appletalk     EtherType: AppleTalk/EtherTalk
  cos           CoS value
  dec-spanning  EtherType: DEC-Spanning-Tree
  decnet-iv     EtherType: DECnet Phase IV
  diagnostic    EtherType: DEC-Diagnostic
  dsm           EtherType: DEC-DSM
  etype-6000    EtherType: 0x6000
  etype-8042    EtherType: 0x8042
  lat           EtherType: DEC-LAT
  lavc-sca      EtherType: DEC-LAVC-SCA
  lsap          LSAP value
  mop-console   EtherType: DEC-MOP Remote Console
  mop-dump      EtherType: DEC-MOP Dump
  msdos         EtherType: DEC-MSDOS
  mumps         EtherType: DEC-MUMPS
  netbios       EtherType: DEC-NETBIOS
  vines-echo    EtherType: VINES Echo
  vines-ip      EtherType: VINES IP
  xns-idp       EtherType: XNS IDP
  <cr>
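To make the matching rules concrete, here is an added Python model of how a MAC extended ACL evaluates an Ethernet header: first matching entry wins, a MAC of None stands for "any", and the EtherType is compared under the IOS "don't care" mask. It is a simulation written for this post, not IOS code, and the frames it checks are constructed sample data; it covers both the post's example01 and the EtherType 0x0800 variant suggested above.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

def mac_to_bytes(mac: str) -> bytes:
    """Accept IOS dotted form (1111.1111.1111) or colon form (11:11:...)."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    src: Optional[str]               # None means "any", otherwise "host <MAC>"
    dst: Optional[str]               # None means "any", otherwise "host <MAC>"
    ethertype: Optional[int] = None  # None means match every EtherType
    etype_mask: int = 0x0000         # IOS "don't care" bits; 0x0 = exact match

    def matches(self, src: bytes, dst: bytes, etype: int) -> bool:
        if self.src is not None and mac_to_bytes(self.src) != src:
            return False
        if self.dst is not None and mac_to_bytes(self.dst) != dst:
            return False
        if self.ethertype is not None:
            # bits set in the mask are ignored when comparing EtherTypes
            if (etype | self.etype_mask) != (self.ethertype | self.etype_mask):
                return False
        return True

def parse_ethernet_header(frame: bytes):
    """Return (src, dst, ethertype) from the 14-byte Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return src, dst, etype

def evaluate(acl: List[Ace], frame: bytes) -> str:
    """First matching ACE wins; every MAC ACL ends with an implicit deny."""
    src, dst, etype = parse_ethernet_header(frame)
    for ace in acl:
        if ace.matches(src, dst, etype):
            return ace.action
    return "deny"

def build_frame(dst: str, src: str, etype: int, payload: bytes = b"") -> bytes:
    # constructed sample frame: dst MAC, src MAC, EtherType, optional payload
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", etype) + payload

# The post's example01: drop frames destined to 1111.1111.1111, permit the rest
EXAMPLE01 = [Ace("deny", None, "1111.1111.1111"), Ace("permit", None, None)]
# The EtherType approach the post suggests: drop IPv4 (0x0800), permit the rest
BLOCK_IPV4 = [Ace("deny", None, None, ethertype=0x0800), Ace("permit", None, None)]
```

Note that an empty list denies everything, which is the implicit deny at the end of every access list; the `permit any any` entries in the post exist precisely to override it.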
