Gigabit Ethernet Switch Management Guide
CONFIGURING THE SWITCH
CLI – This example shows how to create an Ingress MAC ACL and bind
it to a port. You can then see that the order of the rules has been changed
by the mask.

Console(config)#access-list mac M4
Console(config-mac-acl)#permit any any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3
Console(config-mac-acl)#end
Console#show access-list
MAC access-list M4:
 permit any any
 deny tagged-eth2 host 00-11-11-11-11-11 any vid 3
Console(config)#access-list mac mask-precedence in
Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid
Console(config-mac-mask-acl)#exit
Console(config)#interface ethernet 1/12
Console(config-if)#mac access-group M4 in
Console(config-if)#end
Console#show access-list
MAC access-list M4:
 deny tagged-eth2 host 00-11-11-11-11-11 any vid 3
 permit any any
MAC ingress mask ACL:
 mask pktformat host any vid
Console#

Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you can bind the ports
that need to filter traffic to the appropriate ACLs. You can only bind a port
to one ACL for each basic type – IP ingress, IP egress, MAC ingress and
MAC egress.

Command Usage
• You must configure a mask for an ACL rule before you can bind it to
  a port.
• This switch supports ACLs for both ingress and egress filtering.
  However, you can only bind one IP ACL and one MAC ACL to any
  port for ingress filtering, and one IP ACL and one MAC ACL to any
  port for egress filtering. In other words, only four ACLs can be bound
  to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC ACL
  and Egress MAC ACL.
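The two binding rules under Command Usage can be checked against a planned CLI session before it is applied. The following is an added example, not part of the guide: `lint_bindings` and the sample session are hypothetical, the `ip` and `out` command forms are assumed by analogy with the MAC ingress commands shown here, and "mask before bind" is read as "a mask for the same ACL type and direction already exists".

```python
import re

# Constructed input: the page's CLI commands (prompts kept) plus two extra
# binds, M5 in and M4 out, that break the rules under Command Usage.
SAMPLE = """\
Console(config)#access-list mac M4
Console(config-mac-acl)#permit any any
Console(config-mac-acl)#exit
Console(config)#access-list mac mask-precedence in
Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid
Console(config-mac-mask-acl)#exit
Console(config)#interface ethernet 1/12
Console(config-if)#mac access-group M4 in
Console(config-if)#mac access-group M5 in
Console(config-if)#mac access-group M4 out
"""

# The "ip" and "out" alternatives are assumed by analogy with the MAC ingress
# commands shown on the page.
MASK_RE = re.compile(r"access-list (ip|mac) mask-precedence (in|out)")
PORT_RE = re.compile(r"interface ethernet (\S+)")
BIND_RE = re.compile(r"(ip|mac) access-group (\S+) (in|out)")

def lint_bindings(session):
    """Return (port, acl, problem) for each bind that breaks the page's rules."""
    masks, bound, findings = set(), {}, []
    mask_ctx = port = None
    for raw in session.splitlines():
        cmd = raw.split("#", 1)[-1].strip()      # drop the CLI prompt if present
        if m := MASK_RE.fullmatch(cmd):
            mask_ctx = m.groups()                # entered mask mode for (type, dir)
        elif cmd.startswith("mask ") and mask_ctx:
            masks.add(mask_ctx)                  # a mask now exists for (type, dir)
        elif m := PORT_RE.fullmatch(cmd):
            port, mask_ctx = m[1], None
        elif cmd in ("exit", "end"):
            mask_ctx = port = None
        elif (m := BIND_RE.fullmatch(cmd)) and port:
            kind, acl, direction = m.groups()
            slot = (port, kind, direction)
            if (kind, direction) not in masks:   # assumed reading of "mask before bind"
                findings.append((port, acl, f"no {kind} {direction} mask configured"))
            elif bound.get(slot, acl) != acl:    # one ACL per type and direction
                findings.append((port, acl, f"{kind} {direction} slot already holds {bound[slot]}"))
            else:
                bound[slot] = acl
    return findings

if __name__ == "__main__":
    for finding in lint_bindings(SAMPLE):
        print(finding)
```

Running it on the sample reports the second ingress bind and the egress bind that has no mask; the page's own session without those two lines produces no findings.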










