Configuring a Layer 2 ACL
Layer 2 ACLs, also called "Ethernet frame header ACLs," match packets based on Layer 2 Ethernet header fields, such as:
- Source MAC address.
- Destination MAC address.
- 802.1p priority (VLAN priority).
- Link layer protocol type.
- Encapsulation type.
- Inner source MAC address.
- Inner destination MAC address.
- Inner link layer protocol type.
To configure a Layer 2 ACL:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a Layer 2 ACL and enter its view. | acl mac { acl-number \| name acl-name } [ match-order { auto \| config } ], or acl number acl-number [ match-order { auto \| config } ] | By default, no ACLs exist. The value range for a numbered Layer 2 ACL is 4000 to 4999. Use the acl number acl-number or acl mac acl-number command to create a numbered Layer 2 ACL or to enter the view of an existing one. Use the acl mac name acl-name command to enter the view of a named Layer 2 ACL. |
3. (Optional.) Configure a description for the Layer 2 ACL. | description text | By default, a Layer 2 ACL does not have a description. |
4. (Optional.) Set the rule numbering step. | step step-value [ start start-value ] | By default, the rule numbering step is 5 and the start rule ID is 0. |
5. Create or edit a rule. | rule [ rule-id ] { deny \| permit } [ cos dot1p \| counting \| dest-mac dest-address dest-mask \| { lsap lsap-type lsap-type-mask \| type protocol-type protocol-type-mask } \| source-mac source-address source-mask \| time-range time-range-name ] * | By default, no Layer 2 ACL rules exist. For an ACL with the lsap keyword specified to work correctly in a QoS policy or packet filter, the values for the lsap-type and lsap-type-mask arguments must be aaaa and ffff, respectively. |
6. (Optional.) Add or edit a rule comment. | rule rule-id comment text | By default, no rule comment is configured. |
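The following session walks through steps 1 to 6 end to end; it is an added example, not taken from the original guide. It assumes ACL number 4000, a constructed MAC address for the gateway (0000-5e00-0101), the EtherType 0x8863 (PPPoE Discovery), a time range named work-hours that is assumed to be defined elsewhere, and the placeholder prompt Sysname.

```text
<Sysname> system-view
[Sysname] acl mac 4000 match-order config
[Sysname-acl-mac-4000] description Layer 2 filter for user-facing access ports
[Sysname-acl-mac-4000] step 10 start 10
[Sysname-acl-mac-4000] rule deny source-mac 0000-5e00-0101 ffff-ffff-ffff counting
[Sysname-acl-mac-4000] rule 10 comment Drop frames that spoof the gateway MAC as source; counting exposes hits for monitoring
[Sysname-acl-mac-4000] rule deny type 8863 ffff counting
[Sysname-acl-mac-4000] rule 20 comment Drop PPPoE Discovery (EtherType 0x8863) on user ports
[Sysname-acl-mac-4000] rule permit lsap aaaa ffff
[Sysname-acl-mac-4000] rule 30 comment LLC/SNAP frames; lsap must be aaaa ffff for the ACL to work in a packet filter or QoS policy
[Sysname-acl-mac-4000] rule permit cos 5 type 0800 ffff time-range work-hours
[Sysname-acl-mac-4000] rule 40 comment Permit 802.1p priority 5 IPv4 frames only while work-hours is active
[Sysname-acl-mac-4000] quit
```

Because the step is 10 starting at 10, the four rules receive IDs 10, 20, 30 and 40, which the rule comment commands reference; with match-order config the rules are evaluated in that order. The ACL itself filters nothing until it is referenced by a packet filter or QoS policy.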