16-13
Usage Guidelines
When creating a Port ACL, the switch (by default) does not permit an ethertype WISP. First create a rule to
allow WISP to adopt access ports. Use the following CLI command to adopt access ports:
permit any any type wisp
The permit command in the MAC ACL disallows traffic based on layer 2 (data-link layer) information. The MAC
access list permits traffic from a source MAC address or any MAC address. It also has an option to allow traffic
from a list of MAC addresses (based on the source mask).
The MAC access list can be configured to allow traffic based on VLAN information, ethernet type. Common
ethernet types include:
•arp
•wisp
•ip
• 802.1q
The switch (by default) does not allow layer 2 traffic to pass through the interface. To adopt an access port
through an interface, configure an access control list to allow ethernet wisp.
The last ACE in the access list is an implict deny statement.
Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. It is
allowed/denied based on the ACL configuration.
Example
The example below permits wisp based traffic from any source MAC address to any destination MAC address.
RFS7000(config-ext-macl)#permit any any type wisp
RFS7000(config-ext-macl)#
The example below permits arp based traffic from any source MAC address to any destination MAC address.
RFS7000(config-ext-macl)#permit any any type arp
RFS7000(config-ext-macl)#
The example below permits IP based traffic from a particular source MAC address to any destination MAC
address.
RFS7000(config-ext-macl)#permit host 11:22:33:44:55:66 any type ip
RFS7000(config-ext-macl)#
NOTE Use the following command to attach a MAC access list to a port on a layer 2
interface:
mac access-group <acl number/name> in
NOTE To apply an IP based ACL to an interface, a MAC access list entry to allow arp is
mandatory. MAC ACL always takes precedence over IP based ACL’s.
To Next Page
Loading...
Need help?
General
