7.5. Configuring Extern ACL

Overview

Function Introduction

Extend IPv4 ACL combines MAC filters with IP filters in one access list. Unlike MAC ACL and IP ACL, an extend ACL can access-control all packets (IP packets and non-IP packets). Extend ACL supports extend IPv4 ACL.

Principle Description

The following is a brief description of the terms and concepts used to describe the extend ACL.

  • Extend IPv4 ACL: An extend IPv4 ACL takes advantage of both MAC ACL and IPv4 ACL, combining MAC ACEs with IPv4 ACEs in one ACL to provide more powerful access control of traversing packets.

  • MAC ACE: Filters packets by source MAC (mac-sa) and destination MAC (mac-da); each MAC address can be masked, configured as a host address, or configured as any to match all MAC addresses. Other L2 fields, such as COS, VLAN-ID, INNER-COS, INNER-VLAN-ID, L2 type and L3 type, can also be filtered by a MAC ACE.

  • IPv4 ACE: Filters packets by source IP (ip-sa) and destination IP (ip-da); each IP address can be masked, configured as a host address, or configured as any to match all IPv4 addresses. Other L3 fields such as DSCP and L4 protocol, and L4 fields such as TCP port and UDP port, can also be filtered by an IPv4 ACE.

The MAC ACEs and IPv4 ACEs in an extend IPv4 ACL can be interleaved in any order; the order is entirely specified by the user.

Configuration

Fig. 7.3 Extend ACL

In this example, an extend IPv4 ACL is applied on interface eth-0-1 to permit packets with source MAC 0000.0000.1111 and COS value 2, permit all TCP packets, and deny all other packets.

step 1 Enter the configure mode

Switch# configure terminal

step 2 Create access list

Switch(config)# ip access-list ipxacl extend
Switch(config-ex-ip-acl)# permit src-mac host 0000.0000.1111 dest-mac any cos 2
Switch(config-ex-ip-acl)# permit tcp any any
Switch(config-ex-ip-acl)# deny src-mac any dest-mac any
Switch(config-ex-ip-acl)# end

step 3 Create class-map, and bind the access list

Switch(config)# class-map cmap
Switch(config-cmap)# match access-group ipxacl
Switch(config-cmap)# exit

step 4 Create policy-map and bind the class map

Switch(config)# policy-map pmap
Switch(config-pmap)# class cmap
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit

step 5 Apply the policy to the interface

Switch(config)# interface eth-0-1
Switch(config-if)# service-policy input pmap
Switch(config-if)# exit

step 6 Exit the configure mode

Switch(config)# end

step 7 Validation

The result of show running-config is as follows:

Switch# show running-config
ip access-list ipxacl extend
10 permit src-mac host 0000.0000.1111 dest-mac any cos 2
20 permit tcp any any
30 deny src-mac any dest-mac any
 !
class-map match-any cmap
match access-group ipxacl
 !
policy-map pmap
class cmap
 !
interface eth-0-1
service-policy input pmap
 !
Switch# show access-list ip
ip access-list ipxacl extend
10 permit src-mac host 0000.0000.1111 dest-mac any cos 2
20 permit tcp any any
30 deny src-mac any dest-mac any
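To check what the ACL above actually does to different kinds of frames before it is applied, here is an added Python model of its first-match evaluation (example code, not from the switch or this documentation). It assumes ACEs are tried in sequence-number order, the first matching ACE decides, and a frame that matches no ACE is dropped (implicit deny); the Frame and Ace classes are hypothetical helpers.

```python
# Added example: offline model of extend IPv4 ACL evaluation.
# Assumption: first-match in sequence order, implicit deny at the end.
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    cos: int
    l4_proto: Optional[str] = None  # "tcp", "udp", ... or None for non-IP frames (e.g. ARP)

@dataclass
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    kind: str                       # "mac" ACE or "ip" ACE
    src_mac: str = "any"            # MAC ACE: "any" or "host <addr>"
    dst_mac: str = "any"
    cos: Optional[int] = None       # MAC ACE: COS value, None = not checked
    l4_proto: Optional[str] = None  # IP ACE: protocol keyword, None = any IP

    def matches(self, f: Frame) -> bool:
        if self.kind == "mac":
            return (self.src_mac in ("any", f"host {f.src_mac}")
                    and self.dst_mac in ("any", f"host {f.dst_mac}")
                    and (self.cos is None or self.cos == f.cos))
        # An IP ACE can only match IP frames; non-IP frames fall through
        # to later ACEs, which is why a MAC ACE is needed to catch them.
        if f.l4_proto is None:
            return False
        return self.l4_proto is None or self.l4_proto == f.l4_proto

# The extend ACL "ipxacl" from the configuration above (constructed sample data).
IPXACL: List[Ace] = [
    Ace(10, "permit", "mac", src_mac="host 0000.0000.1111", cos=2),
    Ace(20, "permit", "ip", l4_proto="tcp"),
    Ace(30, "deny", "mac"),
]

def evaluate(acl: List[Ace], frame: Frame) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching ACE, or ("deny", None) for the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(frame):
            return ace.action, ace.seq
    return "deny", None
```

Dropping ACE 30 from the list shows why it matters: an ARP frame then hits only the implicit deny, while a mixed list without any MAC ACE would never be able to match non-IP traffic explicitly.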

Application cases

N/A