mac
Commands for ACL
Note: when an ACL has multiple rules, traffic-statistic cannot be configured.
There are four kinds of ACL, according to the packet header fields concerned: MAC ACL,
IP ACL, MAC-IP ACL and IPv6 ACL. The ACL filter actions (permit, deny) can conflict
when a data packet matches more than one of the four ACL types. A strict priority is
specified for each ACL type based on outcome veracity; when the filter actions conflict,
this priority determines the final filtering behavior for the packet.
When binding an ACL to a port, the following limits apply:
1. Each port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL;
2. When four ACLs are bound and a data packet matches several of them simultaneously,
the priority from high to low is as shown below:
Ingress IPv6 ACL
Ingress MAC-IP ACL
Ingress MAC ACL
Ingress IP ACL
Example: Bind the access-list AAA to the ingress direction of the port.
Switch(Config-If-Ethernet1/5)#ip access-group aaa in
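The binding limit and priority order described above can be modelled to check which ACL decides a packet's fate when several bound ACLs match. This is an added example, not code from the switch or its vendor; the Acl and Port classes, the packet fields, the sample addresses and the first-matching-rule behavior inside an ACL are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Ingress priority, high to low, as listed in the text above.
PRIORITY = ("ipv6", "mac-ip", "mac", "ip")

@dataclass
class Acl:
    name: str
    kind: str
    rules: list  # (predicate, "permit" | "deny") pairs

    def verdict(self, pkt):
        # Assumption: the first rule whose predicate matches decides.
        for matches, action in self.rules:
            if matches(pkt):
                return action
        return None  # packet does not match this ACL

@dataclass
class Port:
    bound: dict = field(default_factory=dict)

    def bind(self, acl):
        if acl.kind not in PRIORITY:
            raise ValueError(f"unknown ACL type: {acl.kind}")
        if acl.kind in self.bound:  # limit 1: one ACL of each type per port
            raise ValueError(f"port already has a {acl.kind} ACL bound")
        self.bound[acl.kind] = acl

    def resolve(self, pkt):
        """Return (action, acl_name) from the highest-priority matching ACL."""
        for kind in PRIORITY:
            acl = self.bound.get(kind)
            action = acl.verdict(pkt) if acl else None
            if action is not None:
                return action, acl.name
        return None, None  # no bound ACL matched; the page states no default

# Constructed sample: the MAC ACL denies one host, the IP ACL permits its subnet.
LAN = ipaddress.ip_network("10.0.0.0/24")
mac_acl = Acl("mac_acl", "mac", [(lambda p: p["src_mac"] == "00-11-22-33-44-55", "deny")])
aaa = Acl("aaa", "ip", [(lambda p: ipaddress.ip_address(p["src_ip"]) in LAN, "permit")])

def demo():
    port = Port()
    port.bind(mac_acl)
    port.bind(aaa)
    both = {"src_mac": "00-11-22-33-44-55", "src_ip": "10.0.0.7"}
    ip_only = {"src_mac": "00-aa-bb-cc-dd-ee", "src_ip": "10.0.0.8"}
    return port.resolve(both), port.resolve(ip_only)
```

The first packet matches both ACLs with conflicting actions, and the MAC ACL wins because it ranks above the IP ACL; the second matches only the IP ACL.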
36.18 {ip|ipv6|mac|mac-ip} access-group (Interface Mode)
This command is not supported by switch.
36.19 mac access extended
Command: mac-access-list extended <name>
no mac-access-list extended <name>
Functions: Define a named MAC ACL or enter access-list configuration mode; the
“no mac-access-list extended <name>” command deletes this ACL.
Parameters: <name> is the name of the access-list. It cannot contain blanks or
quotation marks, it must start with a letter, and its length cannot exceed 32.
(Remark: the name is case-sensitive.)
Command Mode: Global mode
Default Configuration: No access-lists configured.
Usage Guide: The first time this command is issued, only an empty named
access-list is created, with no list items included.
Examples: Create a MAC ACL named mac_acl.
Switch(config)# mac-access-list extended mac_acl










