Configure MAC Extended ACL Example
Network Requirements
- PC1, PC2, and the IP Phone are connected to the IP Network via Device1.
- Configure MAC extended ACL rules on Device2 so that users in VLAN2 cannot access the IP Network, and all users in VLAN3 except the voice users can access the IP Network.
Network Topology
Figure 15–4 Networking of configuring the MAC extended ACL
Configuration Steps
Step 1: Create the VLANs and configure the port link type on Device2.
#Create VLAN2 and VLAN3.
Device2#configure terminal
Device2(config)#vlan 2
Device2(config-vlan2)#exit
Device2(config)#vlan 3
Device2(config-vlan3)#exit

#Configure the link type of port gigabitethernet0/1 as Trunk, permitting VLAN2 and VLAN3 traffic to pass.
Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#switchport mode trunk
Device2(config-if-gigabitethernet0/1)#switchport trunk vlan 2-3
Device2(config-if-gigabitethernet0/1)#exit

Step 2: Configure the corresponding VLAN interfaces and IP addresses on Device1 and Device2. (Omitted)
Step 3: Configure Voice-VLAN on Device1 so that packets from the IP Phone are marked with CoS value 7. (Omitted) The CoS value is carried in the 802.1Q tag across the trunk, which is what the cos match of the MAC extended ACL on Device2 tests.
Step 4: Configure the MAC extended ACL.
#Configure the MAC extended ACL numbered 3001 on Device2.
Device2(config)#mac access-list extended 3001

#Configure the rule denying users in VLAN2 access to the IP Network.
Device2(config-ext-mac-nacl)#deny any any vlan-id 2

#Configure the rule denying voice users (CoS 7) in VLAN3 access to the IP Network.
Device2(config-ext-mac-nacl)#deny any any cos 7 vlan-id 3

#Configure the rule permitting the other users in VLAN3 to access the IP Network. It must follow the CoS 7 deny rule, because rules are matched in sequence order and the first match wins.
Device2(config-ext-mac-nacl)#permit any any vlan-id 3

#Commit the configured rules.
Device2(config-ext-mac-nacl)#commit

#View the information of ACL 3001 on Device2.
Device2#show access-list 3001
mac access-list extended 3001
10 deny any any vlan-id 2
20 deny any any cos 7 vlan-id 3
30 permit any any vlan-id 3
Step 5: Apply the MAC extended ACL.
#Apply MAC extended ACL 3001 to the ingress direction of port gigabitethernet0/1 on Device2.
Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#mac access-group 3001 in
Device2(config-if-gigabitethernet0/1)#exit

#View the ACLs applied to ports on Device2.
Device2#show acl-object interface
-----------Interface-----Bind-----Instance
Interface                Direction    AclType    AclName
gi0/1                    IN           MAC        3001
-----------Interface-----Bind-----Instance
Interface VlanId         Direction    AclType    AclName
Step 6: Check the result.
#PC2 can access the IP Network; PC1 and the IP Phone cannot. This matches the requirement: VLAN2 traffic is denied by rule 10, VLAN3 traffic marked CoS 7 is denied by rule 20, and the remaining VLAN3 traffic is permitted by rule 30. Note that rule 20 classifies by the CoS value in the frame, not by the sending device: any VLAN3 frame arriving on gigabitethernet0/1 with CoS 7 is dropped, and IP Phone traffic that arrives with a different CoS is permitted.
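The ACL evaluation of Steps 4 to 6, replayed as an added Python example (illustrative code written for this page, not part of the manual or of the device software): it builds constructed 802.1Q-tagged frames for PC1, PC2 and the IP Phone, extracts the VLAN ID and CoS from the tag's TCI field, and runs them through rules 10/20/30 with first-match semantics. The MAC addresses, the implicit deny at the end of the list, and the reordered-ACL check are assumptions of the example, not facts taken from the manual.

```python
"""Simulate MAC extended ACL 3001 against 802.1Q-tagged frames.

Added illustration, not device or manual code. It parses the 802.1Q tag
(TPID 0x8100; PCP bits = CoS, VID bits = VLAN ID) and evaluates the rules
in sequence order, first match wins, with an implicit deny when nothing
matches (assumed here, as on most platforms; confirm it for your device).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed sample MAC addresses (assumptions, not from the manual).
MAC_GATEWAY = bytes.fromhex("000000000001")
MAC_PC1 = bytes.fromhex("0200000000a1")
MAC_PC2 = bytes.fromhex("0200000000a2")
MAC_PHONE = bytes.fromhex("0200000000b1")


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    cos: Optional[int]      # PCP bits of the tag, i.e. the CoS the ACL matches


def parse_frame(raw: bytes) -> Frame:
    """Extract dst/src MAC and, if tagged, VLAN ID and CoS from the 802.1Q TCI."""
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, None)
    (tci,) = struct.unpack("!H", raw[14:16])
    return Frame(dst, src, vlan_id=tci & 0x0FFF, cos=tci >> 13)


def build_frame(dst: bytes, src: bytes, vlan_id: Optional[int] = None,
                cos: int = 0, ethertype: int = 0x0800) -> bytes:
    """Build a header-only Ethernet frame, 802.1Q-tagged when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype)
    tci = (cos << 13) | (vlan_id & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    src: Optional[bytes] = None  # None means "any"
    dst: Optional[bytes] = None
    vlan_id: Optional[int] = None
    cos: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        return ((self.src is None or self.src == f.src)
                and (self.dst is None or self.dst == f.dst)
                and (self.vlan_id is None or self.vlan_id == f.vlan_id)
                and (self.cos is None or self.cos == f.cos))


# The three rules of ACL 3001 as "show access-list 3001" lists them.
ACL_3001: List[Rule] = [
    Rule(10, "deny", vlan_id=2),          # deny any any vlan-id 2
    Rule(20, "deny", vlan_id=3, cos=7),   # deny any any cos 7 vlan-id 3
    Rule(30, "permit", vlan_id=3),        # permit any any vlan-id 3
]


def evaluate(acl: List[Rule], raw: bytes) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); None seq = implicit deny."""
    frame = parse_frame(raw)
    for rule in acl:
        if rule.matches(frame):
            return rule.action, rule.seq
    return "deny", None


def check_example() -> dict:
    """Replay Step 6 with constructed frames, plus two checks the manual does
    not show: an untagged frame and the ACL with rules 20 and 30 swapped."""
    pc1 = build_frame(MAC_GATEWAY, MAC_PC1, vlan_id=2)
    pc2 = build_frame(MAC_GATEWAY, MAC_PC2, vlan_id=3)
    phone = build_frame(MAC_GATEWAY, MAC_PHONE, vlan_id=3, cos=7)
    untagged = build_frame(MAC_GATEWAY, MAC_PC2)
    reordered = [ACL_3001[0], ACL_3001[2], ACL_3001[1]]  # permit before CoS 7 deny
    return {
        "pc1": evaluate(ACL_3001, pc1),
        "pc2": evaluate(ACL_3001, pc2),
        "phone": evaluate(ACL_3001, phone),
        "untagged": evaluate(ACL_3001, untagged),
        "phone_reordered": evaluate(reordered, phone),
    }


if __name__ == "__main__":
    for name, (action, seq) in check_example().items():
        print(f"{name:16s} {action:6s} (rule {seq})")
```

Running the script prints one verdict per frame. The reordered list shows why rule 30 must come after rule 20: with the permit first, the phone's CoS 7 frames match rule 30 and are forwarded, so the voice-user restriction silently stops working.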
- For the configuration of Voice-VLAN, refer to the Voice-VLAN chapter of the configuration manual.