Force10 Networks S2410s Switch User Manual


 
288 ACL Commands
{deny|permit}
Implementation Notes
If the CPU MA table (this MAC address table is separate from the software MAC address table) is filled so that the ACL logic cannot create another MA table entry, all frames from that source address will be dropped.

If the ACL rules are changed or ACLs are unapplied from the port, all CPU MA table entries associated with that port will be flushed from the table. If ACLs are unapplied (and port security is not enabled on the port), the hardware is configured to no longer trap frames from that port to the CPU.

ACLs take precedence over port-based security configuration. See Implementation Notes on page 164 in the Security Commands chapter for details.
{deny|permit}
This command creates a new rule for the selected MAC access list. Each rule is appended to the list of configured rules for the list. Note that an implicit "deny all" MAC rule always terminates the access list.
Syntax
{deny|permit} {srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu}
    [ethertypekey | 0x0600-0xFFFF] [vlan {eq 0-4095 | range 0-4095 0-4095}] [cos 0-7]
    [secondary-vlan {eq 0-4095 | range 0-4095 0-4095}] [secondary-cos 0-7]
    [assign-queue queue-id 0-6] [redirect slot/port]
Parameters
deny | permit
    The rule may either deny or permit traffic according to the specified classification fields.

{srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu}
    Note: In SFTOS 2.4.1, only the source MAC is supported.
    The source (srcmac srcmacmask | any) and destination (dstmac dstmacmask | any | bpdu) MAC value and mask pairs must be specified; either may be replaced by the keyword any to indicate a match on any value in that field. (See the Usage section, below.)
    The bpdu keyword may be specified for the destination MAC value/mask pair, indicating the well-known BPDU MAC value of 01-80-c2-xx-xx-xx (hex), where 'xx' indicates a don't care.

ethertypekey | 0x0600-0xFFFF
    (Optional) The Ethertype (ethertypekey) may be specified as either a keyword or a four-digit hexadecimal value from 0x0600 to 0xFFFF. The currently supported ethertypekey keyword values are: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp. Each of these translates into its equivalent Ethertype value(s). (See the Usage section, below.)

vlan {eq 0-4095 | range 0-4095 0-4095}
    (Optional) To specify a filter on a VLAN, enter vlan eq followed by the VLAN ID. For a VLAN range, use vlan range, followed by the lowest VLAN ID and then the highest VLAN ID in the range.

cos 0-7
    (Optional) Use the cos keyword to specify a filter based on the Class of Service value (the only tag in a single-tagged packet, or the first or outer 802.1Q tag of a double VLAN tagged packet). The value may be from 0 to 7.
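The following Python model, added here as an illustration and not taken from SFTOS or the S2410 manual, shows how rules in the syntax above are evaluated: rules are tried in the order they were appended, the first match decides, and the implicit "deny all" rule at the end of the list catches everything else. The MAC mask is assumed to be a wildcard mask (a set bit means "don't care"), which makes the bpdu keyword equivalent to value 01:80:c2:00:00:00 with mask 00:00:00:ff:ff:ff; the page does not state the mask convention, so verify it against the Usage section before relying on it. The ethertype keyword table is the standard IEEE assignment for a subset of the keywords listed (the page gives no numeric table), and the secondary-vlan, secondary-cos, assign-queue and redirect options are not modelled. The ACL lines and frames are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard IEEE Ethertype values for a subset of the page's keywords
# (assumption: the manual's own keyword-to-value table is not on the page).
ETHERTYPE_KEYWORDS: Dict[str, Tuple[int, ...]] = {
    "arp": (0x0806,), "rarp": (0x8035,), "ipv4": (0x0800,), "ipv6": (0x86DD,),
    "mplsucast": (0x8847,), "mplsmcast": (0x8848,),
    "pppoe": (0x8863, 0x8864),   # discovery and session stages: one keyword, two values
}
# bpdu keyword: 01-80-c2-xx-xx-xx, low three bytes are don't-care (wildcard mask assumed).
BPDU_VALUE, BPDU_MASK = "01:80:c2:00:00:00", "00:00:00:ff:ff:ff"
ALL_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class MacMatch:
    value: int
    mask: int   # assumed wildcard mask: 1 bit = ignore that bit

    def matches(self, mac: int) -> bool:
        care = ALL_BITS & ~self.mask
        return (mac & care) == (self.value & care)


@dataclass
class Rule:
    action: str
    src: Optional[MacMatch]                 # None means the 'any' keyword
    dst: Optional[MacMatch]
    ethertypes: Optional[Tuple[int, ...]] = None
    vlan: Optional[Tuple[int, int]] = None  # inclusive range; 'eq N' is (N, N)
    cos: Optional[int] = None

    def matches(self, frame: dict) -> bool:
        if self.src is not None and not self.src.matches(frame["src"]):
            return False
        if self.dst is not None and not self.dst.matches(frame["dst"]):
            return False
        if self.ethertypes is not None and frame["ethertype"] not in self.ethertypes:
            return False
        if self.vlan is not None and not (self.vlan[0] <= frame["vlan"] <= self.vlan[1]):
            return False
        if self.cos is not None and frame["cos"] != self.cos:
            return False
        return True


def _take_mac(tokens: List[str], is_dst: bool) -> Optional[MacMatch]:
    """Consume '{mac mask | any}' or, for the destination only, 'bpdu'."""
    head = tokens.pop(0)
    if head == "any":
        return None
    if head == "bpdu":
        if not is_dst:
            raise ValueError("bpdu is only valid for the destination MAC")
        return MacMatch(mac_to_int(BPDU_VALUE), mac_to_int(BPDU_MASK))
    return MacMatch(mac_to_int(head), mac_to_int(tokens.pop(0)))


def parse_rule(line: str) -> Rule:
    """Parse one '{deny|permit} ...' line in the page's syntax (core options only)."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    rule = Rule(action, _take_mac(tokens, False), _take_mac(tokens, True))
    if tokens and tokens[0] not in ("vlan", "cos"):      # optional ethertype
        key = tokens.pop(0)
        if key in ETHERTYPE_KEYWORDS:
            rule.ethertypes = ETHERTYPE_KEYWORDS[key]
        else:
            value = int(key, 16)
            if not 0x0600 <= value <= 0xFFFF:
                raise ValueError(f"ethertype {key} outside 0x0600-0xFFFF")
            rule.ethertypes = (value,)
    while tokens:
        key = tokens.pop(0)
        if key == "vlan":
            mode = tokens.pop(0)
            if mode == "eq":
                low = high = int(tokens.pop(0))
            elif mode == "range":
                low, high = int(tokens.pop(0)), int(tokens.pop(0))
            else:
                raise ValueError(f"bad vlan mode {mode!r}")
            if not 0 <= low <= high <= 4095:
                raise ValueError("vlan outside 0-4095")
            rule.vlan = (low, high)
        elif key == "cos":
            cos = int(tokens.pop(0))
            if not 0 <= cos <= 7:
                raise ValueError("cos outside 0-7")
            rule.cos = cos
        else:
            raise ValueError(f"option {key!r} not modelled here")
    return rule


def evaluate(rules: List[Rule], frame: dict) -> Tuple[str, Optional[int]]:
    """First matching rule wins; the implicit trailing 'deny all' returns ('deny', None)."""
    for index, rule in enumerate(rules):
        if rule.matches(frame):
            return rule.action, index
    return "deny", None


# Constructed sample access list (not from the manual).
SAMPLE_ACL = [
    "deny any bpdu",                                        # drop BPDUs arriving from hosts
    "permit 00:11:22:00:00:00 00:00:00:ff:ff:ff any arp",   # ARP only from one OUI
    "permit any any ipv4 vlan range 10 20 cos 0",           # IPv4 in VLANs 10-20, CoS 0
]


def decide(acl_lines, src, dst, ethertype, vlan, cos):
    rules = [parse_rule(line) for line in acl_lines]
    frame = {"src": mac_to_int(src), "dst": mac_to_int(dst),
             "ethertype": ethertype, "vlan": vlan, "cos": cos}
    return evaluate(rules, frame)
```

Because the trailing "deny all" is implicit, a frame that matches none of the configured rules is dropped, so a list that only contains deny rules blocks all traffic on the port; a permit rule for the expected traffic has to be present explicitly.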