EtherType ACL on IOS Router

sasha · ‎01-29-2020

Hi. How to create an access list which filters out Layer2 packets with specific ethertype on a Cisco IOS router (probably 800 series with IOS 15.x)?

Here's how we do it on an IOS switch:

mac access-list extended ipc
deny any any 0x1515 0x0
deny any any 0x1516 0x0
permit any any

interface FastEthernet0/1
mac access-group ipc in

But how to do that on an IOS router? If I use e.g. access-list 1100, is "0.0.0" alias for "any", and which is the offset? Or, is there some other way? Thanks and best regards.

pieterh · ‎01-30-2020

Hmmmm….

first what comes up is
switch -> L2 device versus router -> L3 device, so it may be there is no corresponding ACL on a router,

quick search found this document for ASA ethertype ACL

but I keep searching and let you know.

sasha · ‎02-08-2020

So, let me answer to myself :-) . Here's the equivalent Ethertype ACL on an IOS router:

access-list 200 deny 0x1515 0x0000
access-list 200 deny 0x1516 0x0000
access-list 200 permit 0x0000 0x0000

Commands to implement that ACL on an interface:

bridge-group 1
bridge-group 1 input-type-list 200

The same effect can be accomplished with an extended MAC ACL, because Ethertype is on offset 12 (0xC) from dst address and it's 2 bytes long:

access-list 1100 deny 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff 0xC 2 eq 0x1515
access-list 1100 deny 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff 0xC 2 eq 0x1516
access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff

Commands to implement that ACL on an interface:

bridge-group 1
bridge-group 1 input-pattern-list 1100

But that doesn't solve our problem, because we need to filter traffic going to a Layer 2 tunnel! I'll post another question regarding that, because it's out of scope of this title. But is there any way to implement Ethertype ACL to a physical interface, not to a bridge group? Thanks.