Chapter 7: Quality of Service Commands
The special command form {deny | permit} any any is used to match all
Ethernet layer 2 packets, and is the equivalent of the IP access list “match every”
rule.
The permit command’s optional rate-limit attribute permits traffic only up to
the configured rate, given in kbps, with the burst-size given in kbytes.
The following shows an example of the command.
(CN1610) (Config)#mac access-list extended mac1
(CN1610) (Config-mac-access-list)#permit 00:00:00:00:aa:bb ff:ff:ff:ff:00:00 any rate-limit 32 16
(CN1610) (Config-mac-access-list)#exit
mac access-group
This command either attaches a specific MAC Access Control List (ACL)
identified by name to an interface or range of interfaces, or associates it with a
VLAN ID, in a given direction. The name parameter must be the name of an
existing MAC ACL.
An optional sequence number may be specified to indicate the order of this mac
access list relative to other mac access lists already assigned to this interface and
direction. A lower number indicates higher precedence order. If a sequence
number is already in use for this interface and direction, the specified mac access
list replaces the currently attached mac access list using that sequence number. If
the sequence number is not specified for this command, a sequence number that
is one greater than the highest sequence number currently in use for this interface
and direction is used.
When specified in 'Interface Config' mode, this command affects only a single
interface, whereas the 'Global Config' mode setting is applied to all interfaces.
The VLAN keyword is only valid in the 'Global Config' mode.
The optional control-plane keyword applies the MAC ACL on the CPU port. Control
packets such as BPDUs are then also dropped because of the implicit deny all rule
added to the end of the list. To avoid this, add permit rules that allow
the control packets.
The keyword control-plane is only available in Global Config mode.
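The sequence-number rules and the control-plane implicit deny described above, modeled in Python as an added example (not NetApp or switch code). The class and function names are hypothetical, and the rate-limit attribute is not modeled. It assumes that the first attachment gets sequence number 1 and that set bits in a MAC mask mean "ignore", as the mac1 example suggests.

```python
# Added model of the documented behavior; not CN1610 firmware or vendor code.
BPDU_DST = "01:80:c2:00:00:00"  # IEEE 802.1D spanning tree BPDU destination
ALL_BITS = 0xFFFFFFFFFFFF

class Attachments:
    """MAC ACLs attached to one interface (or the CPU port) and direction."""
    def __init__(self):
        self.by_seq = {}  # sequence number -> ACL name

    def attach(self, name, seq=None):
        if seq is None:
            # Omitted: one greater than the highest sequence number in use.
            # Assumption: the first attachment gets 1.
            seq = max(self.by_seq, default=0) + 1
        self.by_seq[seq] = name  # a sequence number already in use is replaced
        return seq

    def order(self):
        # Lower sequence number means higher precedence.
        return [self.by_seq[s] for s in sorted(self.by_seq)]

def _bits(mac):
    return int(mac.replace(":", ""), 16)

def _match(spec, mac):
    if spec == "any":
        return True
    addr, mask = spec
    care = ~_bits(mask) & ALL_BITS  # assumption: set mask bits are "don't care"
    return (_bits(addr) & care) == (_bits(mac) & care)

def evaluate(rules, src, dst):
    """First matching rule decides; the implicit deny all ends every list."""
    for action, src_spec, dst_spec in rules:
        if _match(src_spec, src) and _match(dst_spec, dst):
            return action
    return "deny"

# The page's ACL mac1 (rate-limit omitted), then a copy that permits BPDUs first.
MAC1 = [("permit", ("00:00:00:00:aa:bb", "ff:ff:ff:ff:00:00"), "any")]
MAC1_CPU = [("permit", "any", (BPDU_DST, "00:00:00:00:00:00"))] + MAC1

if __name__ == "__main__":
    a = Attachments()
    a.attach("mac1", 10); a.attach("mac2"); a.attach("mac3", 10)
    print(a.order())
    host = "00:11:22:33:44:55"  # constructed sender address
    print(evaluate(MAC1, host, BPDU_DST), evaluate(MAC1_CPU, host, BPDU_DST))
```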