Foundry NetIron M2404C and M2404F Metro Access Switches
Configuring ACLs (Rev. 03)
Overview
© 2008 Foundry Networks, Inc
Page 27 of 50
| Argument | Description |
|---|---|
| acl-number | Number used to identify the ACL. Valid values are in the range <400-499>. |
| SOURCE-MAC | MAC address of the source from which the packet is sent. The source MAC address can be specified in either of two ways: (1) in HH:HH:HH:HH:HH:HH notation, or (2) with the keyword any, which represents all MAC addresses. |
| SOURCE-WILDCARD | Source MAC address mask value in HH:HH:HH:HH:HH:HH notation. |
| DESTINATION-MAC | MAC address of the destination to which the packet is sent. The destination MAC address can be specified in either of two ways: (1) in HH:HH:HH:HH:HH:HH notation, or (2) with the keyword any, which represents all MAC addresses. |
| DESTINATION-WILDCARD | Destination MAC address mask value in HH:HH:HH:HH:HH:HH notation. |
| tos <tos> | (Optional). Packets can be filtered by type of service level, specified either as a number from 0 to 15 or as one of the valid literal ToS values (see Table 7 for valid literal values). |
| precedence <precedence> | (Optional). Packets can be filtered by precedence level, specified either as a number from 0 to 7 or as one of the valid literal Precedence values (see Table 6 for valid literal values). |
| vpt <priority> | (Optional). The VLAN Priority Tag (VPT) in the VLAN tag header. Priority values range from 0 to 7. |
| provider-vpt <priority> | (Optional). Specifies the VLAN Priority Tag (VPT) in the provider VLAN tag header, in the range <0-7>. The provider-vpt option is applied to the TLS uplink interface in order to match the external VLAN priority tag. |
| vlan <vlan-id> | (Optional). Specifies the VLAN mask, in the range <1-4093>. |
| provider-vlan <vlan-id> | (Optional). Specifies the provider VLAN identifier, in the range <1-4093>. The provider-vlan option is applied to the TLS uplink interface in order to match the external VLAN. |
| wildcard mask | (Optional). Specifies the VLAN mask in hexadecimal format. |
| untagged | (Optional). Enables matching only on untagged frames. When the untagged option is not specified, all tagged and untagged frames are matched. |
| unknown-unicast | (Optional). Matches unknown traffic. When an unknown-unicast packet matches any of the MAC filters defined on the system, the packet is forwarded and ACL processing stops. When the packet matches no filter, the system drops the packet by default. To configure the system to permit packets by default, the user must define the last MAC filter in the filter list to allow all packets. Note that because of a hardware limitation, broadcast traffic also matches a MAC access list rule that contains the unknown-unicast option. To prevent this matching, an additional rule or access list is needed that explicitly permits or denies the broadcast traffic. |
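As an added example (not Foundry's code), a small Python model of the matching behaviour this table describes: wildcard-masked source and destination comparison, first-match-wins with an implicit drop when no filter matches, and the hardware caveat that broadcast frames also match rules carrying the unknown-unicast option. It assumes that a 1 bit in a wildcard means "do not care" and that the caller already knows whether a frame's destination is unknown to the switch; the MAC addresses and rules are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
def mac_to_int(mac: str) -> int:
    """Parse HH:HH:HH:HH:HH:HH notation into a 48-bit integer."""
    return int(mac.replace(":", ""), 16)

def mac_matches(pattern: str, wildcard: str, mac: str) -> bool:
    """'any' matches all; otherwise compare only bits the wildcard leaves 0
    (assumption: a 1 bit in the wildcard means 'do not care')."""
    if pattern == "any":
        return True
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(pattern) & care) == (mac_to_int(mac) & care)

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "any"
    src_wild: str = "00:00:00:00:00:00"
    dst: str = "any"
    dst_wild: str = "00:00:00:00:00:00"
    vlan: Optional[int] = None       # None = option not specified
    unknown_unicast: bool = False
@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None
    unknown_unicast: bool = False    # destination not learned by the switch
def evaluate(acl: list[Rule], frame: Frame) -> str:
    """First matching rule wins; with no match the frame is dropped by default."""
    for r in acl:
        if not (mac_matches(r.src, r.src_wild, frame.src)
                and mac_matches(r.dst, r.dst_wild, frame.dst)):
            continue
        if r.vlan is not None and r.vlan != frame.vlan:
            continue
        # Hardware caveat from the text: broadcast also hits unknown-unicast rules.
        if r.unknown_unicast and not (frame.unknown_unicast or frame.dst == BROADCAST):
            continue
        return r.action
    return "deny"

# Constructed sample: drop unknown unicast, permit the rest; ACL_FIXED adds the
# explicit broadcast rule the text calls for, ahead of the unknown-unicast rule.
ACL_NAIVE = [Rule("deny", unknown_unicast=True), Rule("permit")]
ACL_FIXED = [Rule("permit", dst=BROADCAST)] + ACL_NAIVE
ARP_BROADCAST = Frame(src="00:11:22:33:44:55", dst=BROADCAST, vlan=10)
```

Running evaluate(ACL_NAIVE, ARP_BROADCAST) shows the broadcast frame being denied by the unknown-unicast rule, while ACL_FIXED permits it because the explicit broadcast rule is evaluated first.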