This section describes the commands you use to configure MAC ACL settings. MAC ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.
The following rules apply to MAC ACLs:
This command creates a MAC Access Control List (ACL) identified by <name>, consisting of classification fields defined for the Layer 2 header of an Ethernet frame. The <name> parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the MAC access list. If a MAC ACL by this name already exists, this command enters Mac-Access-List config mode to allow updating the existing MAC ACL.
NOTE: The CLI mode changes to Mac-Access-List Config mode when you successfully execute this command.
This command deletes a MAC ACL identified by <name> from the system.
Use this command to remove a specific rule from MAC access control list.
Format: no mac access-list extended <name> rulenum <rule-num>
Mode: Global config
Acceptable values:
This command changes the name of a MAC Access Control List (ACL). The <name> parameter is the name of an existing MAC ACL. The <newname> parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the MAC access list. This command fails if a MAC ACL by the name <newname> already exists.
Note: The <oldname> parameter is the name of an existing MAC ACL.
This command creates a new rule for the current MAC access list. Each rule is appended to the list of configured rules for the list.
NOTE 1: The 'no' form of this command is not supported, since the rules within a MAC ACL cannot be deleted individually. Rather, the entire MAC ACL must be deleted and re-specified.
NOTE 2: An implicit 'deny all' MAC rule always terminates the access list.
A rule may either deny or permit traffic according to the specified classification fields. At a minimum, the source and destination MAC value must be specified, each of which may be substituted using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.
The Ethertype may be specified as either a keyword or a four-digit hexadecimal value from 0x0600-0xFFFF. The currently supported <ethertypekey> values are: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp. Each of these translates into its equivalent Ethertype value(s). The table below shows each Ethertype keyword and its corresponding four-digit hexadecimal value(s).
| Ethertype Keyword | Corresponding Value |
|---|---|
| appletalk | 0x809B |
| arp | 0x0806 |
| ibmsna | 0x80D5 |
| ipv4 | 0x0800 |
| ipv6 | 0x86DD |
| ipx | 0x8037 |
| mplsmcast | 0x8848 |
| mplsucast | 0x8847 |
| netbios | 0x8191 |
| novell | 0x8137, 0x8138 |
| pppoe | 0x8863, 0x8864 |
| rarp | 0x8035 |
The vlan and cos parameters refer to the VLAN identifier and 802.1p user priority fields, respectively, of the VLAN tag. The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed <queue-id> value is 0-(n-1), where n is the number of user configurable queues available for the hardware platform.
NOTE: The special command form {deny | permit} any any is used to match all Ethernet layer 2 packets, and is the equivalent of the IP access list “match every” rule.
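The rule semantics described above (first-match evaluation of appended rules, the `any` keyword, Ethertype keywords translating to one or more hex values, the optional vlan and cos qualifiers, and the implicit 'deny all' at the end of every list) can be checked against a small model. The following Python is an added example written for this page, not the switch vendor's code; the `Frame`, `Rule` and `MacAcl` names, the exact-MAC comparison (no mask syntax) and the restriction of ACL names to letters and digits are assumptions of the model, and the frames built in `main()` are constructed sample data.

```python
"""Toy model of MAC ACL rule evaluation (added example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ethertype keyword table as documented for the mac access-list rule command.
ETHERTYPE_KEYWORDS = {
    "appletalk": {0x809B}, "arp": {0x0806}, "ibmsna": {0x80D5},
    "ipv4": {0x0800}, "ipv6": {0x86DD}, "ipx": {0x8037},
    "mplsmcast": {0x8848}, "mplsucast": {0x8847}, "netbios": {0x8191},
    "novell": {0x8137, 0x8138}, "pppoe": {0x8863, 0x8864}, "rarp": {0x8035},
}


def parse_ethertype(spec: str) -> Set[int]:
    """Translate an <ethertypekey> keyword or a 0x0600-0xFFFF hex value
    into the set of Ethertype values the rule matches."""
    if spec in ETHERTYPE_KEYWORDS:
        return ETHERTYPE_KEYWORDS[spec]
    value = int(spec, 16)
    if not 0x0600 <= value <= 0xFFFF:
        raise ValueError(f"Ethertype {spec} is outside 0x0600-0xFFFF")
    return {value}


@dataclass
class Frame:
    """Layer 2 header fields of one Ethernet frame (constructed input)."""
    src: str
    dst: str
    ethertype: int
    vlan: Optional[int] = None   # VLAN ID from the 802.1Q tag, None if untagged
    cos: Optional[int] = None    # 802.1p user priority from the tag


@dataclass
class Rule:
    """One {deny | permit} rule. src/dst are MAC strings or the keyword 'any'.
    Assumption: exact MAC comparison; mask syntax is not modelled."""
    action: str
    src: str
    dst: str
    ethertype: Optional[str] = None   # keyword or hex string, None = any
    vlan: Optional[int] = None
    cos: Optional[int] = None

    def matches(self, frame: Frame) -> bool:
        if self.src != "any" and self.src.lower() != frame.src.lower():
            return False
        if self.dst != "any" and self.dst.lower() != frame.dst.lower():
            return False
        if self.ethertype is not None and frame.ethertype not in parse_ethertype(self.ethertype):
            return False
        if self.vlan is not None and frame.vlan != self.vlan:
            return False
        if self.cos is not None and frame.cos != self.cos:
            return False
        return True


class MacAcl:
    """Ordered rule list: rules are appended and evaluated first-match."""

    def __init__(self, name: str):
        # Page: 1-31 case-sensitive alphanumeric characters (assumed: letters/digits only).
        if not 1 <= len(name) <= 31 or not name.isalnum():
            raise ValueError("ACL name must be 1-31 alphanumeric characters")
        self.name = name
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def evaluate(self, frame: Frame) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching rule). A frame matching no
        rule falls through to the implicit 'deny all' (index None)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(frame):
                return rule.action, index
        return "deny", None


def main() -> None:
    acl = MacAcl("guest")
    acl.add_rule(Rule("permit", "any", "any", "arp"))               # let ARP through
    acl.add_rule(Rule("deny", "00:11:22:33:44:55", "any"))          # block one station
    acl.add_rule(Rule("permit", "any", "any", "ipv4", vlan=10))     # IPv4 only on VLAN 10
    for frame in (Frame("aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", 0x0806),
                  Frame("00:11:22:33:44:55", "aa:bb:cc:00:00:02", 0x0800, vlan=10),
                  Frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", 0x0800, vlan=20)):
        print(frame, "->", acl.evaluate(frame))


if __name__ == "__main__":
    main()
```

The third constructed frame (IPv4 on VLAN 20) matches none of the three rules and is denied by the implicit terminating rule, which is the behaviour an operator has to keep in mind when a list contains only permit rules for specific traffic.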
This command attaches a specific MAC Access Control List (ACL) identified by <name> to an interface in a given direction. The <name> parameter must be the name of an existing MAC ACL. An optional sequence number may be specified to indicate the order of this mac access list relative to other mac access lists already assigned to this interface and direction. A lower number indicates higher precedence order. If a sequence number is already in use for this interface and direction, the specified mac access list replaces the currently attached mac access list using that sequence number. If the sequence number is not specified for this command, a sequence number that is one greater than the highest sequence number currently in use for this interface and direction is used.
When specified in 'Interface Config' mode, this command affects only a single interface, whereas the 'Global Config' mode setting is applied to all interfaces. The 'Interface Config' mode command is only available on platforms that support independent per-port class of service queue configuration.
This command removes a MAC ACL identified by <name> from the interface in a given direction.
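The attachment rules in the three paragraphs above (sequence numbers ordering several MAC ACLs on one interface and direction, a lower number taking precedence, an explicit sequence number replacing whatever is already bound at that number, an omitted sequence number becoming one greater than the highest in use, Global Config applying the same binding to every interface, and the 'no' form removing a binding) are modelled below. This Python is an added example written for this page, not the vendor's implementation; the `InterfaceAclBindings` class, the `attach_all` helper and the assumption that the first attachment on an empty direction receives sequence number 1 are not from the manual.

```python
"""Model of per-interface MAC ACL attachment order (added example, not vendor code)."""
from typing import Dict, Iterable, List, Optional, Tuple


class InterfaceAclBindings:
    """MAC ACLs attached to one interface, per direction, keyed by sequence
    number. A lower sequence number means higher precedence."""

    def __init__(self, interface: str):
        self.interface = interface
        # direction ("in" / "out") -> {sequence number -> ACL name}
        self._bindings: Dict[str, Dict[int, str]] = {}

    def attach(self, acl_name: str, direction: str,
               seqnum: Optional[int] = None) -> Tuple[int, Optional[str]]:
        """Interface Config form. Without seqnum, use one greater than the
        highest sequence number in use for this direction (assumption: an
        empty direction starts at 1). Returns (sequence number used,
        name of the ACL that was replaced at that number, or None)."""
        table = self._bindings.setdefault(direction, {})
        if seqnum is None:
            seqnum = max(table, default=0) + 1
        elif seqnum < 1:
            raise ValueError("sequence number must be positive")
        replaced = table.get(seqnum)
        table[seqnum] = acl_name
        return seqnum, replaced

    def detach(self, acl_name: str, direction: str) -> bool:
        """'no' form: remove acl_name from this direction. True if it was bound."""
        table = self._bindings.get(direction, {})
        for seq, name in list(table.items()):
            if name == acl_name:
                del table[seq]
                return True
        return False

    def precedence(self, direction: str) -> List[Tuple[int, str]]:
        """Bound ACLs in the order they take effect, highest precedence first."""
        return sorted(self._bindings.get(direction, {}).items())


def attach_all(interfaces: Iterable[InterfaceAclBindings], acl_name: str,
               direction: str, seqnum: Optional[int] = None) -> Dict[str, int]:
    """Global Config form: apply the same binding to every interface.
    Returns {interface name -> sequence number used on that interface}."""
    return {port.interface: port.attach(acl_name, direction, seqnum)[0]
            for port in interfaces}


if __name__ == "__main__":
    port = InterfaceAclBindings("0/1")
    print(port.attach("blockarp", "in"))      # (1, None)
    print(port.attach("mgmt", "in"))          # (2, None)
    print(port.attach("guest", "in", 1))      # (1, 'blockarp'): replaced at seq 1
    print(port.precedence("in"))              # [(1, 'guest'), (2, 'mgmt')]
    print(attach_all([port, InterfaceAclBindings("0/2")], "mgmt", "out"))
```

Note that replacing at an explicit sequence number silently drops the previously bound list, so re-issuing the command with a number already in use changes which traffic is filtered without any 'no' command being run.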
This command displays a MAC access list and all of the rules that are defined for the MAC ACL. Use the [name] parameter to identify a specific MAC ACL to display.
The display parameters for the above command are: