access-list mac
Syntax
access-list mac <ACL-NAME>
[<SEQUENCE-NUMBER>]
{permit|deny}
{any|<SRC-MAC-ADDRESS>[/<ETHERNET-MASK>]}
{any|<DST-MAC-ADDRESS>[/<ETHERNET-MASK>]}
{any|aarp|appletalk|arp|fcoe|fcoe-init|ip|ipv6|
ipx-arpa|ipx-non-arpa|is-is|lldp|mpls-multicast|mpls-unicast|q-in-q|
rbridge|trill|wake-on-lan|<NUMERIC-ETHERTYPE>}
[pcp <PCP-VALUE>] [vlan <VLAN-ID>] [count] [log]
[<SEQUENCE-NUMBER>] comment <TEXT-STRING>
Description
Creates a MAC access control list (ACL). The ACL is made of one or more access control list entries (ACEs), ordered and prioritized by sequence number: the ACE with the lowest sequence number has the highest priority and is evaluated first.
The no form of this command deletes an ACL (use no with the access-list command) or an individual ACE (use no with the sequence-number parameter).
Command context
config
The access-list mac <ACL-NAME> command takes you into the named ACL context, where you enter the access control entries.
Parameters
<ACL-NAME>
Specifies the name of this ACL.
<SEQUENCE-NUMBER>
Specifies a sequence number for the ACE. Optional, in the range of 1-4294967295.
{permit|deny}
Specifies whether to permit or deny traffic matching this ACE.
comment
Specifies storing the remaining entered text as an ACE comment.
{any|<SRC-MAC-ADDRESS>[/<ETHERNET-MASK>]}
Specifies the source host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:
<ETHERNET-MASK> - The address bits to mask (xxxx.xxxx.xxxx).
{any|<DST-MAC-ADDRESS>[/<ETHERNET-MASK>]}
Specifies the destination host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:
<ETHERNET-MASK> - The address bits to mask (xxxx.xxxx.xxxx).
protocol
Select an EtherType protocol from the following (enter one only):
any - Any EtherType protocol
<NUMERIC-ETHERTYPE> - Enter an EtherType protocol number. Range: 0x600-0xffff. Or enter an EtherType protocol name from the following list:
aarp
appletalk
arp
fcoe
fcoe-init
ip
ipv6
ipx-arpa
ipx-non-arpa
is-is
lldp
mpls-multicast
mpls-unicast
q-in-q
rbridge
trill
wake-on-lan
pcp <PCP-VALUE>
Specifies QoS Priority Code Point to match on. Range: 0-7.
vlan <VLAN-ID>
Specifies an 802.1Q VLAN ID to match on. The VLAN ID must already have been configured.
count
Keeps the hit counts of the number of packets matching this ACE.
log
Keeps a log of the number of packets matching this ACE. The action log can only be combined with deny, not permit.
Authority
Administrators
Usage
When multiple ACL types (IPv4, IPv6, or MAC) with logging are applied on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait-period is over, packets matching ACEs of the other ACL types do not create a log entry. At the end of the wait-period, the switch creates a summary log of all the ACLs that were matched, regardless of type.
Examples
Creating a MAC ACL with four entries:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
switch(config-acl-ip)# 20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
switch(config-acl-ip)# 30 permit any any appletalk vlan 40
switch(config-acl-ip)# 40 deny any any any count
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 40
        40 deny                            any
           any                             any
           Hit-counts: enabled
Adding a comment to an existing MAC ACE:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 30 comment Permit all vlan-40 tagged Appletalk traffic
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        40 deny                            any
           any                             any
           Hit-counts: enabled
Removing a comment from an existing MAC ACE:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# no 30 comment
switch(config-acl-mac)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        40 deny                            any
           any                             any
           Hit-counts: enabled
Adding an ACE to an existing MAC ACL:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 35 permit any aabb.cc11.1234 0xffee
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        35 permit                          0xffee
           any                             aabb.cc11.1234
        40 deny                            any
           any                             any
           Hit-counts: enabled
Replacing an ACE in an existing MAC ACL:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 35 permit any aabb.cc11.1234 0xeeee
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        35 permit                          0xeeee
           any                             aabb.cc11.1234
        40 deny                            any
           any                             any
           Hit-counts: enabled
Removing an ACE from a MAC ACL:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# no 35
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        40 deny                            any
           any                             any
           Hit-counts: enabled
Removing a MAC ACL:
switch(config)# no access-list mac MY_MAC_ACL
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL2
         1 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
         2 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
         3 Permit all vlan-40 tagged Appletalk traffic
           permit                          appletalk
           any                             any
           VLAN: 1
         4 deny                            any
           any                             any
           Hit-counts: enabled
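The following is an added, constructed Python model of the ACE grammar and matching rules described in the Parameters section and exercised in the examples above. It is not switch code and not part of the original page. It assumes that a set bit in <ETHERNET-MASK> means the corresponding address bit must match (which is how the OUI mask ffff.ffff.0000 in the examples behaves), assumes the usual IEEE EtherType numbers for a handful of the protocol names (the page lists only the names), and returns None when no ACE matches because the page does not state what the switch does in that case. The functions parse_mac, parse_address, parse_ace, ace_matches, evaluate and build_page_acl, and the Frame and Ace types, are all hypothetical names introduced here.

```python
"""Constructed model of how the MAC ACEs on this page are parsed and matched.
Added illustration only; this is not the switch's implementation."""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed EtherType numbers for a subset of the protocol names the command
# accepts (the page lists names only; these are the usual IEEE assignments).
ETHERTYPE_BY_NAME = {"ip": 0x0800, "arp": 0x0806, "ipv6": 0x86DD,
                     "appletalk": 0x809B, "aarp": 0x80F3, "lldp": 0x88CC}
ALL_ONES = 0xFFFFFFFFFFFF
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
# A frame as the ACL sees it; pcp/vlan are None when there is no 802.1Q tag.
Frame = namedtuple("Frame", "src dst ethertype pcp vlan", defaults=(None, None))

def parse_mac(text: str) -> int:
    """xxxx.xxxx.xxxx -> 48-bit integer."""
    if not MAC_RE.match(text.lower()):
        raise ValueError(f"bad MAC or mask {text!r}, expected xxxx.xxxx.xxxx")
    return int(text.replace(".", ""), 16)

def parse_address(token: str) -> Tuple[int, int]:
    """'any' -> (0, 0); 'mac' -> exact host; 'mac/mask' -> (address, mask).
    Assumption: a set mask bit means that address bit must match."""
    if token == "any":
        return 0, 0
    addr, _, mask = token.partition("/")
    return parse_mac(addr), (parse_mac(mask) if mask else ALL_ONES)

@dataclass
class Ace:
    seq: int
    action: str
    src: Tuple[int, int]          # (address, mask)
    dst: Tuple[int, int]
    ethertype: Optional[int]      # None means 'any'
    pcp: Optional[int] = None
    vlan: Optional[int] = None
    count: bool = False
    log: bool = False

def parse_ace(line: str) -> Ace:
    """'<seq> {permit|deny} <src> <dst> <proto> [pcp N] [vlan N] [count] [log]'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[4].lower()
    if not 1 <= seq <= 4294967295 or action not in ("permit", "deny"):
        raise ValueError(f"bad sequence number or action in {line!r}")
    ethertype = None if proto == "any" else ETHERTYPE_BY_NAME.get(proto)
    if ethertype is None and proto != "any":  # numeric EtherType, 0x600-0xffff
        ethertype = int(proto, 16)
        if not 0x600 <= ethertype <= 0xFFFF:
            raise ValueError(f"EtherType out of range in {line!r}")
    ace = Ace(seq, action, parse_address(tok[2]), parse_address(tok[3]), ethertype)
    i = 5
    while i < len(tok):                       # optional qualifiers, any order
        if tok[i] in ("pcp", "vlan"):
            setattr(ace, tok[i], int(tok[i + 1]))
            i += 2
        elif tok[i] in ("count", "log"):
            setattr(ace, tok[i], True)
            i += 1
        else:
            raise ValueError(f"unknown option {tok[i]!r} in {line!r}")
    if ace.pcp is not None and not 0 <= ace.pcp <= 7:
        raise ValueError(f"pcp out of range in {line!r}")
    if ace.log and ace.action != "deny":      # rule stated on the page
        raise ValueError("log can only be combined with deny")
    return ace

def ace_matches(ace: Ace, f: Frame) -> bool:
    (src, smask), (dst, dmask) = ace.src, ace.dst
    return ((parse_mac(f.src) & smask) == (src & smask)
            and (parse_mac(f.dst) & dmask) == (dst & dmask)
            and (ace.ethertype is None or ace.ethertype == f.ethertype)
            and (ace.pcp is None or ace.pcp == f.pcp)
            and (ace.vlan is None or ace.vlan == f.vlan))

def evaluate(acl: Dict[int, Ace], frame: Frame) -> Optional[Tuple[str, int]]:
    """First match in ascending sequence order (lowest number wins). Returns None
    when nothing matches; the page does not say what the switch does then."""
    for seq in sorted(acl):
        if ace_matches(acl[seq], frame):
            return acl[seq].action, seq
    return None

def build_page_acl() -> Dict[int, Ace]:
    """The four ACEs of the page's first example, keyed by sequence number, so
    that re-adding a number replaces the ACE and 'del acl[seq]' removes it."""
    acl: Dict[int, Ace] = {}
    for line in ("10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6",
                 "20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4",
                 "30 permit any any appletalk vlan 40",
                 "40 deny any any any count"):
        ace = parse_ace(line)
        acl[ace.seq] = ace
    return acl
```

Calling evaluate(build_page_acl(), Frame("1122.3344.9999", "0011.2233.4455", 0x86DD)) returns ('permit', 10): the source falls inside the ffff.ffff.0000 mask of sequence 10, so that ACE wins even though sequence 40 would also match. Adding the page's sequence 35 ACE (acl[35] = parse_ace("35 permit any aabb.cc11.1234 0xffee")) and later deleting it with del acl[35] mirrors the "Adding", "Replacing" and "Removing an ACE" examples above.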