01-29-2020 05:31 AM
Hi. How do I create an access list that filters out Layer 2 packets with a specific Ethertype on a Cisco IOS router (probably an 800 series with IOS 15.x)?
Here's how we do it on an IOS switch:
mac access-list extended ipc
deny any any 0x1515 0x0
deny any any 0x1516 0x0
permit any any
interface FastEthernet0/1
mac access-group ipc in
But how do I do that on an IOS router? If I use e.g. access-list 1100, is "0.0.0" an alias for "any", and what is the offset? Or is there some other way? Thanks and best regards.
01-30-2020 03:33 AM
Hmmmm….
The first thing that comes up is:
switch -> L2 device versus router -> L3 device, so it may be that there is no corresponding ACL on a router.
A quick search found this document for ASA Ethertype ACL,
but I'll keep searching and let you know.
02-08-2020 12:44 PM
So, let me answer myself :-). Here's the equivalent Ethertype ACL on an IOS router:
access-list 200 deny 0x1515 0x0000
access-list 200 deny 0x1516 0x0000
access-list 200 permit 0x0000 0x0000
Commands to implement that ACL on an interface:
bridge-group 1
bridge-group 1 input-type-list 200
The same effect can be accomplished with an extended MAC ACL, because the Ethertype is at offset 12 (0xC) from the destination address and is 2 bytes long:
access-list 1100 deny 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff 0xC 2 eq 0x1515
access-list 1100 deny 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff 0xC 2 eq 0x1516
access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff
Commands to implement that ACL on an interface:
bridge-group 1
bridge-group 1 input-pattern-list 1100
But that doesn't solve our problem, because we need to filter traffic going to a Layer 2 tunnel! I'll post another question about that, because it's out of scope for this title. But is there any way to apply an Ethertype ACL to a physical interface, not to a bridge group? Thanks.