Option Meaning
separation of multiple access lists.
permit or deny Specifies the effect of the access-list statement as allowing or
blocking the traffic specified.
h.h.h mac address Specifies the device by MAC address that will be acted upon in
the access-list statement.
Host Specifies a single specific host for the statement
Any Specifies that regardless of the host or device IP, it will match
the statement.
Here’s an example of this command:
S1#config t
S1(config)#mac access-list ?
extended Extended Access List
S1(config)#mac access-list extended ?
WORD access-list name
S1(config)#mac access-list extended Todd_MAC_List
S1(config-ext-macl)#deny ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host
S1(config-ext-macl)#deny any ?
H.H.H 48-bit destination MAC address
any any destination MAC address
host A single destination host
S1(config-ext-macl)#deny any host ?
H.H.H 48-bit destination MAC address
S1(config-ext-macl)#deny any host 000d.29bd.4b85
S1(config-ext-macl)#permit ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host
S1(config-ext-macl)#permit any any
S1(config-ext-macl)#do show access-list
Extended MAC access list Todd_MAC_List
deny any host 000d.29bd.4b85
permit any any
S1(config-ext-macl)#
You can see that you can create only an extended named access list. You have no other
options. And don’t forget to add the permit any any at the end!
Here is how you would apply the list to a switch port:
S1(config-ext-macl)#int f0/6
S1(config-if)#mac access-group Todd_MAC_List in
This is pretty much the same as it is with an IP list, except you start with the command mac.
Although it’s true there are special circumstances where you would deny based on MAC
address, there is another option, and I think it’s usually the better one: just deny access based
on the ether-type field in the Ethernet frame header instead. Take a look:
S1(config-ext-macl)#deny any any ?
<0-65535> An arbitrary EtherType in decimal, hex, or octal
aarp EtherType: AppleTalk ARP
amber EtherType: DEC-Amber
appletalk EtherType: AppleTalk/EtherTalk
cos CoS value
dec-spanning EtherType: DEC-Spanning-Tree
decnet-iv EtherType: DECnet Phase IV
diagnostic EtherType: DEC-Diagnostic
dsm EtherType: DEC-DSM
etype-6000 EtherType: 0x6000
etype-8042 EtherType: 0x8042
lat EtherType: DEC-LAT
lavc-sca EtherType: DEC-LAVC-SCA
lsap LSAP value
mop-console EtherType: DEC-MOP Remote Console
mop-dump EtherType: DEC-MOP Dump
msdos EtherType: DEC-MSDOS
mumps EtherType: DEC-MUMPS
netbios EtherType: DEC-NETBIOS
vines-echo EtherType: VINES Echo
vines-ip EtherType: VINES IP
xns-idp EtherType: XNS IDP