Cisco Systems IC-23 Network Router User Manual


 
Configuring LAN Interfaces
Configuring a LAN Extender Interface
IC-52
Cisco IOS Interface Configuration Guide
The major reason to create access lists on a LAN Extender interface is to prevent traffic that is local to
the remote Ethernet LAN from traversing the WAN and reaching the core router. You can filter packets
by MAC address, including vendor code, and by Ethernet type code. To define filters on the LAN
Extender interface, perform the tasks described in one or both of the following sections:
• Filtering by MAC Address and Vendor Code
• Filtering by Protocol Type
Note: When setting up administrative filtering, remember that there is virtually no performance
penalty when filtering by vendor code, but there can be a performance penalty when
filtering by protocol type.
When defining access lists, keep the following points in mind:
• You can assign only one vendor code access list and only one protocol type access list to an
  interface.
• The conditions in the access list are applied to all outgoing packets from the LAN Extender.
• The entries in an access list are scanned in the order you enter them. The first entry that matches the
  outgoing packet is used.
• An implicit “deny everything” entry is automatically defined at the end of an access list unless you
  include an explicit “permit everything” entry at the end of the list. This means that unless you have
  an entry at the end of an access list that explicitly permits all packets that do not match any of the
  other conditions in the access list, these packets will not be forwarded out the interface.
• All new entries to an existing list are placed at the end of the list. You cannot add an entry to the
  middle of a list.
• If you do not define any access lists on an interface, it is as if you had defined an access list with
  only a “permit all” entry. All traffic passes across the interface.
Filtering by MAC Address and Vendor Code
You can create access lists to administratively filter MAC addresses. These access lists can filter groups
of MAC addresses, including those with particular vendor codes. There is no noticeable performance
loss in using these access lists, and the lists can be of indefinite length.
You can filter groups of MAC addresses with particular vendor codes by creating a vendor code access
list and then by applying an access list to an interface.
To create a vendor code access list, use the following command in global configuration mode:
Command: access-list access-list-number {permit | deny} address mask
Purpose: Creates an access list to filter frames by canonical (Ethernet-ordered) MAC address.

Note: Token Ring and FDDI networks swap their MAC address bit ordering, but Ethernet
networks do not. Therefore, an access list that works for one medium might not work for
others.
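
The first-match and implicit "deny everything" rules listed above can be checked offline before a list is applied. The following Python sketch is an added example, not part of the Cisco guide: it parses lines in the access-list form shown above and reports which entry decides the fate of a frame. It assumes the usual IOS MAC access list convention that 1 bits in the mask are ignored when comparing; the list number, addresses and function names are chosen for illustration.

```python
import re

# Matches the command form shown on the page:
#   access-list access-list-number {permit | deny} address mask
LINE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)$", re.I)

def mac_to_int(text):
    """Convert a MAC in dotted-triple (0800.2000.0000) or colon form to a 48-bit int."""
    digits = re.sub(r"[.:\-]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)

def parse_acl(config):
    """Return entries as (action, address, mask) in the order they were entered."""
    entries = []
    for raw in config.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognized line: {raw!r}")
        _, action, addr, mask = m.groups()
        entries.append((action.lower(), mac_to_int(addr), mac_to_int(mask)))
    return entries

def evaluate(entries, mac):
    """First matching entry wins; falling off the end is the implicit deny."""
    value = mac_to_int(mac)
    for index, (action, addr, mask) in enumerate(entries, start=1):
        care = ~mask & 0xFFFFFFFFFFFF      # ASSUMPTION: 1 bits in mask are ignored
        if (value & care) == (addr & care):
            return action, index
    return "deny", None                    # no entry matched: implicit "deny everything"

def ends_with_permit_all(entries):
    """True if the last entry permits every address (mask ignores all 48 bits)."""
    return bool(entries) and entries[-1][0] == "permit" and entries[-1][2] == 0xFFFFFFFFFFFF

# Constructed sample lists (list number, vendor code and hosts chosen for illustration).
DENY_ONLY = """
access-list 710 deny 0800.2000.0000 0000.00FF.FFFF
"""
WITH_PERMIT_ALL = DENY_ONLY + "access-list 710 permit 0000.0000.0000 FFFF.FFFF.FFFF\n"

if __name__ == "__main__":
    for name, text in (("deny-only", DENY_ONLY), ("with permit-all", WITH_PERMIT_ALL)):
        acl = parse_acl(text)
        print(name, "ends with permit-all:", ends_with_permit_all(acl))
        for host in ("0800.2012.3456", "0000.0c12.3456"):
            print("  ", host, evaluate(acl, host))
```

A result of ("deny", None) means no entry matched and the frame was dropped by the implicit final entry, which is the case to look for when a list written only to block one vendor code ends up blocking all traffic.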