access-list mac

Syntax

access-list mac <ACL-NAME>

no access-list mac <ACL-NAME>


  [<SEQUENCE-NUMBER>]
  {permit|deny}
  {any|<SRC-MAC-ADDRESS>[/<ETHERNET-MASK>]}
  {any|<DST-MAC-ADDRESS>[/<ETHERNET-MASK>]}
  {any|aarp|appletalk|arp|fcoe|fcoe-init|ip|ipv6|
      ipx-arpa|ipx-non-arpa|is-is|lldp|mpls-multicast|mpls-unicast|q-in-q|
      rbridge|trill|wake-on-lan|<NUMERIC-ETHERTYPE>}
  [pcp <PCP-VALUE>] [vlan <VLAN-ID>] [count] [log]

  no <SEQUENCE-NUMBER>


  [<SEQUENCE-NUMBER>] comment <TEXT-STRING>

  no <SEQUENCE-NUMBER> comment

Description

Creates a MAC Access Control List (ACL). The ACL is made of one or more Access Control Entries (ACEs) ordered and prioritized by sequence number: the ACE with the lowest sequence number has the highest priority and is evaluated first.

The no form of this command deletes the entire ACL, or deletes an ACE identified by sequence number, or deletes only the comment from the ACE identified by sequence number.

Command context

config

The access-list mac <ACL-NAME> command takes you into the named ACL context where you enter the ACEs.

Parameters

<ACL-NAME>

Specifies the name of this ACL.

<SEQUENCE-NUMBER>

Specifies a sequence number for the ACE. Range: 1 to 4294967295.

{permit|deny}

Specifies whether to permit or deny traffic matching this ACE.

comment

Stores the remaining text entered on the command line as the comment for the ACE identified by the sequence number.

{any|<SRC-MAC-ADDRESS>[/<ETHERNET-MASK>]}

Specifies the source host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:

  • <ETHERNET-MASK> - The address bits to mask (xxxx.xxxx.xxxx).

{any|<DST-MAC-ADDRESS>[/<ETHERNET-MASK>]}

Specifies the destination host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:

  • <ETHERNET-MASK> - The address bits to mask (xxxx.xxxx.xxxx).

{any|aarp|appletalk| ... |wake-on-lan|<NUMERIC-ETHERTYPE>}

Specifies the protocol encapsulated in the Ethernet frame. The encapsulated protocol is identified by the EtherType field of the Ethernet header. The EtherType is specified in one of the following three ways:

  • any - any EtherType.

  • <NUMERIC-ETHERTYPE> - the numerical EtherType protocol number. Range: 0x600 to 0xffff.

  • One of these EtherType protocol name keywords:

    • aarp
    • appletalk
    • arp
    • fcoe
    • fcoe-init
    • ip
    • ipv6
    • ipx-arpa
    • ipx-non-arpa
    • is-is
    • lldp
    • mpls-multicast
    • mpls-unicast
    • q-in-q
    • rbridge
    • trill
    • wake-on-lan

pcp <PCP-VALUE>

Specifies the 802.1Q QoS Priority Code Point value to match. Range: 0 to 7.

vlan <VLAN-ID>

Specifies a VLAN ID. The VLAN ID must exist.

NOTE:

This parameter cannot be used in any ACL that will be applied to a VLAN.

count

Keeps a hit count of the number of packets matching this ACE.

log

Keeps a log of the number of packets matching this ACE. The action log can only be combined with deny, not permit. The 8320 and 8325 switches do not support logging for ACLs applied on the egress.

Authority

Administrators

Usage

When multiple ACL types (IPv4, IPv6, or MAC) with logging are applied on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait-period expires, packets matching ACEs of the other ACL types do not create a log. At the end of the wait-period, the switch creates a summary log of all the ACLs that were matched, regardless of type.

Egress ACL logging is not supported. Egress filtering based on the VLAN tag on a routed port is not supported.
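The suppression behaviour described under Usage matters to anyone feeding ACL logs into a SIEM: after the first logged hit, no further per-packet logs appear from any ACL type until the wait-period ends, and what follows is a single summary. The model below is an added illustration, not switch code; the wait-period length, the ACL names and the record format are constructed here because the page gives none of them, and the summary is assumed to cover the closed period including the hit that opened it.

```python
from collections import Counter
from typing import List, Tuple

# One logged hit: (time in seconds, ACL type, ACL name, ACE sequence number).
Hit = Tuple[float, str, str, int]

def model_acl_logging(hits: List[Hit], wait_period: float) -> List[Tuple]:
    """Model of the Usage text: the first hit on an ACE with 'log' opens a
    wait-period; further hits during it, from any ACL type, are only counted;
    a hit arriving after the period has elapsed emits one summary of everything
    matched in the closed period and opens a new one. Record shapes (constructed):
    ("first", time, (type, name, seq)) and ("summary", period_start, {key: count})."""
    records = []
    period_start = None
    matched: Counter = Counter()
    for time, acl_type, name, seq in sorted(hits):
        key = (acl_type, name, seq)
        if period_start is not None and time - period_start >= wait_period:
            records.append(("summary", period_start, dict(matched)))
            period_start, matched = None, Counter()
        if period_start is None:
            records.append(("first", time, key))
            period_start = time
        matched[key] += 1
    if period_start is not None:  # close the last period at end of input
        records.append(("summary", period_start, dict(matched)))
    return records

# Constructed sample: one interface carrying a MAC ACL and an IPv4 ACL whose deny
# ACEs both carry 'log'; the 30 s wait-period is likewise a constructed value.
SAMPLE_HITS: List[Hit] = [
    (0.0, "MAC", "MAC_DENY_ACL", 40),
    (0.4, "IPv4", "IPV4_DENY_ACL", 10),
    (1.2, "MAC", "MAC_DENY_ACL", 40),
    (12.0, "MAC", "MAC_DENY_ACL", 40),
    (31.0, "IPv4", "IPV4_DENY_ACL", 10),
]

def sample_records() -> List[Tuple]:
    """Four records: one 'first', one summary of the 0-30 s period, then a new
    'first' at 31 s and its closing summary."""
    return model_acl_logging(SAMPLE_HITS, wait_period=30.0)
```

The point the model makes visible is that three MAC denies and one IPv4 deny inside the window produce exactly one log line at the start and one summary at the end; a detection rule that expects a log per denied packet, or a log per ACL type, will undercount.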

Examples

Creating a MAC ACL with four entries:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# 10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
switch(config-acl-mac)# 20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
switch(config-acl-mac)# 30 permit any any appletalk vlan 40
switch(config-acl-mac)# 40 deny any any any count
switch(config-acl-mac)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any
           any
           VLAN: 40
        40 deny                            any
           any
           any
           Hit-counts: enabled

Adding a comment to an existing MAC ACE:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# 30 comment Permit all vlan-40 tagged Appletalk traffic
switch(config-acl-mac)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 Permit all vlan-40 tagged Appletalk traffic
           permit                          appletalk
           any
           any
           VLAN: 40
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing a comment from an existing MAC ACE:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# no 30 comment
switch(config-acl-mac)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any
           any
           VLAN: 1
        40 deny                            any
           any
           any
           Hit-counts: enabled

Adding an ACE to an existing MAC ACL:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# 35 permit any aabb.cc11.1234 0xffee
switch(config-acl-mac)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any
           any
           VLAN: 1
        35 permit                          0xffee
           any
           aabb.cc11.1234
        40 deny                            any
           any
           any
           Hit-counts: enabled

Replacing an ACE in an existing MAC ACL:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# 35 permit any aabb.cc11.1234 0xeeee
switch(config-acl-mac)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any
           any
           VLAN: 1
        35 permit                          0xeeee
           any
           aabb.cc11.1234
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing an ACE from a MAC ACL:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# no 35
switch(config-acl-mac)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
        20 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any
           any
           VLAN: 1
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing a MAC ACL:

switch(config)# no access-list mac MY_MAC_ACL

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address
           Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL2
         1 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000
           any
         2 permit                          any
           aaaa.bbbb.cccc
           1111.2222.3333
           QoS Priority Code Point: 4
         3 Permit all vlan-40 tagged Appletalk traffic
           permit                          appletalk
           any
           any
           VLAN: 1
         4 deny                            any
           any
           any
           Hit-counts: enabled