mac access-list filter
Use this command to define an access control entry (ACE) in a MAC access control list (ACL) that determines whether to permit or deny packets with the given source and destination MAC addresses, ethertype, CoS, and VLAN identifiers.
Use the no form of this command to remove an ACL specification. An ACL specification can also be removed by its sequence number alone.
• Configuring the same filter again with a changed sequence number or action updates that entry's sequence number or action.
• The ethertype option is not supported by the hardware in the egress direction.
• Set wildcard nibbles to "F" to ignore the corresponding fields of the MAC address. For example, configuring "deny any 3333.ABCD.2211 0000.FFFF.FFFF" sets the wildcard 0000.FFFF.FFFF for MAC address 3333.ABCD.2211, so every MAC address from 3333.0000.0000 to 3333.FFFF.FFFF is matched. The wildcard replaces those nibbles with any possible value.
• The learn-disable option is set when the hardware profile filter ingress-l2-ext or ingress-l2-subifp is configured. It is not applicable when the ingress-l2 hardware profile is configured.
• It is only applicable for ingress L2 (MAC) ACLs.
Command Syntax
(<1-268435453>|)(deny|permit) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (arp|aarp|appletalk|cos|decnet-iv|diagnostic|etype-6000|etype-8042|ipv4|ipv6|mpls|lat|lavc-sca|learn-disable|mop-console|mop-dump|vines-echo|vlan|<0x600-0xFFF>|) (cos <0-7>|) (vlan <1-4094>|) (inner-vlan <1-4094>|<0x600-0xFFF>)
no (<1-268435453>|)(deny|permit) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (any | (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX) | host (XX-XX-XX-XX-XX-XX|XX:XX:XX:XX:XX:XX|XXXX.XXXX.XXXX)) (arp|aarp|appletalk|cos|decnet-iv|diagnostic|etype-6000|etype-8042|ipv4|ipv6|mpls|lat|lavc-sca|learn-disable|mop-console|mop-dump|vines-echo|vlan|<0x600-0xFFF>|) (cos <0-7>|) (vlan <1-4094>|) (inner-vlan <1-4094>|<0x600-0xFFF>)
no (<1-268435453>)
Parameter
deny
Drop the packet.
permit
Accept the packet.
<1-268435453>
ACL sequence number.
any
Source/Destination any.
XX-XX-XX-XX-XX-XX
Source/Destination MAC address (Option 1).
XX:XX:XX:XX:XX:XX
Source/Destination MAC address (Option 2).
XXXX.XXXX.XXXX
Source/Destination MAC address (Option 3).
XX-XX-XX-XX-XX-XX
Source/Destination wildcard (Option 1).
XX:XX:XX:XX:XX:XX
Source/Destination wildcard (Option 2).
XXXX.XXXX.XXXX
Source/Destination wildcard (Option 3).
host
A single source/destination host.
aarp
Ethertype - 0x80f3.
arp
Matches Address Resolution Protocol (ARP) packets.
appletalk
Ethertype - 0x809b.
cos
Matches frames based on the 802.1p Class of Service (CoS) value.
decnet-iv
Ethertype - 0x6003.
diagnostic
Ethertype - 0x6005.
etype-6000
Ethertype - 0x6000.
etype-8042
Ethertype - 0x8042.
ipv4
Ethertype - 0x0800.
ipv6
Ethertype - 0x86dd.
lat
Ethertype - 0x6004.
lavc-sca
Ethertype - 0x6007.
learn-disable
Ingress MAC learn disable. (This parameter is applicable to Qumran2 (Q2) series platforms only.)
mop-console
Ethertype - 0x6002.
mop-dump
Ethertype - 0x6001.
vines-echo
Ethertype - 0x0baf.
WORD
Any Ethertype value.
cos <0-7>
CoS value.
vlan <1-4094>
VLAN identifier.
inner-vlan <1-4094>
Inner VLAN identifier.
log
Log the packets matching the filter (in-direction only).
sample
Sample the packets matching the filter (in-direction only).
Default
None
Command Mode
MAC ACL mode
Applicability
This command was introduced before OcNOS version 1.3. The learn-disable parameter was added in OcNOS version 6.6.1.
Examples
#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#permit 0000.1234.1234 0000.0000.0000 any

#configure terminal
(config)#mac access-list mac-acl-01
(config-mac-acl)#deny host 0000.0000.1111 any
(config-mac-acl)#deny host 0000.0000.1112 any learn-disable
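The following Python model, added here and not part of OcNOS or this reference, shows how the wildcard semantics from the note and the first-match ordering by sequence number play out for the ACEs in the examples above. It assumes that unnumbered entries are evaluated in the order written and it does not evaluate the trailing ethertype, cos, vlan or learn-disable options; the sample ACL is constructed from the page's examples and the wildcard note.

```python
import re

_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$"
                     r"|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$")
ANY = (0, 0xFFFFFFFFFFFF)  # "any": base 0, every wildcard bit set (don't care)

def mac_to_int(text):
    """Parse XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX or XXXX.XXXX.XXXX to a 48-bit int."""
    if not _MAC_RE.match(text):
        raise ValueError("unrecognised MAC notation: %r" % text)
    return int(re.sub(r"[-:.]", "", text), 16)

def matches(mac, base, wildcard):
    """A 1 bit (F nibble) in the wildcard ignores that bit of the address,
    so 0000.0000.0000 demands an exact match (the semantics in the note)."""
    care = ~wildcard & 0xFFFFFFFFFFFF
    return (mac & care) == (base & care)

def parse_ace(line, default_seq=0):
    """Parse '[seq] deny|permit SRC DST [options]'; SRC/DST is 'any', 'host MAC'
    or 'MAC WILDCARD'. Trailing options (ethertype, cos, vlan, learn-disable) are
    kept, not evaluated. default_seq for unnumbered entries is an assumption."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else default_seq
    action = tokens.pop(0)
    if action not in ("deny", "permit"):
        raise ValueError("expected deny|permit, got %r" % action)
    def take_addr():
        t = tokens.pop(0)
        if t == "any":
            return ANY
        if t == "host":
            return (mac_to_int(tokens.pop(0)), 0)
        return (mac_to_int(t), mac_to_int(tokens.pop(0)))
    src, dst = take_addr(), take_addr()
    return {"seq": seq, "action": action, "src": src, "dst": dst, "options": tokens}

def evaluate(acl_lines, src_mac, dst_mac):
    """First match in sequence order wins: 'permit', 'deny', or None if none match."""
    aces = [parse_ace(line, i + 1) for i, line in enumerate(acl_lines)]
    src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
    for ace in sorted(aces, key=lambda a: a["seq"]):
        if matches(src, *ace["src"]) and matches(dst, *ace["dst"]):
            return ace["action"]
    return None

# Constructed sample built from the page's examples and the wildcard note.
SAMPLE_ACL = ["10 deny any 3333.ABCD.2211 0000.FFFF.FFFF",
              "20 permit 0000.1234.1234 0000.0000.0000 any",
              "30 deny host 0000.0000.1111 any",
              "40 deny host 0000.0000.1112 any learn-disable"]
```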