Configuration Guide Configuring ACL
If an MAC extended ACL is configured to permit or deny some IP packets, run the ping command to check whether
ACEs of this ACL takes effect on the specified interface. For example, an MAC extended ACL is configured to prevent a
device interface from receiving IP packets (Ethernet type is 0x0800), run the ping command for verification.
If an MAC extended ACL is configured to permit or deny some non-IP packets (e.g. ARP packets), also run the ping
command to check whether ACEs of this ACL takes effect on the specified interface. For example, to filter out ARP
packets, run the ping command for verification.
You can also construct L2 packets meeting some specified characteristics to check whether the MAC extended ACL
takes effect. Typically, prepare two PCs, construct and send L2 packets on one PC, enable packet capturing on another
PC, and check whether packets are forwarded as expected (forwarded or blocked) according to the action specified in
the ACEs.
Related Commands
Configuring an MAC Extended ACL
mac access-list extended {acl-name | acl-id }
acl-name: Indicates the name of an MAC extended ACL. If this option is configured, a named ACL is
created. The name is a string of 1 to 99 characters. The ACL name cannot start with numbers (0–9), "in", or
"out".
acl-id: Indicates the ID that uniquely identifies an MAC extended ACL. If this option is configured, a
numbered ACL is created. The value range of acl-id is 700–799.
Global configuration mode
Run this command to configure an MAC extended ACL and enter MAC extended ACL configuration mode.
You can configure an MAC extended ACL to control users' access to network resources by checking the L2
information of Ethernet packets.
Adding ACEs to an MAC Extended ACL
Use either of the following methods to add ACEs to an MAC extended ACL:
Add ACEs in MAC extended ACL configuration mode.
[sn] { permit | deny } {any | host src-mac-addr } {any | host dst-mac-addr } [ethernet-type] [cos cos [inner
cos ]] [ time-range tm-rng-name ]
sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
To Next Page
Loading...
Need help?
General
