Switch Management Guide
A
CCESS
 C
ONTROL
 L
ISTS
8-14
CLI – This shows that the entries in the mask override the precedence in 
which the rules are entered into the ACL. In the following example, 
packets with the source address 10.1.1.1 are dropped because the “deny 
10.1.1.1 255.255.255.255” rule has the higher precedence according to the 
“mask host any” entry.
Configuring a MAC ACL Mask
This mask defines the fields to check in the packet header. 
Command Usage
You must configure a mask for an ACL rule before you can bind it to a 
port.
Command Attributes
• Source/Destination Address Type – Use “Any” to match any 
address, “Host” to specify the host address for a single node, or “MAC” 
to specify a range of addresses. (Options: Any, Host, MAC; 
Default: Any)
• Source/Destination Bit Mask – Address of rule must match this 
bitmask.
• VID Bitmask – VLAN ID of rule must match this bitmask.
• Ethernet Type Bit Mask – Ethernet type of rule must match this 
bitmask.
• Packet Format Mask – A packet format must be specified in the rule.
Console(config)#access-list ip standard A2 24-3
Console(config-std-acl)#permit 10.1.1.0 255.255.255.0 24-4
Console(config-std-acl)#deny 10.1.1.1 255.255.255.255
Console(config-std-acl)#exit
Console(config)#access-list ip mask-precedence in 24-8
Console(config-ip-mask-acl)#mask host any 24-9
Console(config-ip-mask-acl)#mask 255.255.255.0 any
Console(config-ip-mask-acl)#










