access-list mac
Syntax
access-list mac <ACL-NAME>
no access-list mac <ACL-NAME>
[<SEQUENCE-NUMBER>] {permit|deny}
    {any|<SRC-MAC-ADDRESS>[/<ETHERNET-MASK>]}
    {any|<DST-MAC-ADDRESS>[/<ETHERNET-MASK>]}
    {any|aarp|appletalk|arp|fcoe|fcoe-init|ip|ipv6|ipx-arpa|ipx-non-arpa|is-is|lldp|
     mpls-multicast|mpls-unicast|q-in-q|rbridge|trill|wake-on-lan|<NUMERIC-ETHERTYPE>}
    [pcp <PCP-VALUE>] [vlan <VLAN-ID>] [count] [log]
no <SEQUENCE-NUMBER>
[<SEQUENCE-NUMBER>] comment <TEXT-STRING>
no <SEQUENCE-NUMBER> comment
Description
Creates a MAC Access Control List (ACL). The ACL is made of one or more Access Control Entries (ACEs) ordered and prioritized by sequence numbers. The lowest sequence number is the highest prioritized ACE.
The no form of this command deletes the entire ACL, deletes an ACE identified by sequence number, or deletes only the comment from the ACE identified by sequence number.
Command context
config
The access-list mac <ACL-NAME> command takes you into the named ACL context, where you enter the ACEs.
Parameters
<ACL-NAME>
Specifies the name of this ACL.
<SEQUENCE-NUMBER>
Specifies a sequence number for the ACE. Range: 1 to 4294967295.
{permit|deny}
Specifies whether to permit or deny traffic matching this ACE.
comment
Specifies storing the remaining entered text as an ACE comment.
{any|<SRC-MAC-ADDRESS>[/<ETHERNET-MASK>]}
Specifies the source host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:
<ETHERNET-MASK> - The address bits to mask (xxxx.xxxx.xxxx).
{any|<DST-MAC-ADDRESS>[/<ETHERNET-MASK>]}
Specifies the destination host MAC address (xxxx.xxxx.xxxx), OUI, or the keyword any. You can optionally include the following:
<ETHERNET-MASK> - The address bits to mask (xxxx.xxxx.xxxx).
{any|aarp|appletalk| ... |wake-on-lan|<NUMERIC-ETHERTYPE>}
Specifies the protocol encapsulated in the Ethernet frame. The encapsulated protocol is identified by the EtherType field of the Ethernet frame. The EtherType is specified in one of the following three ways:
any - any EtherType.
<NUMERIC-ETHERTYPE> - the numerical EtherType protocol number. Range: 0x600 to 0xffff.
One of these EtherType protocol name keywords:
aarp
appletalk
arp
fcoe
fcoe-init
ip
ipv6
ipx-arpa
ipx-non-arpa
is-is
lldp
mpls-multicast
mpls-unicast
q-in-q
rbridge
trill
wake-on-lan
pcp <PCP-VALUE>
Specifies 802.1Q QoS Priority Code Point value. Range: 0 to 7.
vlan <VLAN-ID>
Specifies a VLAN ID. The VLAN ID must exist.
NOTE: This parameter cannot be used in any ACL that will be applied to a VLAN.
count
Keeps the hit counts of the number of packets matching this ACE.
log
Keeps a log of the number of packets matching this ACE. Works with both permit and deny actions. Works with ACLs applied on ingress or egress.
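The matching rules the parameters above describe (lowest sequence number wins, source and destination address masks, EtherType as keyword or number, the pcp and vlan qualifiers, and the count keyword) as an added, runnable model in Python. This is not AOS-CX code and is not taken from the page. It assumes that a set bit in <ETHERNET-MASK> means the corresponding address bit must match (which is how the page's OUI example 1122.3344.5566/ffff.ffff.0000 reads), that an address given without a mask must match all 48 bits, that the keyword-to-EtherType numbers in ETHERTYPE_KEYWORDS are the example's own table, and that evaluate() simply returns None when no ACE matches, since what the switch does with an unmatched frame is not covered by this page. The Frame tuple is a constructed input; its pcp and vlan fields stay None for an untagged frame.

```python
"""Model of MAC ACE matching for the access-list mac syntax described above.

Added example, not AOS-CX code. Assumptions not stated on the page: a set bit
in <ETHERNET-MASK> means that address bit must match (ffff.ffff.0000 keeps the
OUI, as in the page's first example); a bare address must match all 48 bits;
the keyword-to-EtherType table is this example's own; evaluate() returns None
when no ACE matches (the switch's handling of such a frame is off-page).
"""
import re
from collections import namedtuple
from typing import Optional, Tuple

ETHERTYPE_KEYWORDS = {"ip": 0x0800, "arp": 0x0806, "ipv6": 0x86DD,
                      "appletalk": 0x809B, "aarp": 0x80F3, "lldp": 0x88CC,
                      "fcoe": 0x8906, "q-in-q": 0x88A8, "wake-on-lan": 0x0842}
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
FULL_MASK = (1 << 48) - 1
Frame = namedtuple("Frame", "src dst ethertype pcp vlan", defaults=(None, None))

def mac_to_int(text: str) -> int:
    """Parse the page's xxxx.xxxx.xxxx notation (address or mask) to an int."""
    if not MAC_RE.match(text):
        raise ValueError(f"not in xxxx.xxxx.xxxx form: {text!r}")
    return int(text.replace(".", ""), 16)

def parse_mac_match(token: str) -> Tuple[int, int]:
    """Return (address, mask): 'any' is mask 0, a bare address is a full match."""
    if token == "any":
        return (0, 0)
    addr, _, mask = token.partition("/")
    return (mac_to_int(addr), mac_to_int(mask) if mask else FULL_MASK)

def mac_matches(rule: Tuple[int, int], mac: int) -> bool:
    return (mac & rule[1]) == (rule[0] & rule[1])  # set mask bits must match

def parse_ethertype(token: str) -> Optional[int]:
    """'any' -> None; keyword -> table value; hex number -> 0x600..0xffff."""
    if token == "any":
        return None
    if token in ETHERTYPE_KEYWORDS:
        return ETHERTYPE_KEYWORDS[token]
    value = int(token, 16)
    if not 0x600 <= value <= 0xFFFF:
        raise ValueError(f"EtherType out of range: {token}")
    return value

def parse_ace(line: str) -> dict:
    """Parse '<seq> {permit|deny} <src> <dst> <ethertype> [pcp N] [vlan V] [count] [log]'."""
    t = line.split()
    if t[1] not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {t[1]}")
    ace = {"seq": int(t[0]), "action": t[1], "src": parse_mac_match(t[2]),
           "dst": parse_mac_match(t[3]), "ethertype": parse_ethertype(t[4]),
           "pcp": None, "vlan": None, "count": False, "log": False}
    i = 5
    while i < len(t):
        if t[i] in ("pcp", "vlan"):
            ace[t[i]] = int(t[i + 1])
            if t[i] == "pcp" and not 0 <= ace["pcp"] <= 7:
                raise ValueError("pcp must be 0..7")
            i += 2
        elif t[i] in ("count", "log"):
            ace[t[i]] = True
            i += 1
        else:
            raise ValueError(f"unknown option: {t[i]}")
    return ace

class MacAcl:
    def __init__(self, name: str) -> None:
        self.name, self.aces, self.hits = name, {}, {}

    def add(self, line: str) -> None:
        """Re-entering an existing sequence number replaces that ACE."""
        ace = parse_ace(line)
        self.aces[ace["seq"]] = ace

    def evaluate(self, frame: Frame) -> Optional[dict]:
        """Lowest matching sequence number wins; None if no ACE matches."""
        for seq in sorted(self.aces):
            a = self.aces[seq]
            if (mac_matches(a["src"], frame.src) and mac_matches(a["dst"], frame.dst)
                    and a["ethertype"] in (None, frame.ethertype)
                    and a["pcp"] in (None, frame.pcp)
                    and a["vlan"] in (None, frame.vlan)):
                if a["count"]:  # the count keyword keeps a hit counter
                    self.hits[seq] = self.hits.get(seq, 0) + 1
                return a
        return None

def build_page_acl() -> MacAcl:
    """The four ACEs entered in the page's first example."""
    acl = MacAcl("MY_MAC_ACL")
    for line in ("10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6",
                 "20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4",
                 "30 permit any any appletalk vlan 40",
                 "40 deny any any any count"):
        acl.add(line)
    return acl
```

Calling build_page_acl().evaluate(Frame(...)) returns the winning ACE as a dict, so a frame from OUI 11:22:33 carrying IPv6 lands on sequence 10, the same source carrying IPv4 falls through to the deny at 40, and re-adding sequence 35 with a different EtherType replaces the earlier entry rather than appending, as in the page's "Replacing an ACE" example.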
Authority
Administrators or local user group members with execution rights for this command.
Usage
When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait-period is over, packets matching other ACL types do not create a log. At the end of the wait-period, the switch creates a summary log of all the ACLs that were matched, regardless of type.
Examples
Creating a MAC ACL with four entries:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 10 permit 1122.3344.5566/ffff.ffff.0000 any ipv6
switch(config-acl-ip)# 20 permit aaaa.bbbb.cccc 1111.2222.3333 any pcp 4
switch(config-acl-ip)# 30 permit any any appletalk vlan 40
switch(config-acl-ip)# 40 deny any any any count
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 40
        40 deny                            any
           any                             any
           Hit-counts: enabled
Adding a comment to an existing MAC ACE:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 30 comment Permit all vlan-40 tagged Appletalk traffic
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 Permit all vlan-40 tagged Appletalk traffic
           permit                          appletalk
           any                             any
           VLAN: 40
        40 deny                            any
           any                             any
           Hit-counts: enabled
Removing a comment from an existing MAC ACE:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-mac)# no 30 comment
switch(config-acl-mac)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        40 deny                            any
           any                             any
           Hit-counts: enabled
Adding an ACE to an existing MAC ACL:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 35 permit any aabb.cc11.1234 0xffee
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        35 permit                          0xffee
           any                             aabb.cc11.1234
        40 deny                            any
           any                             any
           Hit-counts: enabled
Replacing an ACE in an existing MAC ACL:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# 35 permit any aabb.cc11.1234 0xeeee
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        35 permit                          0xeeee
           any                             aabb.cc11.1234
        40 deny                            any
           any                             any
           Hit-counts: enabled
Removing an ACE from a MAC ACL:
switch(config)# access-list mac MY_MAC_ACL
switch(config-acl-ip)# no 35
switch(config-acl-ip)# exit
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL
        10 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
        20 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
        30 permit                          appletalk
           any                             any
           VLAN: 1
        40 deny                            any
           any                             any
           Hit-counts: enabled
Removing a MAC ACL:
switch(config)# no access-list mac MY_MAC_ACL
switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          EtherType
           Source MAC Address              Destination MAC Address
           Additional Parameters
-------------------------------------------------------------------------------
MAC        MY_MAC_ACL2
         1 permit                          ipv6
           1122.3344.5566/ffff.ffff.0000   any
         2 permit                          any
           aaaa.bbbb.cccc                  1111.2222.3333
           QoS Priority Code Point: 4
         3 Permit all vlan-40 tagged Appletalk traffic
           permit                          appletalk
           any                             any
           VLAN: 1
         4 deny                            any
           any                             any
           Hit-counts: enabled