Overview
16-4
16.1.2 deny
MAC Extended ACL Config Commands
Use this command to specify packets to reject.
Syntax
{deny} {any|host source MAC address|source MAC/source MAC address mask}
       {any|host destination MAC address|destination MAC/destination MAC address mask}
       [vlan vlan-id] [dot1p dot1p-value] [type value|ip|ipv6|arp|vlan|wisp|0-65535]
       [log] [rule-precedence access-list-entry precedence]
Usage Guidelines
The deny command disallows traffic based on layer 2 (data-link layer) information. The MAC access list denies
traffic from a particular source MAC address or from any MAC address. It can also disallow traffic from a range
of MAC addresses selected by the source mask.
The MAC access list can be configured to disallow traffic based on VLAN information and ethernet type.
The most common ethernet types are:
•arp
•wisp
NOTE Use the decimal representation of an ethertype to implement a permit/deny/mark designation for a
packet. The command set for Extended MAC ACLs lists each well-known ethertype as a hexadecimal value, but
the switch supports all ethertypes: use the decimal equivalent of a listed ethertype, or of any other ethertype.
Parameters
Source Mask         Bit mask specifying the bits to match. Source wildcard can be any one of the following:
                    • xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx – Source MAC address and mask.
                    • any – Any source host.
                    • host – Exact source MAC address to match.
Destination Mask    Bit mask specifying the bits to match. Destination wildcard can be any one of the following:
                    • xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx – Destination MAC address and mask.
                    • any – Any destination host.
                    • host – Exact destination MAC address to match.
dot1p <0-7>         802.1p priority value to match.
rule-precedence <1-5000>
                    Access-list entry precedence.
type (<1-65535>|arp|ip|ipv6|vlan|wisp)
                    Ethertype value, given as an integer or as a keyword for a well-known ethertype such as IP,
                    IPv6 or ARP.
vlan <1-4095>       VLAN tag ID to match.
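The following is an added example, not part of the manual and not the switch's own code: it models how one deny entry built from the parameters above is evaluated against a frame, so the effect of a MAC/mask pair, the VLAN, dot1p and ethertype qualifiers, and the decimal-ethertype rule from the note can be checked before the entry is committed. It assumes the mask is a match mask (a 1 bit means "compare this bit"), following the "bits to match" wording; the wisp keyword is omitted because its numeric value is not given on this page.

```python
# Added example: evaluation of a MAC extended ACL "deny" entry against a frame.
# Assumption: mask bit 1 = compare this bit (invert the mask if the platform
# treats it as a wildcard instead). Frame values are constructed inline.
from dataclasses import dataclass
from typing import Optional

# Well-known ethertype keywords from the command syntax, with their standard values.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "vlan": 0x8100, "ipv6": 0x86DD}


def mac_to_int(mac: str) -> int:
    """'00:11:22:aa:bb:cc' -> 48-bit integer (case-insensitive)."""
    return int(mac.replace(":", ""), 16)


@dataclass
class MacDenyEntry:
    src: str                        # "any", "host xx:..:xx" or "xx:..:xx/xx:..:xx"
    dst: str                        # same forms as src
    vlan: Optional[int] = None      # [vlan vlan-id]
    dot1p: Optional[int] = None     # [dot1p dot1p-value]
    etype: Optional[str] = None     # [type keyword|decimal]


def _mac_matches(spec: str, mac: str) -> bool:
    """Apply the any / host / address-and-mask forms of the source or destination field."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return mac_to_int(spec[5:]) == mac_to_int(mac)
    base, mask = spec.split("/")
    m = mac_to_int(mask)
    return (mac_to_int(base) & m) == (mac_to_int(mac) & m)


def ethertype_value(spec: str) -> int:
    """Keyword or decimal string -> numeric ethertype, per the note that
    non-keyword ethertypes are entered in decimal (e.g. 2054 for ARP 0x0806)."""
    if spec in ETHERTYPES:
        return ETHERTYPES[spec]
    return int(spec, 10)


def denies(entry: MacDenyEntry, frame: dict) -> bool:
    """True when every qualifier of the entry matches the frame (dict with
    src, dst, etype as int, optional vlan and dot1p)."""
    if not _mac_matches(entry.src, frame["src"]) or not _mac_matches(entry.dst, frame["dst"]):
        return False
    if entry.vlan is not None and frame.get("vlan") != entry.vlan:
        return False
    if entry.dot1p is not None and frame.get("dot1p") != entry.dot1p:
        return False
    return entry.etype is None or frame["etype"] == ethertype_value(entry.etype)
```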