Example
The following example shows how to create a MAC ACL with permit rules.
Console(config)# mac access-list macl-acl1
Console(config-mac-al)# permit 06:a6 00:00:00:00:00:00 any vlan 6
deny (MAC)
The deny MAC-Access List Configuration mode command denies traffic if the conditions defined in the
deny statement match.
Syntax
deny [disable-port] {any|{source source- wildcard} {any|{ destination destination- wildcard}} [vlan
•
vlan-id] [cos cos cos-wildcard] [ethtype eth-type]
•
disable-port — Indicates that the port is disabled if the condition is matched.
•
source — Specifies the MAC address of the host from which the packet was sent.
•
source-wildcard — Specifies wildcard bits to the source MAC address by placing 1s in bit positions
to be ignored.
•
any — Specify a MAC address and mask. For example, to set 00:00:00:00:10:XX use the Mac
address 00:00:00:00:10:00 and mask 00:00:00:00:00:FF.
•
destination — Specifies the MAC address of the host to which the packet is being sent.
•
destination-wildcard — Specifies wildcard bits to the destination MAC address by placing 1s in bit
positions to be ignored.
•
vlan-id — Specifies the vlan id of the packet. (Range: 1 - 4094)
•
cos — Specifies the packets's Class of Service (CoS). (Range: 0 - 7)
•
cos-wildcard — Specifies wildcard bits to be applied to the CoS.
•
eth-type — Specifies the packet's Ethernet type in hexadecimal format. (0 - 05dd-ffff {hex})
Default Configuration
No MAC access list is defined.
Command Mode
MAC-Access List Configuration mode.
User Guidelines
•
MAC BPDU packets cannot be denied.
•
Each MAC address in the ACL is a ACE (Access Control Element) and can only be removed by deleting
the ACL using the no ip access-list Global Configuration mode command or the Web-based interface.
97
ACL Commands