14-2 MAC Address and Protocol Type Code Access Lists

  • Standard MAC address access lists can be used to match against 48-bit source MAC addresses.

  • Extended MAC address access lists can be used to match against source and destination MAC addresses, as well as a data pattern (up to 4 bytes) at an offset within the packet.

  • Protocol type code access lists match against the 2-byte Ethernet protocol type codes contained in the packet header.

NOTE

Pay attention to the bit ordering that is used when an access list is applied to an interface. For example, an access list that is defined for Ethernet does not produce the same results on Token Ring or FDDI interfaces, because the bit ordering within each byte of a Token Ring or FDDI address is reversed relative to Ethernet. An address that matches on an Ethernet interface therefore silently fails to match when the same list is applied on Token Ring or FDDI unless it is rewritten in that media's bit order. Access lists for serial interfaces use Ethernet bit ordering.


Configuration

  1. Define a standard MAC address access list:

     (global) access-list acc-list {permit | deny} address mask

    The access list number acc-list is in the range of 700 to 799. The address field is a 48-bit MAC address written as three groups of four hex digits separated by dots (such as 0000.1111.2222). The mask field specifies a mask to use for matching multiple addresses. A 1 bit in the mask causes that address bit to be ignored.

  2. Define an extended MAC address access list:

     (global) access-list acc-list {permit | deny} source source-mask destination destination-mask [offset size operator operand]

    The access list number acc-list is in the range of 1100 to 1199. Both a source and a destination MAC address (source and destination) and their masks (source-mask and destination-mask) are specified for matching. The addresses are 48-bit MAC addresses written as three groups of four hex digits separated by dots (such as 0000.1111.2222). The mask fields specify masks to use for matching multiple addresses. A 1 bit in the mask causes that address bit to be ignored.

    An additional matching condition can be specified based on a comparison of bytes within the packet. Values can be given as decimal numbers or hex values beginning with 0x. The offset field defines the location of the group of bytes to match against. The offset is given as the number of bytes from the first byte of the destination address in the packet (not from the beginning of the packet); on an Ethernet II frame, for example, the source address begins at offset 6, the type field at offset 12, and the payload at offset 14. The size field is the number of bytes to compare (1 to 4). The comparison function is given as operator, and can be one of lt (less than), gt (greater than), eq (equal to), neq (not equal to), and (bitwise AND), xor (bitwise exclusive OR), or nop (no operation; compare addresses only). The operand field (decimal, hex with a leading 0x, or octal with a leading 0) specifies the value to compare or mask against.

  3. Define a protocol type code access list:

     (global) access-list acc-list {permit | deny} type-code mask

    The access list number acc-list is in the range of 200 to 299. The type-code field is a 16-bit value that is specified as 0x followed by four hex digits. For Ethernet frames, this value is the Ethernet type code; for 802.3 or 802.5 frames, it is the DSAP/SSAP pair. The mask is a 16-bit value used for type-code comparison, where a 1 bit indicates a type-code bit that should be ignored; a mask of 0x0000 requires an exact match on all 16 bits.

    NOTE

    The Ethernet type-code values are listed in Appendix K, "Ethernet Type-Codes."

Examples

Access list 701 is used to filter packets based on the source MAC address. Addresses 0002.2000.3210 and 0002.2000.3211 are permitted (notice the wildcard 1 bit in the least-significant position), and all other addresses are denied. The mask ffff.ffff.ffff sets every wildcard bit, so the deny entry matches any source address; a mask written as 1111.1111.1111 would set only one bit in each hex digit and would not match all other addresses.

  access-list 701 permit 0002.2000.3210 0000.0000.0001
  access-list 701 deny 0000.0000.0000 ffff.ffff.ffff

Access list 1101 is used to filter packets based on extended MAC address options. Packets going from 1111.2222.3333 to 0011.0022.0033 are denied. Packets with a source address of 0101.0202.0303 going to any address (destination mask ffff.ffff.ffff) are checked for a byte pattern. The pattern begins 60 bytes from the start of the destination address and is 2 bytes long. If those 2 bytes equal the hex value 0x0f32, the packet is permitted. Packets that match neither entry are dropped by the implicit deny at the end of the list.

  access-list 1101 deny 1111.2222.3333 0000.0000.0000 0011.0022.0033 0000.0000.0000
  access-list 1101 permit 0101.0202.0303 0000.0000.0000 0000.0000.0000 ffff.ffff.ffff 60 2 eq 0x0f32

Access list 201 is used to permit IP (Ethernet type code 0x0800) and ARP (0x0806) packets, while all others are dropped by the implicit deny at the end of the list. The mask 0x0000 requires an exact match on the type code.

  access-list 201 permit 0x0800 0x0000
  access-list 201 permit 0x0806 0x0000
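The matching rules of steps 1 to 3 and the three example lists above, worked through in an added Python evaluator (this is example code, not code from the Cisco Field Manual or from IOS): it applies the wildcard masks, the offset/size/operator pattern test and the implicit deny to constructed Ethernet II frames, and it also runs the permitted station address through the per-byte bit reversal the earlier NOTE describes to show that list 701 stops matching it. The function names, the Frame class, the sample frames, the treatment of a frame too short for the pattern test as a non-match, and the reading of the and/xor operators as matching on a non-zero result are all this example's own assumptions.

```python
"""Evaluator for the three access-list types described above.

Added example, not code from the Cisco Field Manual or IOS: the text's matching
rules (wildcard masks, offset/size/operator pattern test, implicit deny at the
end of every list) are applied to constructed Ethernet II frames. Names are this
example's own; 'and'/'xor' are assumed to match on a non-zero result.
"""
from dataclasses import dataclass

ANY = 0xFFFFFFFFFFFF  # wildcard ffff.ffff.ffff: every address bit ignored

def mac_to_int(dotted):
    """Parse IOS 'hhhh.hhhh.hhhh' notation into a 48-bit integer."""
    return int(dotted.replace(".", ""), 16)

def bit_reverse_bytes(mac):
    """Reverse the bit order inside each byte (Ethernet <-> Token Ring/FDDI
    form), the mismatch the NOTE on bit ordering warns about."""
    out = 0
    for i in range(6):
        byte = (mac >> (8 * i)) & 0xFF
        out |= int(f"{byte:08b}"[::-1], 2) << (8 * i)
    return out

def wildcard_match(value, pattern, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'ignore this bit'."""
    return (value & ~wildcard) == (pattern & ~wildcard)

@dataclass
class Frame:
    """Constructed Ethernet II frame; the destination address is first on the wire."""
    dst: int
    src: int
    ethertype: int
    payload: bytes = b""
    def raw(self):
        return (self.dst.to_bytes(6, "big") + self.src.to_bytes(6, "big")
                + self.ethertype.to_bytes(2, "big") + self.payload)

OPS = {"eq": lambda v, o: v == o, "neq": lambda v, o: v != o,
       "lt": lambda v, o: v < o, "gt": lambda v, o: v > o,
       "and": lambda v, o: (v & o) != 0, "xor": lambda v, o: (v ^ o) != 0,
       "nop": lambda v, o: True}

def pattern_match(raw, pattern):
    """Compare `size` bytes at `offset`, counted from the destination address."""
    if pattern is None:
        return True
    offset, size, op, operand = pattern
    if not 1 <= size <= 4 or offset + size > len(raw):
        return False  # assumption: a frame too short to compare does not match
    return OPS[op](int.from_bytes(raw[offset:offset + size], "big"), operand)

def standard_mac_acl(frame, entries):
    """700-799: entries (action, address, wildcard) tested against the source MAC."""
    for action, addr, wild in entries:
        if wildcard_match(frame.src, addr, wild):
            return action == "permit"
    return False  # implicit deny at the end of every list

def extended_mac_acl(frame, entries):
    """1100-1199: entries (action, src, src_wild, dst, dst_wild, pattern-or-None)."""
    raw = frame.raw()
    for action, src, sw, dst, dw, pattern in entries:
        if (wildcard_match(frame.src, src, sw) and wildcard_match(frame.dst, dst, dw)
                and pattern_match(raw, pattern)):
            return action == "permit"
    return False

def type_code_acl(frame, entries):
    """200-299: entries (action, type_code, wildcard); Ethernet II type field only."""
    for action, code, wild in entries:
        if wildcard_match(frame.ethertype, code, wild):
            return action == "permit"
    return False

# The Examples section's three lists, transcribed for this evaluator.
ACL_701 = [("permit", mac_to_int("0002.2000.3210"), mac_to_int("0000.0000.0001")),
           ("deny", 0, ANY)]
ACL_1101 = [("deny", mac_to_int("1111.2222.3333"), 0, mac_to_int("0011.0022.0033"), 0, None),
            ("permit", mac_to_int("0101.0202.0303"), 0, 0, ANY, (60, 2, "eq", 0x0F32))]
ACL_201 = [("permit", 0x0800, 0), ("permit", 0x0806, 0)]

def demo():
    """Run constructed frames through the lists; returns name -> permitted."""
    m = mac_to_int
    hit = bytes(46) + b"\x0f\x32"  # 14-byte header + 46 bytes puts 0x0f32 at offset 60
    return {
        "701 permits .3211": standard_mac_acl(Frame(0, m("0002.2000.3211"), 0x0800), ACL_701),
        "701 denies .3212": standard_mac_acl(Frame(0, m("0002.2000.3212"), 0x0800), ACL_701),
        "701 bit-reversed src": standard_mac_acl(Frame(0, bit_reverse_bytes(m("0002.2000.3210")), 0x0800), ACL_701),
        "1101 denied pair": extended_mac_acl(Frame(m("0011.0022.0033"), m("1111.2222.3333"), 0x0800), ACL_1101),
        "1101 pattern hit": extended_mac_acl(
            Frame(m("ffff.ffff.ffff"), m("0101.0202.0303"), 0x0800, hit), ACL_1101),
        "1101 short frame": extended_mac_acl(
            Frame(m("ffff.ffff.ffff"), m("0101.0202.0303"), 0x0800, bytes(40)), ACL_1101),
        "201 permits ARP": type_code_acl(Frame(0, 0, 0x0806), ACL_201),
        "201 denies IPv6": type_code_acl(Frame(0, 0, 0x86DD), ACL_201),
    }
```

Calling demo() returns a verdict per constructed frame. The "701 bit-reversed src" case is the NOTE's failure mode: 0002.2000.3210 seen through Token Ring bit ordering becomes 0040.0400.4c08, which no entry of list 701 matches. The "1101 short frame" case shows that a permit entry whose pattern test cannot be evaluated falls through to the implicit deny, so a pattern-based permit never lets a truncated frame through.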


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185