permit — configures a filter to forward packets.
Extended MAC ACL Commands
When an access-list is created without any rule and then applied to an interface, ACL behavior reflects
implicit permit. The following commands configure Extended MAC ACLs.
The MXL 10/40GbE Switch IO Module platform supports both Ingress and Egress MAC ACLs.
deny
To drop packets that match the filter criteria, configure a filter.
Syntax
deny {any | host mac-address | mac-source-address mac-source-address-mask} {any | host mac-address | mac-destination-address mac-destination-address-mask} [ethertype-operator] [count [byte]]
To remove this filter, you have two choices:
• Use the no seq sequence-number command if you know the filter’s sequence number.
• Use the no deny {any | host mac-address | mac-source-address mac-source-address-mask} {any | host mac-address | mac-destination-address mac-destination-address-mask} command.
Parameters
any
    Enter the keyword any to drop all packets.
host mac-address
    Enter the keyword host and then enter a MAC address to drop packets with that host address.
mac-source-address
    Enter a MAC address in nn:nn:nn:nn:nn:nn format.
mac-source-address-mask
    Specify which bits in the MAC address must match. The MAC ACL supports an inverse mask; therefore, a mask of ff:ff:ff:ff:ff:ff allows entries that do not match and a mask of 00:00:00:00:00:00 only allows entries that match exactly.
mac-destination-address
    Enter the destination MAC address and mask in nn:nn:nn:nn:nn:nn format.
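
The inverse-mask rule above is easy to read backwards, so here is an added example (not from the switch documentation or its vendor) that models it in Python and evaluates a small, constructed rule list. The function names, the rule tuples and the sample addresses are assumptions made for illustration; they are not switch syntax.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")
ALL_BITS = 0xFFFFFFFFFFFF  # 48 bits

def mac_to_int(mac: str) -> int:
    """Parse a MAC in nn:nn:nn:nn:nn:nn format into a 48-bit integer."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not in nn:nn:nn:nn:nn:nn format: {mac!r}")
    return int(mac.replace(":", ""), 16)

def field_matches(spec, mac: str) -> bool:
    """spec is 'any', ('host', mac) or (address, inverse_mask)."""
    if spec == "any":
        return True
    first, second = spec
    if first == "host":
        return mac_to_int(second) == mac_to_int(mac)
    # Inverse mask: a 1 bit means "ignore this bit", a 0 bit means "must match".
    care = ~mac_to_int(second) & ALL_BITS
    return (mac_to_int(first) & care) == (mac_to_int(mac) & care)

def evaluate(acl, src: str, dst: str):
    """Return the action of the first rule whose source and destination match.

    An ACL with no rules yields 'permit' (the implicit permit the page
    describes). When rules exist but none match, None is returned, because
    the page does not state the switch's behaviour for that case.
    """
    if not acl:
        return "permit"
    for action, src_spec, dst_spec in acl:
        if field_matches(src_spec, src) and field_matches(dst_spec, dst):
            return action
    return None

# Constructed sample rules: (action, source spec, destination spec).
SAMPLE_ACL = [
    # Mask 00:00:00:ff:ff:ff: first three bytes must match, last three ignored.
    ("deny", ("00:1e:c9:00:00:00", "00:00:00:ff:ff:ff"), "any"),
    ("deny", ("host", "00:00:5e:00:53:01"), ("host", "00:00:5e:00:53:02")),
    ("permit", "any", "any"),
]

if __name__ == "__main__":
    for src in ("00:1e:c9:12:34:56", "00:1e:ca:12:34:56", "00:00:5e:00:53:01"):
        print(src, "->", evaluate(SAMPLE_ACL, src, "00:00:5e:00:53:02"))
```
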
Access Control Lists (ACL)