permit (MAC)

To create a MAC access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.

[ sequence-number ] permit source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]

no permit source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]

no sequence-number

Syntax Description

sequence-number
(Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.
A sequence number can be any integer between 1 and 4294967295.
By default, the first rule in an ACL has a sequence number of 10.
If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule.
Use the resequence command to reassign sequence numbers to rules.
source
Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.
destination
Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.
protocol
(Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see "MAC Protocols" in the "Usage Guidelines" section.
cos cos-value
(Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7.
vlan vlan-id
(Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the VLAN ID given in the vlan-id argument. The vlan-id argument can be an integer from 1 to 4094.

Command Default

A newly created MAC ACL contains no rules.

If you do not specify a sequence number, the switch assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes

MAC ACL configuration mode

Command History

Release
Modification
4.0(0)N1(1a)
This command was introduced.

Usage Guidelines

When the switch applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.

Source and Destination

You can specify the source and destination arguments in one of two ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:

MAC Protocols

The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:

Examples

This example shows how to configure a MAC ACL named mac-ip-filter with a rule that permits all IPv4 traffic between two groups of MAC addresses:

switch(config)# mac access-list mac-ip-filter
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
switch(config-mac-acl)#
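
The first-match, lowest-sequence-number evaluation described under Usage Guidelines, together with the sequence-number defaults from the Syntax Description, as an added model in Python. This is illustration code, not Cisco's implementation. It assumes the address-plus-wildcard-mask form used in the example above (a mask bit of 1 means the bit is ignored), treats the keyword ip as EtherType 0x0800 because the page's keyword list is absent, and treats a packet that matches no rule as denied, which is NX-OS's implicit deny and is not described on this page. The frame headers in demo() are constructed sample values.

```python
# Added example (not Cisco code): a model of how rules created with permit/deny are
# ordered and evaluated in an NX-OS MAC ACL. Assumed: address + wildcard-mask form as
# in the page's example (mask bit 1 = ignore); keyword "ip" = EtherType 0x0800; a packet
# matching no rule is denied (implicit deny, not covered on this page).
from dataclasses import dataclass
from typing import Optional

MAC_BITS = (1 << 48) - 1
MAX_SEQ = 4294967295
PROTOCOL_KEYWORDS = {"ip": 0x0800}   # assumed; the page's keyword list is not reproduced

def mac_to_int(mac: str) -> int:
    """Parse a dotted-hex MAC such as 00c0.4f00.0000 into a 48-bit integer."""
    digits = mac.replace(".", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)

def parse_protocol(value) -> int:
    """Accept a 0x-prefixed hex number (0x0-0xffff) or a known keyword."""
    if isinstance(value, str):
        value = PROTOCOL_KEYWORDS.get(value.lower(), value)
    proto = int(value, 16) if isinstance(value, str) else int(value)
    if not 0x0 <= proto <= 0xFFFF:
        raise ValueError(f"protocol out of range: {value}")
    return proto

@dataclass
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    src: int
    src_mask: int
    dst: int
    dst_mask: int
    protocol: Optional[int] = None   # None = any protocol
    cos: Optional[int] = None        # None = any CoS value (0-7 when set)
    vlan: Optional[int] = None       # None = any VLAN (1-4094 when set)

    def matches(self, packet: dict) -> bool:
        """True when every condition of the rule is satisfied by the packet."""
        # Wildcard compare: only bits that are 0 in the mask must be equal.
        if (packet["src"] ^ self.src) & ~self.src_mask & MAC_BITS:
            return False
        if (packet["dst"] ^ self.dst) & ~self.dst_mask & MAC_BITS:
            return False
        for field in ("protocol", "cos", "vlan"):
            want = getattr(self, field)
            if want is not None and packet.get(field) != want:
                return False
        return True

class MacAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules: list[Rule] = []   # kept sorted by sequence number

    def add_rule(self, action, source, destination, protocol=None,
                 cos=None, vlan=None, seq=None) -> Rule:
        src, src_mask = (mac_to_int(x) for x in source.split())
        dst, dst_mask = (mac_to_int(x) for x in destination.split())
        if seq is None:
            # No sequence number: append, 10 above the last rule (10 when empty).
            seq = self.rules[-1].seq + 10 if self.rules else 10
        elif not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence number out of range: {seq}")
        elif any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        proto = None if protocol is None else parse_protocol(protocol)
        rule = Rule(seq, action, src, src_mask, dst, dst_mask, proto, cos, vlan)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)   # lowest sequence number first
        return rule

    def evaluate(self, packet: dict):
        """(action, seq) of the first matching rule, else the implicit deny."""
        for rule in self.rules:
            if rule.matches(packet):
                return rule.action, rule.seq
        return "deny", None

def make_packet(src, dst, protocol="ip", cos=None, vlan=None) -> dict:
    """Constructed frame-header fields for the demonstration below."""
    return {"src": mac_to_int(src), "dst": mac_to_int(dst),
            "protocol": parse_protocol(protocol), "cos": cos, "vlan": vlan}

def demo():
    """Rebuild the page's mac-ip-filter example, then insert a deny at sequence 5."""
    acl = MacAcl("mac-ip-filter")
    acl.add_rule("permit", "00c0.4f00.0000 0000.00ff.ffff",
                 "0060.3e00.0000 0000.00ff.ffff", protocol="ip")
    acl.add_rule("deny", "00c0.4f12.3456 0000.0000.0000",   # one exact source host
                 "0000.0000.0000 ffff.ffff.ffff", seq=5)    # to any destination
    dst = "0060.3e01.0203"
    results = {
        "allowed_host": acl.evaluate(make_packet("00c0.4fab.cdef", dst)),
        "blocked_host": acl.evaluate(make_packet("00c0.4f12.3456", dst)),
        "wrong_proto": acl.evaluate(make_packet("00c0.4fab.cdef", dst, "0x86dd")),
        "other_oui": acl.evaluate(make_packet("00c1.4fab.cdef", dst)),
    }
    return [r.seq for r in acl.rules], results
```

Calling demo() rebuilds the mac-ip-filter ACL from the example and then adds a deny rule with sequence number 5. Although that rule is configured after the permit, it sorts ahead of it, so the host it names is denied while other hosts in the 00c0.4f OUI are still permitted; IPv6 frames (0x86dd) and frames from another OUI match no rule and fall through to the implicit deny.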

Related Commands

Command
Description
deny (MAC)
Configures a deny rule in a MAC ACL.
mac access-list
Configures a MAC ACL.
remark
Configures a remark in an ACL.
show mac access-list
Displays all MAC ACLs or one MAC ACL.