Cisco Systems OL-6244-01 Switch User Manual


2-636
Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
set security acl mac
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
The src_mac_addr_spec is a 48-bit source MAC address and mask and is entered in the form of
source_mac_address source_mac_address_mask (for example, 08-11-22-33-44-55 ff-ff-ff-ff-ff-ff).
Place ones in the bit positions you want to mask. When you specify the src_mac_addr_spec, follow these
guidelines:
• The source_mask is required; 0 indicates a care bit; 1 indicates a don't-care bit.
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0
255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
The dest_mac_spec is a 48-bit destination MAC address and mask and is entered in the form of
dest_mac_address dest_mac_address_mask (for example, 08-00-00-00-02-00/ff-ff-ff-00-00-00). Place
ones in the bit positions you want to mask. The destination mask is mandatory. When you specify the
dest_mac_spec, use the following guidelines:
• Use a 48-bit quantity in 6-part dotted-hexadecimal format for a source address and mask.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0-0-0-0-0-0
ff-ff-ff-ff-ff-ff.
• Use host source as an abbreviation for a destination and destination-wildcard of destination
0-0-0-0-0-0.
Valid names for Ethertypes (and corresponding numbers) are EtherTalk (0x809B), AARP (0x8053),
dec-mop-dump (0x6001), dec-mop-remote-console (0x6002), dec-phase-iv (0x6003), dec-lat (0x6004),
dec-diagnostic-protocol (0x6005), dec-lavc-sca (0x6007), dec-amber (0x6008), dec-mumps (0x6009),
dec-lanbridge (0x8038), dec-dsm (0x8039), dec-netbios (0x8040), dec-msdos (0x8041),
banyan-vines-echo (0x0baf), xerox-ns-idp (0x0600), xerox-address-translation (0x0601), and
IPv4 (0x8000).
Use the show security acl command to display the list.
Note: With PFC2, the counters report whether a particular ACE was hit during a 300 ms window, but the counters do
not indicate how much traffic hit the entry. For example, if you have two flows where one flow is 1000
packets per second and the second flow is 10 packets per second, both flows return the same result with
a PFC2. PFC3 and later PFCs do not have this limitation.
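The following is an added example, not Cisco code and not part of the command reference: a small Python model of the source/destination MAC spec matching rule described above (a 1 bit in the mask is a don't-care bit, a 0 bit is a care bit, with the any and host abbreviations) and of the PFC2 counter behaviour described in the note. The parser uses the 48-bit six-part dotted-hexadecimal form given for dest_mac_spec for both addresses, treats the mask as mandatory as the guidelines state, and handles only the permit/deny action and the two address specs; the ACE syntax, the first-match evaluation order and the default action are assumptions, as are the sample ACEs and frame addresses.

```python
"""Added example: a reference model of CatOS-style MAC ACE address/mask
matching and of the PFC2 'hit in a 300 ms window' counter. Not Cisco code."""
import re

MAC_BITS = 0xFFFF_FFFF_FFFF      # a 48-bit all-ones value
ALL_DONT_CARE = MAC_BITS         # wildcard ff-ff-ff-ff-ff-ff: ignore every bit


def parse_mac(text):
    """Six-part dashed hex (08-11-22-33-44-55 or 0-0-0-0-0-0) -> 48-bit int."""
    parts = text.split("-")
    if len(parts) != 6:
        raise ValueError(f"expected 6 dashed hex parts, got {text!r}")
    value = 0
    for part in parts:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", part):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = (value << 8) | int(part, 16)
    return value


def parse_mac_spec(tokens, pos):
    """Consume one address spec starting at tokens[pos].

    Returns ((address, wildcard), next_pos), using the manual's abbreviations:
      any     -> address 0-0-0-0-0-0, wildcard ff-ff-ff-ff-ff-ff (match anything)
      host X  -> address X, wildcard 0-0-0-0-0-0 (exact match)
      X M     -> explicit address and wildcard; the mask is mandatory
    """
    tok = tokens[pos]
    if tok == "any":
        return (0, ALL_DONT_CARE), pos + 1
    if tok == "host":
        if pos + 1 >= len(tokens):
            raise ValueError("host needs an address")
        return (parse_mac(tokens[pos + 1]), 0), pos + 2
    if pos + 1 >= len(tokens):
        raise ValueError(f"mask is required after address {tok}")
    return (parse_mac(tok), parse_mac(tokens[pos + 1])), pos + 2


def mac_matches(spec, mac):
    """True when every care bit (wildcard bit == 0) of mac equals the spec."""
    address, wildcard = spec
    return ((address ^ mac) & ~wildcard & MAC_BITS) == 0


def parse_ace(line):
    """'permit|deny <src spec> <dst spec>' -> dict. (Assumed syntax; the
    ethertype and other ACE fields are left out of this model.)"""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny")
    src, pos = parse_mac_spec(tokens, 1)
    dst, pos = parse_mac_spec(tokens, pos)
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens: " + " ".join(tokens[pos:]))
    return {"action": tokens[0], "src": src, "dst": dst}


def lookup(aces, src_mac, dst_mac, default="permit"):
    """First-match evaluation (assumed); `default` stands in for the ACL's
    default action when no ACE matches."""
    for ace in aces:
        if mac_matches(ace["src"], src_mac) and mac_matches(ace["dst"], dst_mac):
            return ace["action"]
    return default


def pfc2_hit_count(packet_times, window=0.3):
    """PFC2-style counter: one hit per 300 ms window in which the ACE matched
    at least once, regardless of how many packets matched in that window.
    A PFC3-style counter would simply be len(packet_times)."""
    return len({int(t // window) for t in packet_times})


if __name__ == "__main__":
    # Constructed sample ACL: deny one host's frames, permit the rest.
    acl = [parse_ace("deny host 01-02-02-03-04-05 any")]
    print(lookup(acl, parse_mac("01-02-02-03-04-05"), parse_mac("ff-ff-ff-ff-ff-ff")))
    # 1000 pps and 10 pps flows, both seen inside one 300 ms window.
    fast = [i / 1000 for i in range(300)]
    slow = [0.0, 0.1, 0.2]
    print(pfc2_hit_count(fast), pfc2_hit_count(slow))   # same result on PFC2
```

The masked comparison is the whole point of the spec format: with the manual's example mask ff-ff-ff-00-00-00, only the low three octets of the address are compared, so a deny written that way covers every address that shares those three octets, not just the one listed.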
Examples
This example shows how to block traffic to an IP address:
Console> (enable) set security acl mac MACACL1 deny 01-02-02-03-04-05
MACACL1 editbuffer modified. Use 'commit' command to apply changes.
Console> (enable)
Related Commands
clear security acl
clear security acl capture-ports
clear security acl map