AMX NXA-ENET24 Switch User Manual


 
CLI (Command Line Interface)
NXA-ENET24 - Software Management Guide
MAC ACL Commands (Cont.)
Command Function
mask (Cont.) Example - This example creates an Egress MAC ACL:
Console(config)#access-list mac M5
Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806
Console(config-mac-acl)#end
Console#show access-list
MAC access-list M5:
deny tagged-802.3 host 00-11-11-11-11-11 any
deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 ethertype 0806
Console(config)#access-list mac mask-precedence out
Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid
Console(config-mac-mask-acl)#exit
Console(config)#interface ethernet 1/5
Console(config-if)#mac access-group M5 out
Console(config-if)#end
Console#show access-list
MAC access-list M5:
deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 ethertype 0806
deny tagged-802.3 host 00-11-11-11-11-11 any
MAC ingress mask ACL:
mask pktformat host any vid ethertype
Console#
show access-list mac mask-precedence
This command shows the ingress or egress rule masks for MAC ACLs.
Syntax:
show access-list mac mask-precedence [in | out]
in – Ingress mask precedence for ingress ACLs.
out – Egress mask precedence for egress ACLs.
Command Mode: Privileged Exec
Example:
Console#show access-list mac mask-precedence
MAC egress mask ACL:
mask pktformat host any vid ethertype
Console#
permit offset, deny offset (MAC ACL)
Use this command to add a rule to a MAC ACL. The rule filters packets matching the specified data pattern starting at the offset. Use the no form to remove a rule.
Syntax:
{permit | deny} offset offset_value length bitmask data
no {permit | deny} offset offset_value length bitmask data
offset_value – Byte offset from the beginning of the frame.
length – Length of the data pattern to match.
bitmask – Decimal number representing the data bits to match.
data – Data to match, entered as a sequence of hexadecimal digits with no separators.
Default Setting: None
Command Mode: MAC ACL
Command Usage: This command is used to filter frames that match a specified pattern, and can be used to filter traffic associated with precisely defined events.
The bitmask is a decimal number (representing an equivalent bit mask) that is applied to the data. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
Packet filtering based on arbitrary offsets and data patterns can adversely affect switch throughput. Try to avoid using packet filtering based on pattern matching unless this is absolutely necessary to solve a specific problem.
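The following Python model is an added illustration, not part of the AMX manual or the switch firmware: it shows how an offset, length, decimal bitmask and hex data combine to match an untagged Ethernet II/IPv4 frame that has the Don't Fragment bit set and is addressed to 10.1.0.23. It assumes the first mask byte is the most significant part of the decimal number (the manual does not state the bit order); all function names and sample frames are constructed for the example.

```python
import struct

ETH_HLEN = 14          # untagged Ethernet II header: dst MAC, src MAC, EtherType
OFFSET = ETH_HLEN + 6  # IPv4 flags/fragment field sits 6 bytes into the IP header
LENGTH = 14            # frame bytes 20..33, up to the end of the destination IP
MASK = b"\x40" + bytes(9) + b"\xff" * 4            # DF bit, 9 ignored bytes, whole dst IP
DATA = b"\x40" + bytes(9) + bytes([10, 1, 0, 23])  # DF set, destination 10.1.0.23


def mask_to_decimal(mask: bytes) -> int:
    """Decimal form of a byte-wise mask (assumption: first byte is most significant)."""
    return int.from_bytes(mask, "big")


def rule_matches(frame: bytes, offset: int, length: int, bitmask: int, data_hex: str) -> bool:
    """Model of an offset rule: only bits set to 1 in the bitmask are compared."""
    data = bytes.fromhex(data_hex)
    if len(data) != length:
        raise ValueError("data must be exactly `length` bytes")
    window = frame[offset:offset + length]
    if len(window) < length:  # frame too short to contain the pattern
        return False
    return (int.from_bytes(window, "big") & bitmask) == (int.from_bytes(data, "big") & bitmask)


def build_frame(dst_ip: bytes, df: bool, ttl: int = 64, vlan=None) -> bytes:
    """Constructed sample frame: Ethernet II + 20-byte IPv4 header, checksum left at 0."""
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    eth = bytes.fromhex("001122334455" "00aabbccddee") + tag + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 1, 0, 1]), dst_ip)
    return eth + ip


def check(frame: bytes) -> bool:
    """Apply the DF + destination 10.1.0.23 pattern to one frame."""
    return rule_matches(frame, OFFSET, LENGTH, mask_to_decimal(MASK), DATA.hex())


if __name__ == "__main__":
    target = bytes([10, 1, 0, 23])
    print("bitmask (decimal):", mask_to_decimal(MASK))
    print("data (hex):       ", DATA.hex())
    print("untagged, DF set: ", check(build_frame(target, True)))
    print("untagged, DF clear:", check(build_frame(target, False)))
    print("VLAN 3 tag, DF set:", check(build_frame(target, True, vlan=3)))
```

Because the offset counts from the beginning of the frame, an 802.1Q tag shifts every later field by four bytes, so in this model the same pattern does not match a tagged frame.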
Example:
This example shows how to filter any Ethernet II packets directed to the IP
address 10.1.0.23 that have the Don’t Fragment flag set.
Console(config)#access-list mac jerry
Console(config-mac-acl)#permit offset ???