Reference Guide
Usage Information
When you use the log option, the CP processor logs detail the packets that match.
Depending on how many packets match the log entry and at what rate, the CP
may become busy as it has to log these packet details.
By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
The default frequency at which ACL logs are generated is five minutes. By default,
flow-based monitoring is not enabled.
Use the monitor option only when you are using flow-based monitoring. For
more information, refer to the Port Monitoring chapter in the C9000 Series
Configuration Guide.
NOTE: When ACL logging and byte counters are configured simultaneously,
byte counters may display an incorrect value. Configure packet counters with
logging instead.
Related
Commands
deny — configures a filter to drop packets.
permit — configures a filter to forward packets.
Extended MAC ACL Commands
The following commands configure Extended MAC ACLs. The C9000 supports both Ingress and Egress
MAC ACLs.
When an access-list is created without any rule and then applied to an interface, ACL behavior reflects
implicit permit.
NOTE: For more information, also refer to the Commands Common to all ACL Types and Common
MAC Access List Commands sections.
deny
To drop packets that match the filter criteria, configure a filter.
C9000 Series
Syntax
deny {any | host mac-address | mac-source-address mac-source-
address-mask} {any | host mac-address | mac-destination-address
mac-destination-address-mask} [ethertype-operator] [count
[byte]] [log [interval minutes] [threshold-in-msgs [count]]
[monitor]
To remove this filter, you have two choices:
• Use the no seq sequence-number command if you know the filter’s
sequence number.
Access Control Lists (ACL)
319