ACL
1. Function Overview
The access list (ACL) is a conditional statement that determines whether to permit or to deny the frame.
If the access list is applied to the interface, only the permitted frame will be transferred, and the denied frame will be discarded.
As this allows for only specified frames to be selected for transfer, this feature is primarily used for security purposes.
This product supports three access list types, as shown in the table below.

Access list types:

Access list type | Deciding criteria | Access list ID | Purpose of use |
---|---|---|---|
IPv4 access list | Source IPv4 address, destination IPv4 address, IP protocol type | 1–2000 | Filters access from specific hosts and networks. Filters specific IP protocol types such as TCP/UDP. |
IPv6 access list | Source IPv6 address | 3001–4000 | Filters access from specific hosts and networks. |
MAC access list | Source MAC address, destination MAC address | 2001–3000 | Filters access and data transfer from specific devices. |
2. Definition of Terms Used
ACL
Abbreviation of “Access Control List”.
Wildcard mask
Information that specifies which bits of a given IPv4 address or MAC address are compared. It is used to specify a range of IPv4 addresses or MAC addresses as an ACL condition.
- When the wildcard mask bit is "0": the corresponding address bit is checked.
- When the wildcard mask bit is "1": the corresponding address bit is not checked.
Note that this is the inverse of a subnet mask: 0.0.0.255 checks the first 24 bits, whereas 255.255.255.0 would check only the last 8. Examples of settings using wildcard masks are shown below (the second value is the wildcard mask).
- To specify subnet 192.168.1.0/24 as a condition: 192.168.1.0 0.0.0.255 (specified in decimal)
- To specify vendor code 00-A0-DE-xx-xx-xx as a condition: 00A0.DE00.0000 0000.00FF.FFFF (specified in hexadecimal)
3. Function Details
3.1. Generate access list
As many access lists can be generated as there are IDs in each access list ID range (refer to the table in 1 Function Overview).
A maximum of 256 control conditions can be registered per access list.
If a frame satisfies none of the registered control conditions, it is forwarded as usual. In other words, there is no implicit deny at the end of an access list: a list that only contains permit conditions blocks nothing. To drop everything that is not explicitly permitted, register an explicit deny condition as the last entry, as the examples in 5 do.
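The following Python program is an added example, not code from the Yamaha documentation or from the switch firmware. It models the wildcard-mask comparison defined in 2 and the first-match, forward-if-unmatched evaluation described in 3.1, using access lists #123 (5.1.1, network form) and #2001 (5.3.1, vendor form) as data. The model assumes that conditions are tested in sequence-number order and that the first matching condition decides; the IP protocol field (the first "any" in the access-list command) is omitted, and the sample addresses are constructed.

```python
# Added example: Python model of the wildcard-mask comparison (section 2)
# and of first-match access list evaluation that forwards unmatched
# frames (section 3.1). Illustration only, not the switch firmware.
# Assumptions: conditions are tested in sequence-number order, the first
# matching condition decides, and the IP protocol field is ignored.
import ipaddress


def ipv4_wildcard(prefix_len: int) -> str:
    """Wildcard for a prefix length: bit 0 = check the bit, bit 1 = ignore it."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def mac_int(mac: str) -> int:
    """Accept 00-A0-DE-12-34-56, 00:a0:de:12:34:56 or 00a0.de12.3456."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def mac_str(value: int) -> str:
    """Format as the xxxx.xxxx.xxxx notation used by the access-list command."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_wildcard(checked_octets: int = 3) -> str:
    """Wildcard that checks only the leading octets (3 = vendor code)."""
    return mac_str((1 << (8 * (6 - checked_octets))) - 1)


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Bits set to 1 in the wildcard are excluded from the comparison."""
    return (value & ~wildcard) == (pattern & ~wildcard)


# Condition builders return (pattern, wildcard) pairs.
IP_ANY = (0, 0xFFFFFFFF)
MAC_ANY = (0, 0xFFFFFFFFFFFF)


def ip_host(addr: str):
    return (int(ipaddress.IPv4Address(addr)), 0)


def ip_net(cidr: str):
    net = ipaddress.IPv4Network(cidr)
    return (int(net.network_address), int(net.hostmask))  # hostmask is the wildcard


def mac_vendor(oui: str):
    """Vendor code such as 00-A0-DE: the last three octets are not checked."""
    return (mac_int(oui) << 24, mac_int(mac_wildcard(3)))


def evaluate(rules, src: int, dst: int) -> str:
    """First matching rule decides; no match means the frame is forwarded."""
    for action, (sp, sw), (dp, dw) in rules:
        if wildcard_match(src, sp, sw) and wildcard_match(dst, dp, dw):
            return action
    return "permit"


# Access list 123 as built in 5.1.1 ("Specify network"), with its final deny.
ACL123 = [
    ("permit", ip_net("192.168.1.0/24"), ip_host("10.1.1.1")),
    ("deny", IP_ANY, IP_ANY),
]
# The same list with the final deny forgotten.
ACL123_NO_DENY = ACL123[:1]
# Access list 2001 as built in 5.3.1 ("Specify vendor").
ACL2001 = [("deny", mac_vendor("00-A0-DE"), MAC_ANY)]


def ip_decision(acl, src: str, dst: str) -> str:
    return evaluate(acl, int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)))


def mac_decision(acl, src: str, dst: str) -> str:
    return evaluate(acl, mac_int(src), mac_int(dst))


if __name__ == "__main__":
    # Constructed sample addresses.
    print(ipv4_wildcard(24), mac_wildcard())                        # 0.0.0.255 0000.00ff.ffff
    print(ip_decision(ACL123, "192.168.1.77", "10.1.1.1"))          # permit
    print(ip_decision(ACL123, "192.168.2.5", "10.1.1.1"))           # deny
    print(ip_decision(ACL123_NO_DENY, "192.168.2.5", "10.1.1.1"))   # permit: forwarded as usual
    print(mac_decision(ACL2001, "00-A0-DE-12-34-56", "ff-ff-ff-ff-ff-ff"))  # deny
    print(mac_decision(ACL2001, "00-A0-DF-12-34-56", "ff-ff-ff-ff-ff-ff"))  # permit
```

The ACL123_NO_DENY case is the one to remember: without the explicit final deny, a source outside 192.168.1.0/24 is forwarded as usual, because the list contains no condition that it satisfies. The vendor-code list, by contrast, is intentionally deny-only and relies on that default to let every other source through.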
3.2. Applying to the interface
The following table shows the input/output interfaces of this product to which each access list type can be applied.
Note that one access list can be applied to the IN side and one to the OUT side of an interface.

Status of access list application to the interface:

Access list type | LAN/SFP port in | LAN/SFP port out | VLAN interface in | VLAN interface out | Static/LACP logical interface in | Static/LACP logical interface out |
---|---|---|---|---|---|---|
IPv4 access list | Yes | Yes (*) | Yes | Yes (*) | Yes | No |
IPv6 access list | Yes | Yes | Yes | Yes | Yes | No |
MAC access list | Yes | No | Yes | No | Yes | No |

(*) As a limitation, an IPv4 access list that specifies a range of port numbers cannot be applied to the output (out) side of an interface.
The number of access lists that can be applied to an interface depends on the number of control conditions registered in those access lists.
On this product, a maximum of 512 control conditions can be applied to an interface.
Applying an access list to an interface consumes resources equal to the number of control conditions registered in that access list.
However, the system may also use control conditions internally in some cases, and these consume resources from the same budget.
3.3. Settings for the LAN/SFP port and logical interface
The steps for applying an access list to a LAN/SFP port and to a logical interface are shown below.
1. Decide on the filtering parameters, and generate the access list. Add explanatory text (a description) as necessary.
2. Check the access list.
3. Apply the access list to the LAN/SFP port or logical interface.
4. Check the applied access list.
A list of operation commands is given below.

Access list operating commands (when applied to the LAN/SFP port and logical interface):

Access list type | Generate access list | Check access list | Apply access list | Check applied access list |
---|---|---|---|---|
IPv4 access list | access-list | show access-list | access-group | show access-group |
IPv6 access list | access-list | show access-list | access-group | show access-group |
MAC access list | access-list | show access-list | access-group | show access-group |
3.4. VLAN interface settings
The steps for applying an access list to the VLAN interface are shown below.
1. Decide on the filtering parameters, and generate the access list. Add explanatory text (a description) as necessary.
2. Check the access list.
3. Generate the VLAN access map.
4. Set the access list in the VLAN access map.
5. Check the VLAN access map.
6. Apply the VLAN access map to the VLAN.
7. Check the applied VLAN access map.
Steps 1 and 2 are the same as in 3.3.
The following is a list of operating commands for step 3 and later.

VLAN access map operating commands:

Access list type | VLAN access map generation | Settings for access list used with VLAN access map | VLAN access map confirmation | VLAN access map application | Confirmation of the applied VLAN access map |
---|---|---|---|---|---|
IPv4 access list | vlan access-map | match access-list | show vlan access-map | vlan filter | show vlan filter |
IPv6 access list | vlan access-map | match access-list | show vlan access-map | vlan filter | show vlan filter |
MAC access list | vlan access-map | match access-list | show vlan access-map | vlan filter | show vlan filter |
4. Related Commands
Related commands are indicated below.
For details on the commands, refer to the Command Reference.
Operations | Operating commands |
---|---|
Generate IPv4 access list | access-list |
Add IPv4 access list explanatory text | access-list description |
Apply IPv4 access list | access-group |
Generate IPv6 access list | access-list |
Add IPv6 access list explanatory text | access-list description |
Apply IPv6 access list | access-group |
Generate MAC access list | access-list |
Add MAC access list explanatory text | access-list description |
Apply MAC access list | access-group |
Show generated access list | show access-list |
Show access list applied to interface | show access-group |
Create VLAN access map | vlan access-map |
Set VLAN access map parameters | match |
Assign VLAN access map to VLAN | vlan filter |
Show VLAN access map | show vlan access-map |
Show VLAN access map filter | show vlan filter |
5. Examples of Command Execution
5.1. IPv4 access list settings
5.1.1. Example of application to a LAN port
■ Specify host
Set LAN port #1 so that access is only permitted from host 192.168.1.1 to host 10.1.1.1.
Use #123 as the access list ID, and add IPV4-ACL-EX as the access list explanatory text (description).
1. Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any host 192.168.1.1 host 10.1.1.1    (1)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#access-list 123 description IPV4-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123    (3)
IPv4 access list 123
    10 permit any host 192.168.1.1 host 10.1.1.1
    20 deny any any any
Yamaha#
(1) Generate access list (2) Add access list explanatory text (3) Check access list
The explicit "deny any any any" entry is what makes this list restrictive; without it, frames from other hosts would satisfy no condition and be forwarded as usual (see 3.1).
2. Apply access list #123 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 123 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv4 access group 123 in
(1) Apply access list (2) Check access list settings
To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled. While the list is detached, the port forwards all traffic without filtering, so make the change during a maintenance window or on a port that can be shut down first.
For the setting indicated above, delete the setting that allows access from host 192.168.1.1 to host 10.1.1.1, and add a setting that allows access from host 192.168.1.1 to host 10.1.1.2.
1. Temporarily cancel the application of access list #123 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#no access-group 123 in    (1)
(1) Cancel the application of the access list
2. Delete, add, and then check the setting in access list #123.
Yamaha(config)#no access-list 123 10    (1)
Yamaha(config)#access-list 123 10 permit any host 192.168.1.1 host 10.1.1.2    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123    (3)
IPv4 access list 123
    10 permit any host 192.168.1.1 host 10.1.1.2
    20 deny any any any
(1) Remove the setting from the access list (2) Add the setting to the access list (3) Check access list
3. Apply access list #123 to LAN port #1 again.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 123 in    (1)
(1) Apply access list
■ Specify network
Set LAN port #1 so that access is only permitted from network 192.168.1.0/24 to host 10.1.1.1.
Use #123 as the access list ID, and add IPV4-ACL-EX as the access list explanatory text (description).
1. Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1    (1)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#access-list 123 description IPV4-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123    (3)
IPv4 access list 123
    10 permit any 192.168.1.0/24 host 10.1.1.1
    20 deny any any any
Yamaha#
(1) Generate access list (2) Add access list explanatory text (3) Check access list
Note that the wildcard mask 0.0.0.255 entered on the command line is displayed as the prefix length /24.
2. Apply access list #123 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 123 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv4 access group 123 in
(1) Apply access list (2) Check access list settings
To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
The specific procedure is the same as for specifying a host.
5.1.2. Example of application to the VLAN interface
■ Specify host
Set VLAN #1000 so that access is only permitted from host 192.168.1.1 to host 10.1.1.1.
Access list ID #123 is used.
The VLAN access map is VAM-002, and access list #123 is set in it.
1. Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any host 192.168.1.1 host 10.1.1.1    (1)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123    (2)
IPv4 access list 123
    10 permit any host 192.168.1.1 host 10.1.1.1
    20 deny any any any
(1) Generate access list (2) Check access list
2. Generate VLAN access map VAM-002, and set access list #123.
Yamaha(config)#vlan access-map VAM-002    (1)
Yamaha(config-vlan-access-map)#match access-list 123    (2)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map    (3)
Vlan access-map VAM-002
    match ipv4 access-list 123
(1) VLAN access map generation (2) Register the access list (3) Check the settings for VLAN access map and access list
3. Apply VLAN access map VAM-002 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-002 1000 in    (1)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter    (2)
Vlan filter VAM-002 is applied to vlan 1000 in
(1) Apply the VLAN access map to the VLAN (2) Check the settings for VLAN access map
To change the access list (delete or add a setting), the VLAN access map must be temporarily removed from the VLAN and the access list must be removed from the VLAN access map. While the map is removed, the VLAN forwards all traffic without filtering.
For the setting indicated above, delete the setting that allows access from host 192.168.1.1 to host 10.1.1.1, and add a setting that allows access from host 192.168.1.1 to host 10.1.1.2.
1. Temporarily remove VLAN access map VAM-002 from VLAN #1000.
Yamaha(config)#no vlan filter VAM-002 1000 in    (1)
(1) Cancel the application of the VLAN access map to the VLAN
2. Temporarily remove the access list #123 setting from VLAN access map VAM-002.
Yamaha(config)#vlan access-map VAM-002    (1)
Yamaha(config-vlan-access-map)#no match access-list 123    (2)
(1) Change the VLAN access map (2) Cancel the registration of the access list
3. Delete, add, and then check the setting in access list #123.
Yamaha(config)#no access-list 123 10    (1)
Yamaha(config)#access-list 123 10 permit any host 192.168.1.1 host 10.1.1.2    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123    (3)
IPv4 access list 123
    10 permit any host 192.168.1.1 host 10.1.1.2
    20 deny any any any
(1) Remove the setting from the access list (2) Add the setting to the access list (3) Check access list
4. Set access list #123 in VLAN access map VAM-002 again.
Yamaha(config)#vlan access-map VAM-002    (1)
Yamaha(config-vlan-access-map)#match access-list 123    (2)
(1) Change the VLAN access map (2) Register the access list
5. Apply VLAN access map VAM-002 to VLAN #1000 again.
Yamaha(config)#vlan filter VAM-002 1000 in    (1)
(1) Apply the VLAN access map to the VLAN
■ Specify network
Set VLAN #1000 so that access is only permitted from network 192.168.1.0/24 to host 10.1.1.1.
Access list ID #123 is used.
The VLAN access map is VAM-002, and access list #123 is set in it.
1. Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1    (1)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123    (2)
IPv4 access list 123
    10 permit any 192.168.1.0/24 host 10.1.1.1
    20 deny any any any
(1) Generate access list (2) Check access list
2. Generate VLAN access map VAM-002, and set access list #123.
Yamaha(config)#vlan access-map VAM-002    (1)
Yamaha(config-vlan-access-map)#match access-list 123    (2)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map    (3)
Vlan access-map VAM-002
    match ipv4 access-list 123
(1) VLAN access map generation (2) Register the access list (3) Check the settings for VLAN access map and access list
3. Apply VLAN access map VAM-002 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-002 1000 in    (1)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter    (2)
Vlan filter VAM-002 is applied to vlan 1000 in
(1) Apply the VLAN access map to the VLAN (2) Check the settings for VLAN access map
To change the access list (delete or add a setting), the VLAN access map must be temporarily removed from the VLAN and the access list must be removed from the VLAN access map.
The specific procedure is the same as for specifying a host.
5.1.3. Allowing only TCP communication from one direction (example using TCP flags)
Given VLAN10 and VLAN20, this example restricts TCP communication to one direction.
- Communication from VLAN10 to VLAN20 is possible by Telnet, etc.
- Communication from VLAN20 to VLAN10 is not possible by Telnet, etc.
The access list permits only TCP segments that carry the ACK or RST flag, which a connection-opening SYN does not. Because the filter is stateless, it does not verify that a handshake actually took place: any TCP segment from VLAN20 with ACK set is forwarded, and non-TCP traffic from VLAN20 (UDP, ICMP) is dropped by the final deny.
1. Generate access list #1.
Specify settings that only allow IPv4 TCP packets with the ACK or RST flag.
Yamaha(config)#access-list 1 permit tcp any any ack    (1)
Yamaha(config)#access-list 1 permit tcp any any rst
Yamaha(config)#access-list 1 deny any any any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list    (2)
IPv4 access list 1
    10 permit tcp any any ack
    20 permit tcp any any rst
    30 deny any any any
(1) Configure access list settings (2) Check access list settings
2. Generate VLAN access map VAM-ESTABLISHED, and set access list #1.
Yamaha(config)#vlan access-map VAM-ESTABLISHED    (1)
Yamaha(config-vlan-access-map)#match access-list 1    (2)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map    (3)
Vlan access-map VAM-ESTABLISHED
    match ipv4 access-list 1
(1) VLAN access map generation (2) Register the access list (3) Check the settings for VLAN access map
3. Apply VLAN access map VAM-ESTABLISHED to VLAN #20.
Yamaha(config)#vlan filter VAM-ESTABLISHED 20 in    (1)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter    (2)
Vlan filter VAM-ESTABLISHED is applied to vlan 20 in
(1) Apply the VLAN access map to the VLAN (2) Check the status of application to the VLAN
5.2. IPv6 access list settings
5.2.1. Example of application to a LAN port
■ Specify host
Set LAN port #1 so that it only allows access from host 2001:db8::1.
Use #3001 as the access list ID, and add IPV6-ACL-EX as the access list explanatory text (description).
1. Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::1/128    (1)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#access-list 3001 description IPV6-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001    (3)
IPv6 access list 3001
    10 permit 2001:db8::1/128
    20 deny any
(1) Generate access list (2) Add access list explanatory text (3) Check access list
2. Apply access list #3001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 3001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv6 access group 3001 in
(1) Apply access list (2) Check access list settings
To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to 5.1.1 Example of application to a LAN port in IPv4 access list settings.
■ Specify network
Set LAN port #1 so that it only allows access from network 2001:db8::/64.
Use #3001 as the access list ID, and add IPV6-ACL-EX as the access list explanatory text (description).
1. Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::/64    (1)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#access-list 3001 description IPV6-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001    (3)
IPv6 access list 3001
    10 permit 2001:db8::/64
    20 deny any
(1) Generate access list (2) Add access list explanatory text (3) Check access list
2. Apply access list #3001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 3001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv6 access group 3001 in
(1) Apply access list (2) Check access list settings
To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to 5.1.1 Example of application to a LAN port in IPv4 access list settings.
5.2.2. Example of application to the VLAN interface
■ Specify host
Set VLAN #1000 so that it only allows access from host 2001:db8::1.
Access list ID #3001 is used.
The VLAN access map is VAM-001, and access list #3001 is set in it.
1. Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::1/128    (1)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001    (2)
IPv6 access list 3001
    10 permit 2001:db8::1/128
    20 deny any
(1) Generate access list (2) Check access list
2. Generate VLAN access map VAM-001, and set access list #3001.
Yamaha(config)#vlan access-map VAM-001    (1)
Yamaha(config-vlan-access-map)#match access-list 3001    (2)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map    (3)
Vlan access-map VAM-001
    match ipv6 access-list 3001
(1) VLAN access map generation (2) Register the access list (3) Check the settings for VLAN access map and access list
3. Apply VLAN access map VAM-001 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-001 1000 in    (1)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter    (2)
Vlan filter VAM-001 is applied to vlan 1000 in
(1) Apply the VLAN access map to the VLAN (2) Check the settings for VLAN access map
To change the access list (delete or add a setting), the VLAN access map must be temporarily removed from the VLAN and the access list must be removed from the VLAN access map.
For the specific procedure, refer to 5.1.2 Example of application to the VLAN interface in IPv4 access list settings.
■ Specify network
Set VLAN #1000 so that it only allows access from network 2001:db8::/64.
Access list ID #3001 is used.
The VLAN access map is VAM-001, and access list #3001 is set in it.
1. Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::/64    (1)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001    (2)
IPv6 access list 3001
    10 permit 2001:db8::/64
    20 deny any
(1) Generate access list (2) Check access list
2. Generate VLAN access map VAM-001, and set access list #3001.
Yamaha(config)#vlan access-map VAM-001    (1)
Yamaha(config-vlan-access-map)#match access-list 3001    (2)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map    (3)
Vlan access-map VAM-001
    match ipv6 access-list 3001
(1) VLAN access map generation (2) Register the access list (3) Check the settings for VLAN access map and access list
3. Apply VLAN access map VAM-001 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-001 1000 in    (1)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter    (2)
Vlan filter VAM-001 is applied to vlan 1000 in
(1) Apply the VLAN access map to the VLAN (2) Check the settings for VLAN access map
To change the access list (delete or add a setting), the VLAN access map must be temporarily removed from the VLAN and the access list must be removed from the VLAN access map.
For the specific procedure, refer to 5.1.2 Example of application to the VLAN interface in IPv4 access list settings.
5.3. MAC access list settings
5.3.1. Example of application to a LAN port
■ Specify host
Set LAN port #1 so that it denies access only from host 00-A0-DE-12-34-56.
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text (description).
1. Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny host 00a0.de12.3456 any    (1)
Yamaha(config)#access-list 2001 description MAC-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001    (3)
MAC access list 2001
    10 deny host 00A0.DE12.3456 any
(1) Generate access list (2) Add access list explanatory text (3) Check access list
This list contains only a deny condition. Frames from every other source address satisfy no condition and are forwarded as usual (see 3.1), so no permit entry is needed.
2. Apply access list #2001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 2001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : MAC access group 2001 in
(1) Apply access list (2) Check access list settings
To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to 5.1.1 Example of application to a LAN port in IPv4 access list settings.
■ Specify vendor
Set LAN port #1 so that it denies access only from vendor code 00-A0-DE-xx-xx-xx (00-A0-DE-00-00-00 to 00-A0-DE-FF-FF-FF).
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text (description).
1. Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff any    (1)
Yamaha(config)#access-list 2001 description MAC-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001    (3)
MAC access list 2001
    10 deny 00A0.DE00.0000 0000.00FF.FFFF any
(1) Generate access list (2) Add access list explanatory text (3) Check access list
The wildcard 0000.00FF.FFFF leaves the lower three octets unchecked, so only the vendor code (the first three octets) has to match. A source MAC address is trivially changed by the sender, so treat this as a convenience filter rather than an authentication control.
2. Apply access list #2001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 2001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : MAC access group 2001 in
(1) Apply access list (2) Check access list settings
To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to 5.1.1 Example of application to a LAN port in IPv4 access list settings.
5.3.2. Example of application to the VLAN interface
■ Specify host
Set VLAN #1000 so that it denies access only from host 00-A0-DE-12-34-56.
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text (description).
The VLAN access map is VAM-003, and access list #2001 is set in it.
1. Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny host 00a0.de12.3456 any    (1)
Yamaha(config)#access-list 2001 description MAC-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list    (3)
MAC access list 2001
    10 deny host 00A0.DE12.3456 any
(1) Generate access list #2001 (2) Add access list explanatory text (3) Check access list
2. Generate VLAN access map VAM-003, and set access list #2001.
Yamaha(config)#vlan access-map VAM-003    (1)
Yamaha(config-vlan-access-map)#match access-list 2001    (2)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map    (3)
Vlan access-map VAM-003
    match mac access-list 2001
(1) VLAN access map generation (2) Register the access list (3) Check the settings for VLAN access map and access list
3. Apply VLAN access map VAM-003 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-003 1000 in    (1)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter    (2)
Vlan filter VAM-003 is applied to vlan 1000 in
(1) Apply the VLAN access map to the VLAN (2) Check the settings for VLAN access map
To change the access list (delete or add a setting), the VLAN access map must be temporarily removed from the VLAN and the access list must be removed from the VLAN access map.
For the specific procedure, refer to 5.1.2 Example of application to the VLAN interface in IPv4 access list settings.
■ Specify vendor
Set VLAN #1000 so that it denies access only from vendor code 00-A0-DE-xx-xx-xx (00-A0-DE-00-00-00 to 00-A0-DE-FF-FF-FF).
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text (description).
The VLAN access map is VAM-003, and access list #2001 is set in it.
1. Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff any    (1)
Yamaha(config)#access-list 2001 description MAC-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001    (3)
MAC access list 2001
    10 deny 00A0.DE00.0000 0000.00FF.FFFF any
(1) Generate access list #2001 (2) Add access list explanatory text (3) Check access list
2. Generate VLAN access map VAM-003, and set access list #2001.
Yamaha(config)#vlan access-map VAM-003    (1)
Yamaha(config-vlan-access-map)#match access-list 2001    (2)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map    (3)
Vlan access-map VAM-003
    match mac access-list 2001
(1) VLAN access map generation (2) Register the access list (3) Check the settings for VLAN access map and access list
3. Apply VLAN access map VAM-003 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-003 1000 in    (1)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter    (2)
Vlan filter VAM-003 is applied to vlan 1000 in
(1) Apply the VLAN access map to the VLAN (2) Check the settings for VLAN access map
To change the access list (delete or add a setting), the VLAN access map must be temporarily removed from the VLAN and the access list must be removed from the VLAN access map.
For the specific procedure, refer to 5.1.2 Example of application to the VLAN interface in IPv4 access list settings.
6. Points of Caution
- LAN/SFP ports for which an access list is configured for received frames cannot belong to a logical interface.
- Access list settings for received frames cannot be applied to a LAN/SFP port that belongs to a logical interface. If the startup config contains access list settings for received frames on a LAN/SFP port that belongs to a logical interface, the settings for the most recent port number are applied to the logical interface.
- Conditions might not be evaluated correctly for fragmented packets. If layer 4 information (source port number, destination port number, TCP flags) is included in the conditions, it cannot be evaluated correctly for the second and subsequent fragments, because that information is carried only in the first fragment. If fragmented packets may be processed, do not include layer 4 information in the conditions; filter on addresses and protocol only, or perform the layer 4 filtering at a device that reassembles or tracks connections.
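As an added example that is not part of the original documentation or the switch firmware, the following Python model covers access list #1 from 5.1.3 (permit TCP with ACK or RST, deny everything else) and the fragment caution above. It assumes that conditions are tested in order and the first match decides, that a packet matching no condition is forwarded (3.1), and, purely for the model, that a condition requiring TCP flags does not match a packet carrying no TCP header; the page does not state how the hardware classifies such a packet. The hosts 10.0.10.5 (VLAN10) and 10.0.20.7 (VLAN20) and all packets are constructed.

```python
# Added example: Python model of access list #1 from 5.1.3 and of the
# fragment caution in section 6. Illustration only, not the switch firmware.
# Assumptions: conditions are tested in order and the first match decides;
# an unmatched packet is forwarded (3.1); and, for the model only, a
# condition that needs TCP flags does not match a packet with no TCP header
# (a second or later fragment). The page does not state how the hardware
# classifies such a packet.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp", "udp", "icmp", ...
    flags: Optional[frozenset] = None    # TCP flags; None when no TCP header
    frag_offset: int = 0                 # > 0 for second and later fragments


@dataclass
class Rule:
    action: str
    proto: str = "any"
    flags: frozenset = field(default_factory=frozenset)  # all must be set

    def matches(self, p: Packet) -> Optional[bool]:
        """True/False, or None when the packet lacks the layer-4 data needed."""
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.flags:
            if p.frag_offset > 0 or p.flags is None:
                return None
            return self.flags <= p.flags
        return True


def evaluate(rules, p: Packet) -> Tuple[str, bool]:
    """Return (decision, determinate). determinate is False when a condition
    could not be evaluated; such a condition is treated as not matching."""
    determinate = True
    for r in rules:
        m = r.matches(p)
        if m is None:
            determinate = False
            continue
        if m:
            return r.action, determinate
    return "permit", determinate


# Access list #1 from 5.1.3, applied to frames entering VLAN 20.
ACL1 = [
    Rule("permit", "tcp", frozenset({"ack"})),
    Rule("permit", "tcp", frozenset({"rst"})),
    Rule("deny"),
]

# Constructed addresses: 10.0.10.5 on VLAN10, 10.0.20.7 on VLAN20.
V10, V20 = "10.0.10.5", "10.0.20.7"
# Constructed packets as seen entering VLAN 20 (sent by the VLAN20 host).
reply_synack = Packet(V20, V10, "tcp", frozenset({"syn", "ack"}))  # answer to a Telnet SYN from VLAN10
reply_data = Packet(V20, V10, "tcp", frozenset({"ack", "psh"}))    # data on that connection
new_conn = Packet(V20, V10, "tcp", frozenset({"syn"}))             # VLAN20 tries to open Telnet to VLAN10
udp_probe = Packet(V20, V10, "udp")                                # DNS etc. from VLAN20
forged_ack = Packet(V20, V10, "tcp", frozenset({"ack"}))           # no handshake ever took place
reply_frag2 = Packet(V20, V10, "tcp", None, frag_offset=185)       # 2nd fragment of a large reply


def decision(p: Packet) -> str:
    return evaluate(ACL1, p)[0]


def determinate(p: Packet) -> bool:
    return evaluate(ACL1, p)[1]


if __name__ == "__main__":
    for name, p in [("reply_synack", reply_synack), ("reply_data", reply_data),
                    ("new_conn", new_conn), ("udp_probe", udp_probe),
                    ("forged_ack", forged_ack), ("reply_frag2", reply_frag2)]:
        print(f"{name:13s} {decision(p):6s} determinate={determinate(p)}")
```

The results show the two blind spots of this stateless approach. A segment from VLAN20 with the ACK bit set is permitted although no handshake ever took place, which is exactly what an ACK scan relies on. The second fragment of a legitimate reply carries no TCP header, so the flag conditions cannot be evaluated for it, and in this model it falls through to the final deny; on the real device the result is undefined, which is why section 6 says to keep layer 4 information out of the conditions when fragmented traffic is possible.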