mac access-group

Use this command to attach a MAC access list to an interface to filter incoming packets.

When you attach an access list to a VLAN interface or LAG (Link Aggregation Group) interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:

  1. VLAN interface
  2. LAG interface
  3. Physical interface

For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.
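The priority order above means an access list on a member port can be silently superseded. The following added example (not part of the OcNOS documentation) parses `mac access-group` lines from configuration text and reports such attachments. The interface names, the sample configuration and the `KINDS`/`PARENTS` membership maps are constructed, and comparing attachments per direction is an assumption.

```python
import re

# Priority order stated on this page: VLAN interface, then LAG, then physical.
PRIORITY = {"vlan": 0, "lag": 1, "physical": 2}
ATTACH = re.compile(r"^\s*mac access-group (\S+) (in|out)(?: time-range (\S+))?\s*$")

# Constructed sample input; membership is supplied by hand, not parsed.
SAMPLE_CONFIG = """\
interface po1
 mac access-group lag-filter in
interface xe3
 mac access-group mylist in
 mac access-group egress-list out
interface xe4
 mac access-group mylist in time-range TIMER1
interface vlan1.10
 mac access-group vlan-filter in
"""
KINDS = {"po1": "lag", "xe3": "physical", "xe4": "physical", "vlan1.10": "vlan"}
PARENTS = {"xe3": ["po1", "vlan1.10"], "po1": ["vlan1.10"]}  # member -> parents

def parse_attachments(config_text):
    """Return {(interface, direction): (acl_name, time_range_or_None)}."""
    attached, current = {}, None
    for line in config_text.splitlines():
        head = re.match(r"^interface (\S+)\s*$", line)
        if head:
            current = head.group(1)
            continue
        m = ATTACH.match(line)
        if m and current:
            attached[(current, m.group(2))] = (m.group(1), m.group(3))
    return attached

def shadowed_attachments(attached, kinds, parents):
    """List (interface, direction, acl, winner) where a higher-priority
    parent interface carries an access list in the same direction
    (per-direction comparison is an assumption of this example)."""
    findings = []
    for (ifname, direction), (acl, _tr) in sorted(attached.items()):
        rivals = [p for p in parents.get(ifname, [])
                  if (p, direction) in attached
                  and PRIORITY[kinds[p]] < PRIORITY[kinds[ifname]]]
        if rivals:
            winner = min(rivals, key=lambda p: PRIORITY[kinds[p]])
            findings.append((ifname, direction, acl, winner))
    return findings
```
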

The time-range parameter is optional. If used, the access-group is tied to the timer specified.

After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.

To delete the access-group, use the no form of this command without a time-range.

An access-group in the egress direction uses the TCAM group used by the QoS output service policy. Therefore, actions are unpredictable when conflicting matches are configured on the same interface. IP Infusion Inc. recommends avoiding such a configuration. Otherwise, you need to configure the priority (in QoS) or the sequence number (in ACL) carefully to handle such cases.

Egress TCAMs do not auto-expand beyond 256 entries if any entry includes a policer action. Therefore, the total number of configurable entries in the egress direction is limited to 256.

Command Syntax

mac access-group NAME (in|out) (time-range TR_NAME|)
no mac access-group NAME (in|out) (time-range TR_NAME|)

Parameters

NAME

Access list name.

in

Filter incoming packets.

out

Filter outgoing packets.

TR_NAME

Time range name set with the command

Command Mode

Interface mode

Applicability

This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS version 5.0.

Examples

#configure terminal
(config)#mac access-list mylist
(config-mac-acl)#permit any any
(config-mac-acl)#exit
 
(config)#hardware-profile filter ingress-l2-ext enable
 
(config)#interface xe3
(config-if)#mac access-group mylist in
(config-if)#exit
 
(config)#interface xe3
(config-if)#mac access-group mylist in time-range TIMER1
(config-if)#exit
 
(config)#interface xe3
(config-if)#no mac access-group mylist in time-range TIMER1
(config-if)#exit
 
(config)#interface xe3
(config-if)#no mac access-group mylist in
(config-if)#exit