To create a Media Access Control (MAC) access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
no deny source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
no sequence-number
| Keyword or argument | Description |
|---|---|
| sequence-number | (Optional) Sequence number of the deny command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
| source | Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section. |
| destination | Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section. |
| protocol | (Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For a listing of valid protocol names, see "MAC Protocols" in the "Usage Guidelines" section. |
| cos cos-value | (Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the class of service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. |
| vlan vlan-id | (Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the VLAN ID given in the vlan-id argument. The vlan-id argument can be an integer from 1 to 4094. |
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
This command is available in MAC ACL configuration mode.

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
When the switch applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of two ways: as a MAC address, optionally covering a group of addresses such as all hosts from one vendor, or with the any keyword. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other. For example, the source argument can be the single MAC address 00c0.4f03.0a72, and the destination argument can be all hosts with the MAC vendor code 00603e (the first three bytes of the address).
The protocol argument can be the MAC protocol number or a keyword. A protocol number is a 16-bit EtherType value written in hexadecimal and prefixed with 0x; valid protocol numbers are 0x0 to 0xffff. Valid keywords are the protocol names that the command accepts, for example ip for IPv4.
A typical use is a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses: deny rules that match the ip protocol between the two groups come first, followed by permit rules for the same address pairs without a protocol, so that the deny rules win for IPv4 frames and everything else between the groups falls through to the permit rules.
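The evaluation rules above (first match, lowest sequence number wins, automatic numbering in steps of 10 starting at 10, explicit insertion in the middle of the list) and the mac-ip-filter scenario are illustrated by the following Python simulator. It is an added example, not NX-OS code and not switch output. It assumes details the page does not state: that a source or destination is written either as the keyword any or as an address followed by a mask in dotted hex, where a 1 bit in the mask means the corresponding address bit is ignored (so 0000.0000.0000 selects one host and 0000.00ff.ffff selects a vendor code); that ip is the keyword for EtherType 0x0800 and is the only keyword modelled; and that a frame matching no rule is denied. The address 00c0.4f03.0a72 and the 00603e vendor code are the page's; the other addresses and frames are constructed test input.

```python
"""Simulator of NX-OS-style MAC ACL rule parsing and first-match evaluation.

Added example, not NX-OS code. Assumed (not stated on the page):
  - source/destination is the keyword any or "address mask" in dotted hex,
    where a 1 bit in the mask means "don't care" (wildcard mask)
  - ip is the only protocol keyword modelled (EtherType 0x0800)
  - a frame that matches no rule is denied (implicit deny at the end)
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
PROTOCOL_KEYWORDS = {"ip": 0x0800}        # assumed subset of the CLI keyword list
MAX_SEQ = 4294967295


def mac_to_int(dotted: str) -> int:
    if not MAC_RE.match(dotted):
        raise ValueError(f"bad MAC address {dotted!r}")
    return int(dotted.replace(".", ""), 16)


@dataclass(frozen=True)
class AddrMatch:
    value: int
    wildcard: int                          # 1 bits are ignored when comparing

    def matches(self, mac: int) -> bool:
        return (mac & ~self.wildcard) == (self.value & ~self.wildcard)


ANY = AddrMatch(0, 0xFFFFFFFFFFFF)         # the any keyword: every bit ignored


@dataclass
class Rule:
    seq: int
    action: str
    src: AddrMatch
    dst: AddrMatch
    protocol: Optional[int] = None
    cos: Optional[int] = None
    vlan: Optional[int] = None


def _parse_addr(tokens: List[str]) -> Tuple[AddrMatch, List[str]]:
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return AddrMatch(mac_to_int(tokens[0]), mac_to_int(tokens[1])), tokens[2:]


class MacAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []        # kept in ascending sequence order

    def add(self, line: str) -> int:
        """Parse one permit/deny line as typed in MAC ACL config mode; return its sequence number."""
        tokens = line.split()
        seq = None
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
            if not 1 <= seq <= MAX_SEQ:
                raise ValueError(f"sequence number {seq} out of range")
            if any(r.seq == seq for r in self.rules):
                raise ValueError(f"sequence number {seq} already in use")
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        src, tokens = _parse_addr(tokens)
        dst, tokens = _parse_addr(tokens)
        rule = Rule(0, action, src, dst)
        while tokens:                      # optional protocol, cos, vlan in any order
            tok = tokens.pop(0)
            if tok == "cos":
                rule.cos = int(tokens.pop(0))
                if not 0 <= rule.cos <= 7:
                    raise ValueError("cos must be 0..7")
            elif tok == "vlan":
                rule.vlan = int(tokens.pop(0))
                if not 1 <= rule.vlan <= 4094:
                    raise ValueError("vlan must be 1..4094")
            else:
                rule.protocol = PROTOCOL_KEYWORDS.get(tok)
                if rule.protocol is None:
                    rule.protocol = int(tok, 16)
                if not 0 <= rule.protocol <= 0xFFFF:
                    raise ValueError("protocol must be 0x0..0xffff")
        if seq is None:                    # no number given: append, last + 10 (10 for the first rule)
            seq = self.rules[-1].seq + 10 if self.rules else 10
        rule.seq = seq
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def evaluate(self, src: str, dst: str, ethertype: int,
                 cos: Optional[int] = None, vlan: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, sequence) of the lowest-numbered matching rule, or ("deny", None)."""
        s, d = mac_to_int(src), mac_to_int(dst)
        for r in self.rules:
            if not (r.src.matches(s) and r.dst.matches(d)):
                continue
            if r.protocol is not None and r.protocol != ethertype:
                continue
            if r.cos is not None and r.cos != cos:
                continue
            if r.vlan is not None and r.vlan != vlan:
                continue
            return r.action, r.seq
        return "deny", None                # assumed implicit deny


def build_mac_ip_filter() -> MacAcl:
    """mac-ip-filter: permit any non-IPv4 traffic between the 00c04f and 00603e vendor groups."""
    acl = MacAcl("mac-ip-filter")
    g1, g2 = "00c0.4f00.0000 0000.00ff.ffff", "0060.3e00.0000 0000.00ff.ffff"
    acl.add(f"deny {g1} {g2} ip")          # seq 10
    acl.add(f"deny {g2} {g1} ip")          # seq 20
    acl.add(f"permit {g1} {g2}")           # seq 30
    acl.add(f"permit {g2} {g1}")           # seq 40
    return acl


if __name__ == "__main__":
    acl = build_mac_ip_filter()
    print(acl.evaluate("00c0.4f03.0a72", "0060.3e11.2233", 0x0800))          # ('deny', 10)
    print(acl.evaluate("00c0.4f03.0a72", "0060.3e11.2233", 0x0806))          # ('permit', 30)
    acl.add("5 permit any any cos 7")                                          # inserted ahead of rule 10
    print(acl.evaluate("00c0.4f03.0a72", "0060.3e11.2233", 0x0800, cos=7))   # ('permit', 5)
```

The last three lines of the `__main__` block show why sequence numbers matter for enforcement: a rule inserted with an explicit number lower than the existing deny rules is consulted first, so a later `permit any any` with a low sequence number silently undoes the IPv4 filter for any frame that satisfies it.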
| Command | Description |
|---|---|
| mac access-list | Configures a MAC ACL. |
| permit (MAC) | Configures a permit rule in a MAC ACL. |
| remark | Configures a remark in an ACL. |
| show mac access-list | Displays all MAC ACLs or one MAC ACL. |