NETGEAR S3300 User Manual page 275

Note: To create a new MAC ACL, use the MAC ACL screen. See
on page 274.

To add rules to a MAC ACL:
1. Select Security > ACL > Basic > MAC Rules.
2. From the ACL Name list, select the MAC ACL for which to create or update a rule.
3. In the Sequence Number field, specify ID for the rule.
4. Configure the ACL rule criteria by selecting options or specifying values as follows:
• Action. Specify what action should be taken if a packet matches the rule's criteria:
- Permit. Forwards packets that meet the ACL criteria.
- Deny. Drops packets that meet the ACL criteria.
• Assign Queue. Specifies the hardware egress queue identifier used to handle all
packets matching this ACL rule. Enter an identifying number from 0–7 in this field.
• Mirror Interface. Specifies the specific egress interface to which the matching traffic
stream must be copied, in addition to being forwarded normally by the switch. This
field cannot be set if a redirect interface is already configured for the ACL rule. This
field is visible for a Permit action.
• Redirect Interface. Specifies the specific egress interface where the matching traffic
stream is forced, bypassing any forwarding decision normally performed by the
device.
• Match Every. Requires a packet to match the criteria of this ACL. Select True or
False from the drop-down menu. Match Every is exclusive to the other filtering rules,
so if Match Every is True, the other rules on the screen are not available.
• CoS. Requires a packet's class of service (CoS) to match the CoS value listed here.
Enter a CoS value between 0–7 to apply this criteria.
• Destination MAC. Requires an Ethernet frame's destination port MAC address to
match the address listed here. Enter a MAC address in this field. The valid format is
xx:xx:xx:xx:xx:xx.
• Destination MAC Mask. If desired, enter the MAC Mask associated with the
Destination MAC to match. The MAC address mask specifies which bits in the
destination MAC to compare against an Ethernet frame. Use Fs and zeros in the MAC
mask, which is in a wildcard format. An F means that the bit is not checked, and a
zero in a bit position means that the data must equal the value given for that bit. For
example, if the MAC address is aa:bb:cc:dd:ee:ff, and the mask is 00:00:ff:ff:ff:ff, all
MAC addresses with aa:bb:xx:xx:xx:xx result in a match (where x is any hexadecimal
number). A MAC mask of 00:00:00:00:00:00 matches a single MAC address.
• EtherType Key. Requires a packet's EtherType to match the EtherType you select.
Select the EtherType value from the drop-down menu. If you select User Value, you
can enter a custom EtherType value.
S3300 Smart Managed Pro Switch
Managing Device Security
275
MAC ACL