This command creates a new rule for the current MAC access list. A rule may either deny or permit traffic according to the specified classification fields. At a minimum, the source and destination MAC value must be specified, each of which may be substituted using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.
| Format | [sequence-number] {deny|permit} {srcmac| any} {dstmac | any} [ethertypekey | 0x0600-0xFFFF] [vlan {eq 0-4095}] [cos 0-7] [[log] [time-range time-range-name] [assign-queue queue-id]] [{mirror | redirect} unit/slot/port][rate-limit rate burst-size] [sflow-remote-agent] |
| Mode | Mac-Access-List Config |
The sequence-number specifies the sequence number for the ACL rule. The sequence number is specified by the user or is generated by device.
If a sequence number is not specified for the rule, a sequence number that is 10 greater than the last sequence number in ACL is used and this rule is placed in the end of the list. If this is the first ACL rule in the given ACL, a sequence number of 10 is assigned. If the calculated sequence number exceeds the maximum sequence number value, the ACL rule creation fails. A rule cannot be created that duplicates an already existing one and a rule cannot be configured with a sequence number that is already used for another rule.
For example, if user adds new ACL rule to ACL without specifying a sequence number, it is placed at the bottom of the list. By changing the sequence number, the user can move the ACL rule to a different position in the ACL.
The Ethertype may be specified as either a keyword or a four-digit hexadecimal value from 0x0600-0xFFFF. The currently supported ethertypekey values are: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp. Each of these translates into its equivalent Ethertype value(s).
| Ethertype Keyword | Corresponding Value |
|---|---|
| appletalk | 0x809B |
| arp | 0x0806 |
| ibmsna | 0x80D5 |
| ipv4 | 0x0800 |
| ipv6 | 0x86DD |
| ipx | 0x8037 |
| mplsmcast | 0x8848 |
| mplsucast | 0x8847 |
| netbios | 0x8191 |
| novell | 0x8137, 0x8138 |
| pppoe | 0x8863, 0x8864 |
| rarp | 0x8035 |
The vlan and cos parameters refer to the VLAN identifier and 802.1p user priority fields, respectively, of the VLAN tag. For packets containing a double VLAN tag, this is the first (or outer) tag.
The time-range parameter allows imposing time limitation on the MAC ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with specified name exists and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied when the time- range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. For information about configuring time ranges, see Time Range Commands for Time-Based ACLs.
The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed queue-id value is 0-(n-1), where n is the number of user configurable queues available for the hardware platform. The assign-queue parameter is valid only for a permitrule.
Note the following:
- The special command form {deny | permit} any any is used to match all Ethernet layer 2 packets, and is the equivalent of the IP access list "match every" rule.
The permit command's optional attribute rate-limit allows you to permit only the allowed rate of traffic as per the configured rate in Kb/s, and burst-size in kbytes.
The sflow-remote-agent parameter configures the sFlow sampling action. This action, if configured, copies the packet matching the rule to the remote sFlow agent.
Example: The following shows an example of the command.
(Routing) (Config)#mac access-list extended mac1 (Routing) (Config-mac-access-list)#permit 00:00:00:00:aa:bb ff:ff:ff:ff:00:00 any rate-limit 32 16 (Routing) (Config-mac-access-list)#exit
