Filtering by VLAN tag type (L2 ACLs)

In Layer 2 extended ACL rules, you can filter ingress traffic by VLAN tag format: untagged, single-tagged, or double-tagged. A rule matches only frames of the tag format it names, so a rule written for single-tagged frames does not match the same VLAN ID when it arrives in a double-tagged frame.

  1. Enter configure terminal to access global configuration mode.
    device# configure terminal
    
  2. Enter the mac access-list extended command to create or access the ACL.
    device(config)# mac access-list extended mac_acl3
    
  3. To filter untagged frames, create rules that include the vlan-tag-format untagged keywords. Because an untagged frame carries no VLAN ID of its own, the vlan value in these rules is the VLAN the frame is classified into on the ingress port.
    device(conf-macl-ext)# permit host 0001.0001.0001 any vlan-tag-format untagged vlan 100 count
    device(conf-macl-ext)# permit host 0001.0001.0004 any vlan-tag-format untagged vlan 100 count
    
  4. To filter single-tagged frames, create rules that include the vlan-tag-format single-tagged keywords. An optional hexadecimal mask after the VLAN ID (0xff0 in the second rule below) matches a range of VLAN IDs instead of a single one.
    device(conf-macl-ext)# permit host 0002.0002.0002 any vlan-tag-format single-tagged vlan 200 count
    device(conf-macl-ext)# deny host 1.2.3 any vlan-tag-format single-tagged vlan 101 0xff0 count
    
  5. To filter double-tagged frames, create rules that include the vlan-tag-format double-tagged keywords. The outer-vlan and inner-vlan keywords each take a VLAN ID (optionally followed by a mask) or any.
    device(conf-macl-ext)# permit host 0003.0003.0003 any vlan-tag-format double-tagged outer-vlan 300 inner-vlan 400 count
    device(conf-macl-ext)# permit host 0003.0003.0005 any vlan-tag-format double-tagged outer-vlan 300 0xfff inner-vlan 400 0x0fff count
    device(conf-macl-ext)# permit host 0003.0003.0006 any vlan-tag-format double-tagged outer-vlan any inner-vlan any count
    
  6. Apply the ACL inbound on the interface. The vlan-tag-format match applies to ingress traffic, so the access group is bound with the in keyword.
    device(conf-macl-ext)# exit
    device(config)# interface ethernet 2/1
    device(conf-if-eth-2/1)# mac access-group mac_acl3 in
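The following Python model is an added example and is not part of the vendor documentation or the switch software. It shows what the tag-format match in the procedure above actually keys on: the number of VLAN tags (TPID 0x8100, 0x88a8, or legacy 0x9100, assumed here to be the set the switch recognises) found after the source MAC, and the 12-bit VID inside each tag. It then runs constructed frames through the seven rules of mac_acl3 with first-match semantics. Assumptions, marked in the code, are: the hex mask selects the VID bits that must match (0xfff is an exact match); an untagged frame is compared against the VLAN it is classified into on the ingress port; the ACL ends with an implicit deny; and host 1.2.3 is the abbreviated form of 0001.0002.0003.

```python
"""Classify Ethernet frames by VLAN tag format and evaluate L2 ACL rules.

Added example; not the vendor's code. Assumptions are marked inline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TPIDs treated as a VLAN tag: 802.1Q C-tag, 802.1ad S-tag, legacy QinQ
# (assumption: the switch recognises all three when deciding the tag format).
TPIDS = {0x8100, 0x88A8, 0x9100}
FORMATS = ("untagged", "single-tagged", "double-tagged")


def mac_bytes(mac: str) -> bytes:
    """'0001.0001.0001' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", ""))


def mac_str(raw: bytes) -> str:
    """6 raw bytes -> 'xxxx.xxxx.xxxx' as the CLI prints it."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass
class Frame:
    dst: str
    src: str
    vids: Tuple[int, ...]  # () untagged, (vid,) single, (outer, inner) double
    ethertype: int

    @property
    def tag_format(self) -> str:
        return FORMATS[len(self.vids)]


def parse_frame(raw: bytes) -> Frame:
    """Walk the header after the MACs, peeling at most two VLAN tags."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    off, vids = 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated EtherType")
        et = int.from_bytes(raw[off:off + 2], "big")
        if et not in TPIDS or len(vids) == 2:
            break
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci = int.from_bytes(raw[off + 2:off + 4], "big")
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits; the top 4 are PCP/DEI
        off += 4
    return Frame(mac_str(raw[0:6]), mac_str(raw[6:12]), tuple(vids), et)


def build_frame(dst: str, src: str, vids: Tuple[int, ...], ethertype: int = 0x0800) -> bytes:
    """Constructed test frame; S-tag TPID on the outer tag when double-tagged."""
    raw = bytearray(mac_bytes(dst) + mac_bytes(src))
    for i, vid in enumerate(vids):
        tpid = 0x88A8 if (len(vids) == 2 and i == 0) else 0x8100
        raw += tpid.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    raw += ethertype.to_bytes(2, "big") + bytes(46)  # dummy payload
    return bytes(raw)


@dataclass
class Rule:
    action: str                  # "permit" | "deny"
    src: Optional[str]           # host MAC, or None for "any"
    tag_format: str
    vlan: Optional[int] = None   # untagged / single-tagged: vlan <id> [<mask>]
    vlan_mask: int = 0xFFF
    outer: Optional[int] = None  # double-tagged: outer-vlan <id> [<mask>] | any
    outer_mask: int = 0xFFF
    inner: Optional[int] = None  # double-tagged: inner-vlan <id> [<mask>] | any
    inner_mask: int = 0xFFF


def vid_matches(want: Optional[int], mask: int, have: int) -> bool:
    # Assumption: the hex mask selects the VID bits that must match (0xfff = exact).
    return want is None or (have & mask) == (want & mask)


def rule_matches(r: Rule, f: Frame, native_vlan: int) -> bool:
    if r.src is not None and r.src != f.src:
        return False
    if r.tag_format != f.tag_format:  # the tag-format check itself
        return False
    if f.tag_format == "untagged":
        # Assumption: an untagged frame is checked against the VLAN it is
        # classified into on ingress (the port's native VLAN).
        return vid_matches(r.vlan, r.vlan_mask, native_vlan)
    if f.tag_format == "single-tagged":
        return vid_matches(r.vlan, r.vlan_mask, f.vids[0])
    return (vid_matches(r.outer, r.outer_mask, f.vids[0])
            and vid_matches(r.inner, r.inner_mask, f.vids[1]))


def evaluate(acl: List[Rule], raw: bytes, native_vlan: int) -> Tuple[str, Optional[int]]:
    """First match wins -> (action, rule index). No match -> implicit deny (assumption)."""
    f = parse_frame(raw)
    for i, r in enumerate(acl):
        if rule_matches(r, f, native_vlan):
            return r.action, i
    return "deny", None


# mac_acl3 from the page, rule for rule. "host 1.2.3" is taken as the
# abbreviated form of 0001.0002.0003 (assumption).
MAC_ACL3 = [
    Rule("permit", "0001.0001.0001", "untagged", vlan=100),
    Rule("permit", "0001.0001.0004", "untagged", vlan=100),
    Rule("permit", "0002.0002.0002", "single-tagged", vlan=200),
    Rule("deny",   "0001.0002.0003", "single-tagged", vlan=101, vlan_mask=0xFF0),
    Rule("permit", "0003.0003.0003", "double-tagged", outer=300, inner=400),
    Rule("permit", "0003.0003.0005", "double-tagged", outer=300, outer_mask=0xFFF,
         inner=400, inner_mask=0x0FFF),
    Rule("permit", "0003.0003.0006", "double-tagged"),  # outer-vlan any inner-vlan any
]

if __name__ == "__main__":
    bcast = "ffff.ffff.ffff"
    print(evaluate(MAC_ACL3, build_frame(bcast, "0001.0001.0001", ()), native_vlan=100))
    print(evaluate(MAC_ACL3, build_frame(bcast, "0001.0002.0003", (111,)), native_vlan=1))
    print(evaluate(MAC_ACL3, build_frame(bcast, "0003.0003.0003", (300,)), native_vlan=1))
```

Two behaviours worth noticing when running it: a frame from 0003.0003.0003 in VLAN 300 is dropped by the implicit deny when it arrives single-tagged, even though the permit for that MAC and outer VLAN exists, because that permit is written for double-tagged frames; and under the assumed mask semantics the deny with vlan 101 0xff0 catches every VID from 96 to 111, not only 101.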