User Guide
Command Line Interface
permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a 
specified MAC source or destination address (i.e., physical layer address), or 
Ethernet protocol type. Use the no form to remove a rule.
Syntax
[no] {permit | deny}
  {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask}
  [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]]
Note: The default is for Ethernet II packets.
[no] {permit | deny} tagged-eth2
  {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask}
  [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]]
[no] {permit | deny} untagged-eth2
  {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask}
  [ethertype protocol [protocol-bitmask]]
[no] {permit | deny} tagged-802.3
  {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask}
  [vid vid vid-bitmask]
[no] {permit | deny} untagged-802.3
  {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask}
• tagged-eth2 – Tagged Ethernet II packets.
• untagged-eth2 – Untagged Ethernet II packets.
• tagged-802.3 – Tagged Ethernet 802.3 packets.
• untagged-802.3 – Untagged Ethernet 802.3 packets.
• any – Any MAC source or destination address. 
• host – A specific MAC address.
• source – Source MAC address.
• destination – Destination MAC address range with bitmask.
• address-bitmask – Bitmask for MAC address (in hexadecimal format; see note 16).
• vid – VLAN ID. (Range: 1-4093)
• vid-bitmask – VLAN bitmask. (Range: 1-4093)
• protocol – A specific Ethernet protocol number. (Range: 600-fff hex.)
• protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.)
16. For all bitmasks, “1” means care and “0” means ignore.
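
Added example (not from this guide or the switch software): a Python model of the bitmask semantics in note 16, showing which frames a masked source address plus an ethertype clause select, and how inverting the mask bits makes the same rule select unrelated hosts. The rule dictionary layout, the dash-separated MAC notation and every address below are assumptions constructed for illustration.

```python
# Added illustration (not vendor code): models the footnote's bitmask rule,
# where a 1 bit means "care" and a 0 bit means "ignore".
# Rule layout, MAC notation and all sample values are constructed.
HOST_MASK = "ff-ff-ff-ff-ff-ff"  # models "host": every bit must match
ANY = ("00-00-00-00-00-00", "00-00-00-00-00-00")  # models "any": no bit checked

def parse_mac(text):
    """Parse a MAC written with '-' or ':' separators into a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)

def field_matches(value, pattern, bitmask):
    """True when value equals pattern on every bit the mask cares about."""
    return (value & bitmask) == (pattern & bitmask)

def rule_matches(rule, frame):
    """Return the rule's action if the frame matches it, otherwise None."""
    for key in ("src", "dst"):
        addr, mask = rule[key]
        if not field_matches(parse_mac(frame[key]), parse_mac(addr), parse_mac(mask)):
            return None
    if "ethertype" in rule:  # optional clause, as in the syntax above
        proto, mask = rule["ethertype"]
        mask = 0xFFFF if mask is None else mask  # omitted mask: exact match
        if not field_matches(frame["ethertype"], proto, mask):
            return None
    return rule["action"]

# Constructed rule: deny ethertype 0800 frames from one 24-bit address prefix.
PREFIX_RULE = {"action": "deny", "src": ("00-11-22-00-00-00", "ff-ff-ff-00-00-00"),
               "dst": ANY, "ethertype": (0x0800, None)}
# Same rule with the mask bits inverted: it now compares only the low 24 bits.
INVERTED_RULE = dict(PREFIX_RULE, src=("00-11-22-00-00-00", "00-00-00-ff-ff-ff"))

FRAMES = [  # constructed sample frames
    {"src": "00-11-22-aa-bb-cc", "dst": "ff-ff-ff-ff-ff-ff", "ethertype": 0x0800},
    {"src": "00-11-22-aa-bb-cc", "dst": "ff-ff-ff-ff-ff-ff", "ethertype": 0x0806},
    {"src": "66-77-88-00-00-00", "dst": "00-aa-bb-cc-dd-ee", "ethertype": 0x0800},
]

if __name__ == "__main__":
    for frame in FRAMES:
        print(frame["src"], hex(frame["ethertype"]),
              rule_matches(PREFIX_RULE, frame), rule_matches(INVERTED_RULE, frame))
```

With the inverted mask the intended prefix is no longer denied, while the third frame, from a different prefix, is.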










