ACL

1. Function Overview

The access list (ACL) is a conditional statement that determines whether to permit or to deny the frame.
If the access list is applied to the interface, only the permitted frame will be transferred, and the denied frame will be discarded.
As this allows for only specified frames to be selected for transfer, this feature is primarily used for security purposes.
This product supports three access list types, as shown in the table below.

  • Access list type

    Access list type   Deciding criteria          Access list ID   Purpose of use
    IPv4 access list   Source IPv4 address        1–2000           Filters access from specific hosts and networks.
                       Destination IPv4 address                    Filters specific IP protocol types such as TCP/UDP.
                       IP protocol type
    IPv6 access list   Source IPv6 address        3001–4000        Filters access from specific hosts and networks.
    MAC access list    Source MAC address         2001–3000        Filters access and data transfer from specific devices.
                       Destination MAC address

2. Definition of Terms Used

ACL

Abbreviation of “Access Control List”.

Wildcard mask

Information that specifies which portion of the specified IPv4 address or MAC address is read. This is used when specifying a range of IPv4 addresses or MAC addresses as ACL conditions.

  • When the wildcard mask bit is “0”: check the corresponding bit

  • When the wildcard mask bit is “1”: do not check the corresponding bit

Examples of settings using wildcard masks are shown below. (In each example, the second value is the wildcard mask.)

  • To specify conditions for subnet 192.168.1.0/24: 192.168.1.0 0.0.0.255 (specified in decimal)

  • To specify conditions for vendor code 00-A0-DE---*: 00A0.DE00.0000 0000.00FF.FFFF (specified in hexadecimal)

3. Function Details

3.1. Generate access list

As many access lists can be generated as there are IDs in each access list ID range. (Refer to the table in 1. Function Overview.)
A maximum of 256 control conditions can be registered per access list.
If the registered control conditions are not satisfied, forwarding occurs as usual.
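The wildcard-mask semantics of section 2 and the first-match evaluation just described (a frame that satisfies no registered condition is forwarded as usual) are modelled below in Python. This is an added example, not the product's own code; the function names, the Ipv4Entry type and the sample list ACL_123 (built from the "specify network" commands in 5.1.1) are constructed for this example, and only the address conditions of an entry are modelled, not the protocol field.

```python
"""Wildcard-mask matching and first-match ACL evaluation (added example).

Not the product's own code: it models the semantics the text describes.
A wildcard bit of 0 means "compare this bit", 1 means "ignore this bit";
control conditions are tried in sequence order, the first match decides,
and a frame that satisfies no condition is forwarded as usual (section 3.1).
All names and the sample access list below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ipv4_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mac_to_int(mac: str) -> int:
    """Accept 00-A0-DE-12-34-56, 00:a0:de:12:34:56 or 00a0.de12.3456."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def wildcard_match(value: int, pattern: int, wildcard: int, width: int) -> bool:
    """True when every bit whose wildcard bit is 0 agrees between value and pattern."""
    care = ~wildcard & ((1 << width) - 1)   # bits that must be compared
    return (value & care) == (pattern & care)


def ipv4_match(addr: str, pattern: str, wildcard: str) -> bool:
    return wildcard_match(ipv4_to_int(addr), ipv4_to_int(pattern),
                          ipv4_to_int(wildcard), 32)


def mac_match(mac: str, pattern: str, wildcard: str) -> bool:
    return wildcard_match(mac_to_int(mac), mac_to_int(pattern),
                          mac_to_int(wildcard), 48)


def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """0.0.0.255 -> 24, the form 'show access-list' displays; None if not contiguous."""
    wc = ipv4_to_int(wildcard)
    if wc & (wc + 1):              # set bits do not form a run from the low end
        return None
    return 32 - wc.bit_length()


# (pattern, wildcard) pairs spelled the way the CLI takes them
Cond = Tuple[str, str]
ANY: Cond = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Cond:
    return (addr, "0.0.0.0")       # all 32 bits compared


@dataclass(frozen=True)
class Ipv4Entry:
    """One control condition of an IPv4 access list (address conditions only)."""
    action: str                    # "permit" or "deny"
    src: Cond
    dst: Cond


def evaluate(acl: List[Ipv4Entry], src: str, dst: str) -> str:
    """First matching entry decides; no match means the frame is forwarded as usual."""
    for entry in acl:
        if ipv4_match(src, *entry.src) and ipv4_match(dst, *entry.dst):
            return entry.action
    return "permit"


# Constructed sample mirroring access list #123 of section 5.1.1 ("specify network"):
#   10 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1
#   20 deny any any any
ACL_123 = [
    Ipv4Entry("permit", ("192.168.1.0", "0.0.0.255"), host("10.1.1.1")),
    Ipv4Entry("deny", ANY, ANY),
]


if __name__ == "__main__":
    print(evaluate(ACL_123, "192.168.1.77", "10.1.1.1"))   # permit
    print(evaluate(ACL_123, "192.168.2.77", "10.1.1.1"))   # deny
    print(mac_match("00-A0-DE-12-34-56", "00a0.de00.0000", "0000.00ff.ffff"))  # True
```

Dropping the final "deny any any any" entry from ACL_123 is the easiest way to see why that entry matters: a source outside 192.168.1.0/24 then matches nothing and is forwarded as usual, which is the opposite of what a "permit only this network" intent requires.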

3.2. Applying to the interface

The following table shows how access lists are applied to the input/output interfaces of this product.
Note that one access list can be applied to each direction (in and out) of an interface.

  • Status of access list application to the interface

    Access list type   LAN/SFP port       VLAN interface     Static/LACP logical interface
                       in      out        in      out        in      out
    IPv4 access list   Yes     Yes (*)    Yes     Yes (*)    Yes     No
    IPv6 access list   Yes     Yes        Yes     Yes        Yes     No
    MAC access list    Yes     No         Yes     No         Yes     No

    (*) As a limitation, an IPv4 access list that specifies a range of port numbers cannot be applied to the output (out) side of an interface.

The number of access lists that can be applied to the interface depends on the number of control parameters that are registered in the access lists.
On this product, a maximum of 512 control conditions can be registered to the interface.
Applying an access list to the interface will use resources “equivalent to the number of control conditions that are registered in the access list”.

Note that the system may also use control conditions internally in some cases; these consume resources from the same pool.

3.3. Settings for the LAN/SFP port and logical interface

The steps for applying an access list to a LAN/SFP port and to a logical interface are shown below.

  1. Decide on the filtering parameters, and generate the access list.

    • Add explanatory text as necessary.

  2. Check the access list.

  3. Apply the access list to the LAN/SFP port and logical interface.

  4. Check the applied access list.

A list of operation commands is given below.

  • Access list operating commands (when applied to the LAN/SFP port and logical interface)

    Access list type   Generate access list   Check access list   Apply access list   Check applied access list
    IPv4 access list   access-list            show access-list    access-group        show access-group
    IPv6 access list   access-list            show access-list    access-group        show access-group
    MAC access list    access-list            show access-list    access-group        show access-group

3.4. VLAN interface settings

The steps for applying access lists to the VLAN interface are shown below.

  1. Decide on the filtering parameters, and generate the access list.

    • Add explanatory text as necessary.

  2. Check the access list.

  3. Generate the VLAN access map.

  4. Set the access list for the VLAN access map.

  5. Check the VLAN access map.

  6. Apply the VLAN access map to the VLAN.

  7. Check the VLAN access map that was applied.

The operations in steps 1 and 2 are the same as those shown in 3.2.
The following is a list of operating commands for steps 3 and later.

  • VLAN access map operating commands

    Access list type   VLAN access map generation   Access list setting for VLAN access map   VLAN access map confirmation   VLAN access map application   Confirmation of the applied VLAN access map
    IPv4 access list   vlan access-map              match access-list                         show vlan access-map           vlan filter                   show vlan filter
    IPv6 access list   vlan access-map              match access-list                         show vlan access-map           vlan filter                   show vlan filter
    MAC access list    vlan access-map              match access-list                         show vlan access-map           vlan filter                   show vlan filter

4. Related Commands

Related commands are indicated below.
For details on the commands, refer to the Command Reference.

Operations                               Operating commands
Generate IPv4 access list                access-list
Add IPv4 access list explanatory text    access-list description
Apply IPv4 access list                   access-group
Generate IPv6 access list                access-list
Add IPv6 access list explanatory text    access-list description
Apply IPv6 access list                   access-group
Generate MAC access list                 access-list
Add MAC access list explanatory text     access-list description
Apply MAC access list                    access-group
Show generated access list               show access-list
Show access list applied to interface    show access-group
Create VLAN access map                   vlan access-map
Set VLAN access map parameters           match
Assign VLAN access map to VLAN           vlan filter
Show VLAN access map                     show vlan access-map
Show VLAN access map filter              show vlan filter

5. Examples of Command Execution

5.1. IPv4 access list settings

5.1.1. Example of application to a LAN port

■ Specify host

Set LAN port #1 so that access is only permitted from host: 192.168.1.1 to host: 10.1.1.1.
Use #123 as the access list ID, and add IPV4-ACL-EX as the access list explanatory text.

  1. Generate and confirm access list #123.

    Yamaha(config)#access-list 123 permit any host 192.168.1.1 host 10.1.1.1 (1)
    Yamaha(config)#access-list 123 deny any any any
    Yamaha(config)#access-list 123 description IPV4-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 123 (3)
    IPv4 access list 123
        10 permit any host 192.168.1.1 host 10.1.1.1
        20 deny any any any
    Yamaha#
    1 Generate access list
    2 Add access list explanatory text
    3 Check access list
  2. Apply access list #123 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 123 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv4 access group 123 in
    1 Apply access list
    2 Check access list settings

To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the setting indicated above, delete the setting that allows access from host: 192.168.1.1 to host: 10.1.1.1 and add a setting that allows access from host: 192.168.1.1 to host: 10.1.1.2.

  1. Temporarily cancel the application of access list #123 from LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#no access-group 123 in (1)
    1 Cancel the application of the access list
  2. Delete, add, and then check the setting in access list #123.

    Yamaha(config)#no access-list 123 10 (1)
    Yamaha(config)#access-list 123 10 permit any host 192.168.1.1 host 10.1.1.2 (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 123 (3)
    IPv4 access list 123
        10 permit any host 192.168.1.1 host 10.1.1.2
        20 deny any any any
    1 Remove the setting from the access list
    2 Add the setting to the access list
    3 Check access list
  3. Apply access list #123 to LAN port #1 again.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 123 in (1)
    1 Apply access list

■ Specify network

Set LAN port #1 so that access is only permitted from network: 192.168.1.0/24 to host: 10.1.1.1.
Use #123 as the access list ID, and add IPV4-ACL-EX as the access list explanatory text.

  1. Generate and confirm access list #123.

    Yamaha(config)#access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1 (1)
    Yamaha(config)#access-list 123 deny any any any
    Yamaha(config)#access-list 123 description IPV4-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 123 (3)
    IPv4 access list 123
        10 permit any 192.168.1.0/24 host 10.1.1.1
        20 deny any any any
    Yamaha#
    1 Generate access list
    2 Add access list explanatory text
    3 Check access list
  2. Apply access list #123 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 123 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv4 access group 123 in
    1 Apply access list
    2 Check access list settings

To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
The specific procedure is the same as for specifying a host.

5.1.2. Example of application to the VLAN interface

■ Specify host

Set VLAN #1000 so that access is only permitted from host: 192.168.1.1 to host: 10.1.1.1.
We will use access list ID #123.
The VLAN access map to be used will be VAM-002, and access list #123 will be set.

  1. Generate and confirm access list #123.

    Yamaha(config)#access-list 123 permit any host 192.168.1.1 host 10.1.1.1 (1)
    Yamaha(config)#access-list 123 deny any any any
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 123 (2)
    IPv4 access list 123
        10 permit any host 192.168.1.1 host 10.1.1.1
        20 deny any any any
    1 Generate access list
    2 Check access list
  2. Generate VLAN access map VAM-002, and set access list #123.

    Yamaha(config)#vlan access-map VAM-002 (1)
    Yamaha(config-vlan-access-map)#match access-list 123 (2)
    Yamaha(config-vlan-access-map)#end
    Yamaha#
    Yamaha#show vlan access-map (3)
    Vlan access-map VAM-002
        match ipv4 access-list 123
    1 VLAN access map generation
    2 Register the access list
    3 Check the settings for VLAN access map and access list
  3. Apply VLAN access map VAM-002 to VLAN #1000, and confirm the status.

    Yamaha(config)#vlan filter VAM-002 1000 in (1)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show vlan filter (2)
    Vlan filter VAM-002 is applied to vlan 1000 in
    1 Apply the VLAN access map to the VLAN
    2 Check the settings for VLAN access map

To change the access list (delete or add a setting), it is necessary to temporarily cancel applying the list to the VLAN interface and the setting in the VLAN access map.
For the setting indicated above, delete the setting that allows access from host: 192.168.1.1 to host: 10.1.1.1 and add a setting that allows access from host: 192.168.1.1 to host: 10.1.1.2.

  1. Temporarily cancel VLAN access map VAM-002 from being applied to VLAN #1000.

    Yamaha(config)#no vlan filter VAM-002 1000 in (1)
    1 Cancel the application of a VLAN access map from a VLAN
  2. Temporarily cancel the access list #123 setting in VLAN access map VAM-002.

    Yamaha(config)#vlan access-map VAM-002 (1)
    Yamaha(config-vlan-access-map)#no match access-list 123 (2)
    1 Change the VLAN access map
    2 Cancel the registration of access list
  3. Delete, add, and then check the setting in access list #123.

    Yamaha(config)#no access-list 123 10 (1)
    Yamaha(config)#access-list 123 10 permit any host 192.168.1.1 host 10.1.1.2 (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 123 (3)
    IPv4 access list 123
        10 permit any host 192.168.1.1 host 10.1.1.2
        20 deny any any any
    1 Remove the setting from the access list
    2 Add the setting to the access list
    3 Check access list
  4. Specify the access list #123 setting in VLAN access map VAM-002 again.

    Yamaha(config)#vlan access-map VAM-002 (1)
    Yamaha(config-vlan-access-map)#match access-list 123 (2)
    1 Change the VLAN access map
    2 Register the access list
  5. Apply VLAN access map VAM-002 to VLAN #1000 again.

    Yamaha(config)#vlan filter VAM-002 1000 in (1)
    1 Apply the VLAN access map to the VLAN

■ Specify network

Set VLAN #1000 so that access is only permitted from network: 192.168.1.0/24 to host: 10.1.1.1.
We will use access list ID #123.
The VLAN access map to be used will be VAM-002, and access list #123 will be set.

  1. Generate and confirm access list #123.

    Yamaha(config)#access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1 (1)
    Yamaha(config)#access-list 123 deny any any any
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 123 (2)
    IPv4 access list 123
        10 permit any 192.168.1.0/24 host 10.1.1.1
        20 deny any any any
    1 Generate access list
    2 Check access list
  2. Generate VLAN access map VAM-002, and set access list #123.

    Yamaha(config)#vlan access-map VAM-002 (1)
    Yamaha(config-vlan-access-map)#match access-list 123 (2)
    Yamaha(config-vlan-access-map)#end
    Yamaha#
    Yamaha#show vlan access-map (3)
    Vlan access-map VAM-002
        match ipv4 access-list 123
    1 VLAN access map generation
    2 Register the access list
    3 Check the settings for VLAN access map and access list
  3. Apply VLAN access map VAM-002 to VLAN #1000, and confirm the status.

    Yamaha(config)#vlan filter VAM-002 1000 in (1)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show vlan filter (2)
    Vlan filter VAM-002 is applied to vlan 1000 in
    1 Apply the VLAN access map to the VLAN
    2 Check the settings for VLAN access map

To change the access list (delete or add a setting), it is necessary to temporarily cancel applying the list to the VLAN interface and the setting in the VLAN access map.
The specific procedure is the same as for specifying a host.

5.1.3. Allowing only TCP communication from one direction (example using TCP flags)

Given VLAN10 and VLAN20, this example controls TCP communication so that it occurs in one direction.

  • Communication from VLAN10 to VLAN20 is possible by Telnet, etc.

  • Communication from VLAN20 to VLAN10 is not possible by Telnet, etc.

  1. Generate access list #1.
    Specify settings that only allow IPv4 TCP packets with an ACK or RST flag.

    Yamaha(config)#access-list 1 permit tcp any any ack (1)
    Yamaha(config)#access-list 1 permit tcp any any rst
    Yamaha(config)#access-list 1 deny any any any
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list (2)
    IPv4 access list 1
        10 permit tcp any any ack
        20 permit tcp any any rst
        30 deny any any any
    1 Configure access list settings
    2 Check access list settings
  2. Generate VLAN access map VAM-ESTABLISHED and specify access list #1.

    Yamaha(config)#vlan access-map VAM-ESTABLISHED (1)
    Yamaha(config-vlan-access-map)#match access-list 1 (2)
    Yamaha(config-vlan-access-map)#end
    Yamaha#
    Yamaha#show vlan access-map (3)
    Vlan access-map VAM-ESTABLISHED
        match ipv4 access-list 1
    1 VLAN access map generation
    2 Register the access list
    3 Check the settings for VLAN access map
  3. Apply VLAN access map VAM-ESTABLISHED to VLAN #20.

    Yamaha(config)#vlan filter VAM-ESTABLISHED 20 in (1)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show vlan filter (2)
    Vlan filter VAM-ESTABLISHED is applied to vlan 20 in
    1 Apply the VLAN access map to the VLAN
    2 Check the status of application to the VLAN
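The direction control in this example rests on a property of TCP: every segment except the initial SYN of a connection carries the ACK flag (or RST when a connection is refused or torn down), so permitting only ACK/RST segments inbound on VLAN20 lets replies to VLAN10-initiated connections through while denying connections that VLAN20 hosts try to open. The Python below is an added example, not the product's own code; it models access list #1 above as applied by VAM-ESTABLISHED inbound on VLAN 20 and evaluates constructed sample packets, including the non-initial fragment case from 6. Points of Caution, for which the flag condition cannot be decided. Packet, Entry and the function names are constructed for this example.

```python
"""One-way TCP control via ACK/RST flag matching (added example).

Not the product's own code: it models access list #1 from section 5.1.3 applied
inbound on VLAN20. Only TCP segments carrying ACK or RST are permitted, so
replies to connections opened from VLAN10 pass, while a fresh SYN originating
in VLAN20 is denied. Packet, Entry and the sample packets are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp", "udp", "icmp", ...
    flags: FrozenSet[str] = frozenset()     # TCP flags present: "syn", "ack", "rst", ...
    first_fragment: bool = True             # a non-initial fragment carries no L4 header


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # None means "any"
    flag: Optional[str] = None     # TCP flag that must be set, e.g. "ack" or "rst"


# Mirrors the page's access list #1 (source/destination are "any", so only the
# protocol and flag conditions are modelled):
#   10 permit tcp any any ack
#   20 permit tcp any any rst
#   30 deny any any any
ACL_1: List[Entry] = [
    Entry("permit", proto="tcp", flag="ack"),
    Entry("permit", proto="tcp", flag="rst"),
    Entry("deny"),
]

UNDETERMINED = "undetermined"


def matches(entry: Entry, pkt: Packet) -> Optional[bool]:
    """True/False for a decidable condition; None when the condition needs layer 4
    information that the packet does not carry (section 6, fragment caveat)."""
    if entry.proto is not None and entry.proto != pkt.proto:
        return False
    if entry.flag is not None:
        if not pkt.first_fragment:
            return None
        return entry.flag in pkt.flags
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First match decides; no match forwards as usual (section 3.1)."""
    for entry in acl:
        result = matches(entry, pkt)
        if result is None:
            return UNDETERMINED
        if result:
            return entry.action
    return "permit"


def vlan20_inbound_verdicts() -> Dict[str, str]:
    """Constructed frames received from VLAN20 hosts, checked against the filter."""
    cases = {
        "telnet SYN from VLAN20 (new connection)": Packet("tcp", frozenset({"syn"})),
        "SYN-ACK reply to a VLAN10 client":        Packet("tcp", frozenset({"syn", "ack"})),
        "data segment on an open connection":     Packet("tcp", frozenset({"ack", "psh"})),
        "RST tearing a connection down":          Packet("tcp", frozenset({"rst"})),
        "UDP datagram":                           Packet("udp"),
        "non-initial TCP fragment":               Packet("tcp", first_fragment=False),
    }
    return {name: evaluate(ACL_1, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in vlan20_inbound_verdicts().items():
        print(f"{verdict:12} {name}")
```

Two points the verdicts make visible: the closing "deny any any any" also drops all non-TCP traffic received on VLAN 20 (the UDP case), which is what the page's list does and must be intended; and a non-initial fragment cannot be judged against a flag condition at all, which is why section 6 advises leaving layer 4 information out of the conditions wherever fragments may occur.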

5.2. IPv6 access list settings

5.2.1. Example of application to a LAN port

■ Specify host

Set LAN port #1 so that it only allows access from host: 2001:db8::1.
Use #3001 as the access list ID, and add IPV6-ACL-EX as the access list explanatory text.

  1. Generate and confirm access list #3001.

    Yamaha(config)#access-list 3001 permit 2001:db8::1/128 (1)
    Yamaha(config)#access-list 3001 deny any
    Yamaha(config)#access-list 3001 description IPV6-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 3001 (3)
    IPv6 access list 3001
        10 permit 2001:db8::1/128
        20 deny any
    1 Generate access list
    2 Add access list explanatory text
    3 Check access list
  2. Apply access list #3001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 3001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv6 access group 3001 in
    1 Apply access list
    2 Check access list settings

To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to Example of application to a LAN port in IPv4 access list settings.

■ Specify network

Set LAN port #1 so that it only allows access from network: 2001:db8::/64.
Use #3001 as the access list ID, and add IPV6-ACL-EX as the access list explanatory text.

  1. Generate and confirm access list #3001.

    Yamaha(config)#access-list 3001 permit 2001:db8::/64 (1)
    Yamaha(config)#access-list 3001 deny any
    Yamaha(config)#access-list 3001 description IPV6-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 3001 (3)
    IPv6 access list 3001
        10 permit 2001:db8::/64
        20 deny any
    1 Generate access list
    2 Add access list explanatory text
    3 Check access list
  2. Apply access list #3001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 3001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv6 access group 3001 in
    1 Apply access list
    2 Check access list settings

To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to Example of application to a LAN port in IPv4 access list settings.

5.2.2. Example of application to the VLAN interface

■ Specify host

Set VLAN #1000 so that it only allows access from host: 2001:db8::1.
We will use access list ID #3001.
The VLAN access map to be used will be VAM-001, and access list #3001 will be set.

  1. Generate and confirm access list #3001.

    Yamaha(config)#access-list 3001 permit 2001:db8::1/128 (1)
    Yamaha(config)#access-list 3001 deny any
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 3001 (2)
    IPv6 access list 3001
        10 permit 2001:db8::1/128
        20 deny any
    1 Generate access list
    2 Check access list
  2. Generate VLAN access map VAM-001, and set access list #3001.

    Yamaha(config)#vlan access-map VAM-001 (1)
    Yamaha(config-vlan-access-map)#match access-list 3001 (2)
    Yamaha(config-vlan-access-map)#end
    Yamaha#
    Yamaha#show vlan access-map (3)
    Vlan access-map VAM-001
        match ipv6 access-list 3001
    1 VLAN access map generation
    2 Configure access list settings
    3 Check the settings for VLAN access map and access list
  3. Apply VLAN access map VAM-001 to VLAN #1000, and confirm the status.

    Yamaha(config)#vlan filter VAM-001 1000 in (1)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show vlan filter (2)
    Vlan filter VAM-001 is applied to vlan 1000 in
    1 Apply the VLAN access map to the VLAN
    2 Check the settings for VLAN access map

To change the access list (delete or add a setting), it is necessary to temporarily cancel applying the list to the VLAN interface and the setting in the VLAN access map.
For the specific procedure, refer to Example of application to the VLAN interface in IPv4 access list settings.

■ Specify network

Set VLAN #1000 so that it only allows access from network: 2001:db8::/64.
We will use access list ID #3001.
The VLAN access map to be used will be VAM-001, and access list #3001 will be set.

  1. Generate and confirm access list #3001.

    Yamaha(config)#access-list 3001 permit 2001:db8::/64 (1)
    Yamaha(config)#access-list 3001 deny any
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 3001 (2)
    IPv6 access list 3001
        10 permit 2001:db8::/64
        20 deny any
    1 Generate access list
    2 Check access list
  2. Generate VLAN access map VAM-001, and set access list #3001.

    Yamaha(config)#vlan access-map VAM-001 (1)
    Yamaha(config-vlan-access-map)#match access-list 3001 (2)
    Yamaha(config-vlan-access-map)#end
    Yamaha#
    Yamaha#show vlan access-map (3)
    Vlan access-map VAM-001
        match ipv6 access-list 3001
    1 VLAN access map generation
    2 Configure access list settings
    3 Check the settings for VLAN access map and access list
  3. Apply VLAN access map VAM-001 to VLAN #1000, and confirm the status.

    Yamaha(config)#vlan filter VAM-001 1000 in (1)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show vlan filter (2)
    Vlan filter VAM-001 is applied to vlan 1000 in
    1 Apply the VLAN access map to the VLAN
    2 Check the settings for VLAN access map

To change the access list (delete or add a setting), it is necessary to temporarily cancel applying the list to the VLAN interface and the setting in the VLAN access map.
For the specific procedure, refer to Example of application to the VLAN interface in IPv4 access list settings.

5.3. MAC access list settings

5.3.1. Example of application to a LAN port

■ Specify host

Set LAN port #1 so that it only denies access from host: 00-A0-DE-12-34-56.
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text.

  1. Generate and confirm access list #2001.

    Yamaha(config)#access-list 2001 deny host 00a0.de12.3456 any (1)
    Yamaha(config)#access-list 2001 description MAC-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 2001 (3)
    MAC access list 2001
        10 deny host 00A0.DE12.3456 any
    1 Generate access list
    2 Add access list explanatory text
    3 Check access list
  2. Apply access list #2001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 2001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : MAC access group 2001 in
    1 Apply access list
    2 Check access list settings

To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to Example of application to a LAN port in IPv4 access list settings.

■ Specify vendor

Set LAN port #1 so that it only denies access from vendor code: 00-A0-DE---* (00-A0-DE-00-00-00 to 00-A0-DE-FF-FF-FF).
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text.

  1. Generate and confirm access list #2001.

    Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff any (1)
    Yamaha(config)#access-list 2001 description MAC-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 2001 (3)
    MAC access list 2001
        10 deny 00A0.DE00.0000 0000.00FF.FFFF any
    1 Generate access list
    2 Add access list explanatory text
    3 Check access list
  2. Apply access list #2001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 2001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : MAC access group 2001 in
    1 Apply access list
    2 Check access list settings

To change the access list (delete or add a setting), application of the list to the LAN port must be temporarily canceled.
For the specific procedure, refer to Example of application to a LAN port in IPv4 access list settings.

5.3.2. Example of application to the VLAN interface

■ Specify host

Set VLAN #1000 so that it only denies access from host: 00-A0-DE-12-34-56.
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text.
The VLAN access map to be used will be VAM-003, and access list #2001 will be set.

  1. Generate and confirm access list #2001.

    Yamaha(config)#access-list 2001 deny host 00a0.de12.3456 any (1)
    Yamaha(config)#access-list 2001 description MAC-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list (3)
    MAC access list 2001
        10 deny host 00A0.DE12.3456 any
    1 Generate access list #2001
    2 Add access list explanatory text
    3 Check access list
  2. Generate VLAN access map VAM-003, and set access list #2001.

    Yamaha(config)#vlan access-map VAM-003 (1)
    Yamaha(config-vlan-access-map)#match access-list 2001 (2)
    Yamaha(config-vlan-access-map)#end
    Yamaha#
    Yamaha#show vlan access-map (3)
    Vlan access-map VAM-003
        match mac access-list 2001
    1 VLAN access map generation
    2 Register the access list
    3 Check the settings for VLAN access map and access list
  3. Apply VLAN access map VAM-003 to VLAN #1000, and confirm the status.

    Yamaha(config)#vlan filter VAM-003 1000 in (1)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show vlan filter (2)
    Vlan filter VAM-003 is applied to vlan 1000 in
    1 Apply the VLAN access map to the VLAN
    2 Check the settings for VLAN access map

To change the access list (delete or add a setting), it is necessary to temporarily cancel applying the list to the VLAN interface and the setting in the VLAN access map.
For the specific procedure, refer to Example of application to the VLAN interface in IPv4 access list settings.

■ Specify vendor

Set VLAN #1000 so that it only denies access from vendor code: 00-A0-DE---* (00-A0-DE-00-00-00 to 00-A0-DE-FF-FF-FF).
Use #2001 as the access list ID, and add MAC-ACL-EX as the access list explanatory text.
The VLAN access map to be used will be VAM-003, and access list #2001 will be set.

  1. Generate and confirm access list #2001.

    Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff any (1)
    Yamaha(config)#access-list 2001 description MAC-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 2001 (3)
    MAC access list 2001
        10 deny 00A0.DE00.0000 0000.00FF.FFFF any
    1 Generate access list #2001
    2 Add access list explanatory text
    3 Check access list
  2. Generate VLAN access map VAM-003, and set access list #2001.

    Yamaha(config)#vlan access-map VAM-003 (1)
    Yamaha(config-vlan-access-map)#match access-list 2001 (2)
    Yamaha(config-vlan-access-map)#end
    Yamaha#
    Yamaha#show vlan access-map (3)
    Vlan access-map VAM-003
        match mac access-list 2001
    1 VLAN access map generation
    2 Register the access list
    3 Check the settings for VLAN access map and access list
  3. Apply VLAN access map VAM-003 to VLAN #1000, and confirm the status.

    Yamaha(config)#vlan filter VAM-003 1000 in (1)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show vlan filter (2)
    Vlan filter VAM-003 is applied to vlan 1000 in
    1 Apply the VLAN access map to the VLAN
    2 Check the settings for VLAN access map

To change the access list (delete or add a setting), it is necessary to temporarily cancel applying the list to the VLAN interface and the setting in the VLAN access map.
For the specific procedure, refer to Example of application to the VLAN interface in IPv4 access list settings.

6. Points of Caution

  • LAN/SFP ports for which an access list is configured for received frames cannot belong to a logical interface.

  • Access list settings for received frames on an interface cannot be applied to a LAN/SFP port that belongs to a logical interface. If access list settings exist for the received frame of a LAN/SFP port that belongs to a logical interface in startup config, the settings for the most recent port number will be applied to the logical interface.

  • Conditions might not be determined correctly for fragment packets. Specifically, if layer 4 information (source port number, destination port number, and various TCP flags) is included in the conditions, correct information cannot be determined because the information is not included in the second and subsequent fragment packets. If there is a possibility of processing fragment packets, do not include layer 4 information in the conditions.