Describes implementing Layer 2 ACLs on physical and subinterfaces, noting configuration restrictions and providing instructions for enabling ISIS PDU rejection to enhance access security and traffic filtering.
Layer 2 ACL is a security configuration that

- binds to Layer 2 main interfaces, subinterfaces, or bundle interfaces,
- enables traffic filtering of ISIS packets on the ethernet port shared by these interfaces, and
- ensures ISIS traffic is dropped regardless of whether the ACL is applied to the main or subinterface, since all share the port.

| Feature Name | Release Information | Feature Description |
|---|---|---|
| Support for a Configurable Knob to Reject ISIS PDU on Layer 2 Interfaces | Release 25.1.1 | Introduced in this release on: Fixed Systems (8700 [ASIC: K100])(select variants only*) *This feature is supported on the Cisco 8712-MOD-M routers. |
| Support for a Configurable Knob to Reject ISIS PDU on Layer 2 Interfaces | Release 24.4.1 | Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100])(select variants only*); Modular Systems (8800 [LC ASIC: P100])(select variants only*) *This feature is supported on: |
| Support for a Configurable Knob to Reject ISIS PDU on Layer 2 Interfaces | Release 7.3.1 | This feature enables you to use Layer 2 ACL to drop ISIS packets from certain ISIS destination MAC addresses. Dropping ISIS packets allows you to isolate a particular node from the ISIS domain. This feature enables you to utilize the network bandwidth efficiently. This feature introduces the ethernet-services access-list isis-drop-all-l2-pdus command. |

Configuring a Layer 2 ACL on either the main interface or subinterface results in ISIS packet drops for both, because the ACL operates on their shared ethernet port.
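
To check from a packet capture that ISIS PDUs are no longer crossing the shared port, the following added example (not from the Cisco documentation) classifies Ethernet frames as ISIS whether they arrive untagged on the main interface or VLAN-tagged on a subinterface. It assumes the standard ISIS multicast groups from ISO/IEC 10589, since the page does not list which destination MACs the router matches; all names and sample frames are constructed for illustration.

```python
import struct

# Standard IS-IS multicast groups (ISO/IEC 10589). Assumption: the page does
# not list which destination MACs the router matches.
ISIS_GROUPS = {
    bytes.fromhex("0180c2000014"): "AllL1ISs",
    bytes.fromhex("0180c2000015"): "AllL2ISs",
    bytes.fromhex("09002b000005"): "AllISs",
}
VLAN_TPIDS = {0x8100, 0x88A8}      # 802.1Q and 802.1ad tags
OSI_LLC = b"\xfe\xfe\x03"          # DSAP, SSAP, control for OSI network layer
ISIS_NLPID = 0x83                  # first byte of every IS-IS PDU
PDU_TYPES = {15: "L1 LAN IIH", 16: "L2 LAN IIH", 17: "P2P IIH",
             18: "L1 LSP", 20: "L2 LSP"}

def classify(frame: bytes):
    """Return (outer VLAN or None, group, PDU type) for an IS-IS frame, else None."""
    off, vlan = 12, None
    if len(frame) < off + 2:
        return None
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in VLAN_TPIDS:     # tagged: subinterface traffic on the same port
        if len(frame) < off + 6:
            return None
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vlan = tci & 0x0FFF if vlan is None else vlan
        off += 4
    body = frame[off + 2:]
    # IS-IS rides on 802.3 + LLC, so the type/length field is a length (<= 1500).
    if etype > 1500 or len(body) < 8 or body[:3] != OSI_LLC or body[3] != ISIS_NLPID:
        return None
    group = ISIS_GROUPS.get(frame[:6], "unlisted")
    return vlan, group, PDU_TYPES.get(body[7] & 0x1F, "other")

def isis_seen(frames):
    """IS-IS frames found in a capture; empty when the drop is effective."""
    return [hit for hit in map(classify, frames) if hit is not None]

def _sample(dst_hex, pdu_type, vlan=None):
    """Build a constructed test frame (not captured traffic)."""
    pdu = bytes([ISIS_NLPID, 27, 1, 0, pdu_type, 1, 0, 0])
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    src = bytes.fromhex("020000000001")
    return (bytes.fromhex(dst_hex) + src + tag
            + struct.pack("!H", len(OSI_LLC) + len(pdu)) + OSI_LLC + pdu)

SAMPLES = [
    _sample("0180c2000014", 15),             # untagged: main interface
    _sample("0180c2000015", 20, vlan=100),   # tagged: subinterface, VLAN 100
    bytes.fromhex("ffffffffffff020000000001") + b"\x08\x06" + bytes(28),  # ARP
]
```

Run `isis_seen` over frames captured downstream of the port: any non-empty result after the ACL is applied means ISIS PDUs are still getting through.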