Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure MAC Extended ACL Example

Network Requirements

  • PC1, PC2, and IP Phone are connected to IP Network via Device1.
  • Configure the MAC extended ACL rule on Device2, realizing that the user of VLAN2 cannot access IP Network, and except for the voice users, the other users of VLAN3 all can access IP Network.

Network Topology

Networking of configuring the MAC extended ACL

Figure 15–4 Networking of configuring the MAC extended ACL

Configuration Steps

Step 1: Configure the link type of VLAN and port on Device2.

#Create VLAN2 and VLAN3.

Devic2e#configure terminal
Device2(config)#vlan 2
Device2(config-vlan2)#exit
Device2#configure terminal
Device2(config)#vlan 3
Device2(config-vlan3)#exit

#Configure the link type of port gigabitethernet0/1 as Trunk, permitting the services of VLAN2 and VLAN3 to pass.

Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#switchport mode trunk
Device2(config-if-gigabitethernet0/1)#switchport trunk vlan 2-3
Device2(config-if-gigabitethernet0/1)#exit

Step 2: Configure the corresponding VLAN interface and IP address on Device1 and Device2. (Omitted)

Step 3: Configure Voice-VLAN to set the COS value of the packet from IP Phone as 7 on Device1. (Omitted)

Step 4: Configure the MAC extended ACL.

#Configure the MAC extended ACL with serial number 3001 on Device2.

Device2(config)#mac access-list extended 3001

#Configure the rule, preventing the users in VLAN2 from accessing IP Network.

Devic2(config-ext-mac-nacl)#deny any any vlan-id 2

#Configure the rule, preventing the voice users in VLAN3 from accessing IP Network.

Device2(config-ext-mac-nacl)#deny any any cos 7 vlan-id 3

#Configure the rule, permitting the other users in VLAN3 to access IP Network.

Device2(config-ext-mac-nacl)#permit any any vlan-id 3

#Submit the configured rule

Device2(config-ext-nacl)#commit

#View the information of the ACL with serial number 3001 on Device2.

Device2#show access-list 3001 mac access-list extended 3001 
 10 deny any any vlan-id 2 
 20 deny any any cos 7 vlan-id 3 
 30 permit any any vlan-id 3 

Step 5: Configure applying the MAC extended ACL.

#Apply the MAC extended ACL with serial number 3001 to the ingress of the port gigabitethernet0/1 on Device2.

Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#mac access-group 3001 in
Device2(config-if-gigabitethernet0/1)#exit

#View the information of the ACL applied to the port on Device2.

Device#show acl-object interface  
-----------Interface-----Bind-----Instance 	 
Interface----------------Direction----AclType----AclName 
gi0/1                    IN           MAC        3001 
-----------Interface-----Bind-----Instance
Interface VlanId---------Direction----AclType----AclName 

Step 6: Check the result.

#PC2 can access IP Network; PC1 and IP Phone cannot access IP Network.

note


  • For the configuration of Voice-VLAN, refer to the Voice-VLAN chapter of the configuration manual.