16-6
Motorola RF Switch CLI Reference Guide
Usage Guidelines
The deny command disallows traffic based on layer 2 (data-link layer) data. The MAC
access list denies traffic from a particular source MAC address or any MAC address. It can
also disallow traffic from a list of MAC addresses based on the source mask.
The MAC access list can disallow traffic based on the VLAN and ethertype.
The most common ethertypes are:
• arp
• wisp
• ip
• 802.1q
The last ACE in the access list is an implicit deny statement.
Whenever the interface receives the packet, its content is checked against all the ACEs in
the ACL. It is allowed/denied based on the ACL configuration.
16.1.2.1 Example - Denying Traffic from any MAC Address
The MAC ACL (in the example below) denies traffic from any source MAC address to a
particular host MAC address:
RFSwitch(config-ext-macl)#deny any host 00:01:ae:00:22:11
RFSwitch(config-ext-macl)#
16.1.2.2 Example - Denying dot1q Tagged Traffic
The MAC ACL (in the example below) denies dot1q tagged traffic from VLAN interface 5:
RFSwitch(config-ext-macl)#deny any any vlan 5 type 8021q
RFSwitch(config-ext-macl)#
16.1.2.3 Example - Denying Traffic Between Two MAC Based Hosts
The example below denies traffic between two hosts based on MAC addresses:
RFSwitch(config-ext-macl)#deny host 01:02:fe:45:76:89 host
01:02:89:78:78:45
RFSwitch(config-ext-macl)#
NOTE: MAC ACL always takes precedence over IP based ACL's.