mac
Commands for Self-defined ACL
standard self-defined ACL.
Parameter: <num> is the access-list number, from 1200 to 1299 in decimal notation;
deny denies access if the rule matches; permit permits access if the rule matches;
<any-source-mac> is any source address; <any-destination-mac> is any destination
address; <host_smac>, <smac> are the source MAC address; <smac-mask> is the mask
(reverse mask) of the source MAC address; <host_dmac>, <dmac> are the destination
MAC address; <dmac-mask> is the mask (reverse mask) of the destination MAC address;
untagged-eth2 is the untagged Ethernet II packet format; tagged-eth2 is the tagged
Ethernet II packet format; untagged-802-3 is the untagged Ethernet 802.3 packet
format; tagged-802-3 is the tagged Ethernet 802.3 packet format. cos and vlanId can
be configured when tagged-eth2 or tagged-802-3 is configured. cos can be configured
with <value> alone, range 0-7, to match a single value; it can also be configured
with <mask>, range 0-7, to match multiple cos values together with <value>. vlanId
can be configured with <value> alone, range 1-4095, to match a single value; it can
also be configured with <mask>, range 0-4094, to match multiple vlanId values
together with <value>. The <value> and <mask> of every window are 2 bytes long, in
hexadecimal notation.
Command Mode: Global Mode
Default: No access-list is configured.
Usage Guide: When a <num> is specified for the first time, the ACL with this serial
number is created, and then the entry is added to this ACL.
Example: Permit tagged-eth2 packets of any source MAC address and any destination MAC
address. Permit the packets whose first and second bytes from the start of l3 are
0x4501. Permit the packets whose fourth byte from the start of l4 is 0xFF.
Switch(config)#userdefined-access-list standard offset window1 l3 0 window2 l4 1
Switch(config)#userdefined-access-list standard 1200 permit any-source-mac any-destination-mac tagged-eth2 window1 4501 FFFF window2 00FF 00FF
Configure a rule in the same list to deny untagged-eth2 packets of any source MAC
address and any destination MAC address. Permit the packets whose fifth and sixth
bytes from the start of l3 are 0xFFAA.
Switch(config)#userdefined-access-list standard offset window3 l3 2
Switch(config)#userdefined-access-list standard 1200 deny any-source-mac any-destination-mac untagged-eth2 window3 FFAA FFFF
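The window matching used in the two example rules above, modelled in Python as an added example (not code from this manual or the switch vendor). It assumes, from the manual's own examples, that window offsets count 2-byte units and that a mask bit of 1 means the bit is compared; locating l3 and l4 by parsing IPv4 only (no LLC/SNAP handling) is also an assumption, and the sample frames are constructed.

```python
import struct

# Window offsets from the manual's examples: name -> (layer, offset).
# Assumption: the offset counts 2-byte units from the start of the layer.
WINDOWS = {"window1": ("l3", 0), "window2": ("l4", 1), "window3": ("l3", 2)}

def parse_frame(frame: bytes):
    """Classify the frame format and slice out the l3 and l4 bytes."""
    tagged = frame[12:14] == b"\x81\x00"      # 802.1Q TPID present
    type_off = 16 if tagged else 12           # type/length field position
    etype = struct.unpack_from("!H", frame, type_off)[0]
    kind = ("tagged-" if tagged else "untagged-") + \
           ("eth2" if etype >= 0x0600 else "802-3")
    l3 = frame[type_off + 2:]
    # Assumption: l4 is found via the IPv4 header length (IHL) only.
    l4 = l3[(l3[0] & 0x0F) * 4:] if etype == 0x0800 and l3 else b""
    return kind, {"l3": l3, "l4": l4}

def window_matches(layers, name, value, mask):
    """Compare one 2-byte window against value under mask (1 = compare)."""
    layer, offset = WINDOWS[name]
    data, start = layers[layer], offset * 2
    if len(data) < start + 2:
        return False                          # window lies beyond the packet
    word = struct.unpack_from("!H", data, start)[0]
    return (word & mask) == (value & mask)

def rule_matches(frame, fmt, windows):
    """True when the frame format and every window of the rule match."""
    kind, layers = parse_frame(frame)
    return kind == fmt and all(
        window_matches(layers, n, v, m) for n, v, m in windows)

# The two rules of ACL 1200 from the manual's examples.
RULE_PERMIT = ("tagged-eth2",
               [("window1", 0x4501, 0xFFFF), ("window2", 0x00FF, 0x00FF)])
RULE_DENY = ("untagged-eth2", [("window3", 0xFFAA, 0xFFFF)])

# Constructed sample frames: dst MAC, src MAC, [802.1Q tag], type, IPv4, l4.
MACS = bytes.fromhex("020000000002020000000001")
TAGGED = MACS + bytes.fromhex(
    "8100" "a00a" "0800"
    "4501001c" "00000000" "40110000" "c0000201" "c0000202"
    "1234abff00080000")                       # 4th l4 byte is 0xFF
UNTAGGED = MACS + bytes.fromhex(
    "0800"
    "4500001c" "ffaa0000" "40110000" "c0000201" "c0000202"
    "1234000000080000")                       # 5th-6th l3 bytes are 0xFFAA
```

With mask 00FF on window2, the third l4 byte (0xAB in the constructed frame) is ignored and only the fourth byte is compared.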
37.4 userdefined-access-list extended
Command: userdefined-access-list extended <num> {deny | permit}
{untagged-eth2 | tagged-eth2 [cos <value> [<mask>]] [vlanId <value> [<mask>]] |
untagged-802-3 | tagged-802-3 [cos <value> [<mask>]] [vlanId <value> [<mask>]]}










