access-list mac

Syntax

access-list mac
no access-list mac
[] {permit|deny} {any|[/}]} {any|[/}]} {any|aarp|appletalk|arp|fcoe|fcoe-init|ip|ipv6|ipx-arpa|ipx-non-arpa|is-is|lldp|mpls-multicast|mpls-unicast|q-in-q|rbridge|trill|wake-on-lan|} [pcp] [vlan <vlan id>] [count] [log]
no []
comment
no comment

Description

Creates a MAC Access Control List (ACL). The ACL is made of one or more Access Control Entries (ACEs) ordered and prioritized by sequence numbers. The lowest sequence number is the highest prioritized ACE.

The no form of this command deletes the entire ACL, deletes an ACE identified by sequence number, or deletes only the comment from the ACE identified by sequence number.

Command context

config

The access-list mac command takes you into the named ACL context where you enter the ACEs.

Parameters

Specifies the name of this ACL.

Specifies a sequence number for the ACE. Range: 1 to 4294967295.

{permit|deny}

Specifies whether to permit or deny traffic matching this ACE.

comment

Specifies that the remaining entered text is stored as an ACE comment.

{any|[/}]}

Specifies the source host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:

  • - The address bits to mask (xxxx.xxxx.xxxx).

{any|[/}]}

Specifies the destination host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:

  • - The address bits to mask (xxxx.xxxx.xxxx).

{any|aarp|appletalk| ... |wake-on-lan|

Specifies the protocol encapsulated in the Ethernet frame. The encapsulated protocol is identified by the EtherType field of the frame. The EtherType is specified in one of the following three ways:

  • any - any EtherType.

  • - the numerical EtherType protocol number. Range: 0x600 to 0xffff.

  • One of these EtherType protocol name keywords:

    • aarp
    • appletalk
    • arp
    • fcoe
    • fcoe-init
    • ip
    • ipv6
    • ipx-arpa
    • ipx-non-arpa
    • is-is
    • lldp
    • mpls-multicast
    • mpls-unicast
    • q-in-q
    • rbridge
    • trill
    • wake-on-lan

pcp

Specifies 802.1Q QoS Priority Code Point value. Range: 0 to 7.

vlan

Specifies a VLAN ID. The VLAN ID must exist.

NOTE:

This parameter cannot be used in any ACL that will be applied to a VLAN.

count

Keeps the hit counts of the number of packets matching this ACE.

log

Keeps a log of the number of packets matching this ACE. Works with deny actions but not with permit actions. Works with ACLs applied on ingress but not with ACLs applied on egress.

Authority

Administrators or local user group members with execution rights for this command.

Usage

When multiple ACL types (IPv4, IPv6, or MAC) with logging are applied on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait period expires, packets matching the other ACL types do not create a log. At the end of the wait period, the switch creates a summary log of all the ACLs that were matched, regardless of type.

Examples

Creating a MAC ACL with four entries:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
switch(config-acl-ip)# 20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
switch(config-acl-ip)# 30 permit any any appletalk vlan 40
switch(config-acl-ip)# 40 deny any any any count
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 40
        40 deny                            any
           any                             any
           Hit-counts: enabled

Adding a comment to an existing MAC ACE:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 30 comment Permit all vlan-40 tagged Appletalk traffic
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 Permit all vlan-40 tagged Appletalk traffic
           permit                          appletalk
           any                             any
           VLAN: 40
        40 deny                            any
           any                             any
           Hit-counts: enabled

Removing a comment from an existing MAC ACE:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# no 30 comment
switch(config-acl-mac)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        40 deny                            any
           any                             any
           Hit-counts: enabled

Adding an ACE to an existing MAC ACL:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 35 permit any aabb.cc11.1234 0xffee
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        35 permit                          0xffee
           any                             aabb.cc11.1234
        40 deny                            any
           any                             any
           Hit-counts: enabled

Replacing an ACE in an existing MAC ACL:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 35 permit any aabb.cc11.1234 0xeeee
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        35 permit                          0xeeee
           any                             aabb.cc11.1234
        40 deny                            any
           any                             any
           Hit-counts: enabled

Removing an ACE from a MAC ACL:

switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# no 35
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        40 deny                            any
           any                             any
           Hit-counts: enabled

Removing a MAC ACL:

switch(config)# no access-list mac MY_MAC_ACL
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL2
         1 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
         2 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
         3 Permit all vlan-40 tagged Appletalk traffic
           permit                          appletalk
           any                             any
           VLAN: 1
         4 deny                            any
           any                             any
           Hit-counts: enabled
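As an added example that is not part of this reference and not the switch vendor's code, the following Python model of the ACE matching rules described above lets you check what the page's MY_MAC_ACL does to a constructed frame before the ACL is applied to an interface. It assumes that a 1 bit in an Ethernet mask selects an address bit that must match (so 1122.3344.5566/ffff.ffff.0000 pins the first four bytes and /24 pins the OUI), that ACEs are evaluated from the lowest sequence number upward and the first match decides, and it maps only a subset of the page's EtherType keywords to their IEEE numbers; parse_mac_spec, parse_ace, matches and evaluate are names chosen here, not switch commands.

```python
# Added example (not the switch vendor's code): offline evaluator for this page's MAC ACL semantics.
ETHERTYPES = {"ip": 0x0800, "ipv6": 0x86DD, "arp": 0x0806,        # subset of the page's keyword
              "appletalk": 0x809B, "aarp": 0x80F3, "lldp": 0x88CC}  # list; numbers are IEEE values
parse_mac = lambda text: int(text.replace(".", ""), 16)            # 'xxxx.xxxx.xxxx' -> 48-bit int

def parse_mac_spec(spec):
    """'any' | addr | addr/mask | addr/len -> (addr, mask); assumption: mask bit 1 = bit must match."""
    if spec == "any":
        return 0, 0
    addr, _, mask = spec.partition("/")
    if mask.isdigit():                              # prefix length, e.g. /24 selects the OUI
        bits = ((1 << 48) - 1) ^ ((1 << (48 - int(mask))) - 1)
    else:                                           # dotted mask; no mask means exact host
        bits = parse_mac(mask) if mask else (1 << 48) - 1
    return parse_mac(addr), bits

def parse_ace(line):
    """'<seq> {permit|deny} <src> <dst> <ethertype> [pcp N] [vlan N] [count] [log]'."""
    tok = line.split()
    ace = dict(seq=int(tok[0]), action=tok[1], src=parse_mac_spec(tok[2]), dst=parse_mac_spec(tok[3]),
               etype=None, pcp=None, vlan=None, count=False, log=False, hits=0)
    assert 1 <= ace["seq"] <= 4294967295 and ace["action"] in ("permit", "deny")
    if tok[4] != "any":                             # keyword, or a numeric 0x600-0xffff EtherType
        ace["etype"] = ETHERTYPES.get(tok[4]) or int(tok[4], 16)
        assert 0x600 <= ace["etype"] <= 0xFFFF
    rest = tok[5:]
    while rest:
        key = rest.pop(0)
        assert key in ("pcp", "vlan", "count", "log"), key
        ace[key] = int(rest.pop(0)) if key in ("pcp", "vlan") else True
    assert ace["pcp"] is None or 0 <= ace["pcp"] <= 7
    return ace

def matches(ace, frame):
    """Masked source/destination compare, then exact EtherType, PCP and VLAN qualifiers."""
    return (all(frame[f] & ace[f][1] == ace[f][0] & ace[f][1] for f in ("src", "dst")) and
            all(ace[k] is None or frame.get(k) == ace[k] for k in ("etype", "pcp", "vlan")))

def evaluate(acl, frame):
    """Lowest sequence number wins; returns (action, seq), or None when no ACE matches."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if matches(ace, frame):
            ace["hits"] += ace["count"]             # 'count' keeps a hit counter on the ACE
            return ace["action"], ace["seq"]
    return None

MY_MAC_ACL = [parse_ace(l) for l in (               # the page's MY_MAC_ACL, as typed in its example
    "10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6", "20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4",
    "30 permit any any appletalk vlan 40", "40 deny any any any count")]
```

A frame is a dict with integer src, dst and etype keys plus optional pcp and vlan; a frame matching no ACE returns None, since the page does not state what happens after the last ACE.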