Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

261

262

263

264

265

266

267

268

269

270

Use the monitor option only when you are using flow-based monitoring. For more information, refer to the Port

Monitoring chapter in the C9000 Series Configuration Guide.

NOTE: When ACL logging and byte counters are configured simultaneously, byte counters may

display an incorrect value. Configure packet counters with logging instead.

Commands

deny — configures a filter to drop packets.

permit — configures a filter to forward packets.

Extended MAC ACL Commands

The following commands configure Extended MAC ACLs. The C9000 supports both Ingress and Egress MAC ACLs.

When an access-list is created without any rule and then applied to an interface, ACL behavior reflects implicit permit.

NOTE: For more information, also refer to the Commands Common to all ACL Types and Common MAC Access List

Commands sections.

deny

To drop packets that match the filter criteria, configure a filter.

C9000 Series

Syntax

deny {any | host mac-address | mac-source-address mac-source-address-mask} {any

| host mac-address | mac-destination-address mac-destination-address-mask}

[ethertype-operator] [count [byte]] [log [interval minutes] [threshold-in-msgs

[count]] [monitor]

To remove this filter, you have two choices:

• Use the no seq sequence-number command if you know the filter’s sequence number.

• Use the no deny {any | host mac-address | mac-source-address mac-source-

address-mask} {any | host mac-address | mac-destination-address mac-

destination-address-mask} command.

Parameters

any Enter the keyword any to drop all packets.

host

mac-address

Enter the keyword host and then enter a MAC address to drop packets with that host

address.

mac-source-

address

Enter a MAC address in nn:nn:nn:nn:nn:nn format.

mac-source-

address-mask

Specify which bits in the MAC address must match.

The MAC ACL supports an inverse mask; therefore, a mask of ff:ff:ff:ff:ff:ff allows entries

that do not match and a mask of 00:00:00:00:00:00 only allows entries that match

exactly.

mac-destination-

address

Enter the destination MAC address and mask in nn:nn:nn:nn:nn:nn format.

mac-destination-

address-mask

Specify which bits in the MAC address must match.

The MAC ACL supports an inverse mask; therefore, a mask of ff:ff:ff:ff:ff:ff allows entries

that do not match and a mask of 00:00:00:00:00:00 only allows entries that match

exactly.

ethertype

operator

(OPTIONAL) To filter based on protocol type, enter one of the following Ethertypes:

• ev2 - is the Ethernet II frame format

• llc - is the IEEE 802.3 frame format

• snap - is the IEEE 802.3 SNAP frame format

Access Control Lists (ACL) 263