mac access-list resequence

Use this command to renumber the sequence numbers of the entries for specified MAC access list with the given increment value starting from a particular sequence number. The command is used to edit the sequence numbers of ACL (Access Control List) rules in the ACL and change the order in which entries are applied. This command is not saved in startup configuration and is not displayed in running configuration.



If the generated sequence number exceeds the maximum sequence number, the ACL rule creation fails and an informational message is displayed.
Default 10
Format mac access-list resequence {name| id } starting-sequence-number increment
Mode Global Config
Parameter Description
starting-sequence-number The sequence number from which to start. The range is 1–2147483647. The default is 10.
increment The amount to increment. The range is 1–2147483647. The default is 10.

{deny | permit} (MAC ACL)

This command creates a new rule for the current MAC access list. A rule may either deny or permit traffic according to the specified classification fields. At a minimum, the source and destination MAC value must be specified, each of which may be substituted using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.

Format [sequence-number] {deny|permit} {srcmac | any} {dstmac | any} [ethertypekey | 0x0600-0xFFFF] [vlan {eq 0-4095}] [cos 0-7] [[log] [time-range time-range-name] [assign-queue queue-id]] [unit/slot/port][rate-limit rate burst-size]
Mode Mac-Access-List Config


An implicit deny all MAC rule always terminates the access list.

The sequence-number specifies the sequence number for the ACL rule. The sequence number is specified by the user or is generated by device.

If a sequence number is not specified for the rule, a sequence number that is 10 greater than the last sequence number in ACL is used and this rule is placed in the end of the list. If this is the first ACL rule in the given ACL, a sequence number of 10 is assigned. If the calculated sequence number exceeds the maximum sequence number value, the ACL rule creation fails. A rule cannot be created that duplicates an already existing one and a rule cannot be configured with a sequence number that is already used for another rule.

For example, if user adds new ACL rule to ACL without specifying a sequence number, it is placed at the bottom of the list. By changing the sequence number, the user can move the ACL rule to a different position in the ACL.

The Ethertype may be specified as either a keyword or a four-digit hexadecimal value from 0x0600-0xFFFF. The currently supported ethertypekey values are: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp. Each of these translates into its equivalent Ethertype value(s).

Click to expand in new window

Ethertype Keyword and 4-digit Hexadecimal Value

Ethertype Keyword Corresponding Value
appletalk 0x809B
arp 0x0806
ibmsna 0x80D5
ipv4 0x0800
ipv6 0x86DD
ipx 0x8037
mplsmcast 0x8848
mplsucast 0x8847
netbios 0x8191
novell 0x8137, 0x8138
pppoe 0x8863, 0x8864
rarp 0x8035

The vlan and cos parameters refer to the VLAN identifier and 802.1p user priority fields, respectively, of the VLAN tag. For packets containing a double VLAN tag, this is the first (or outer) tag.

The time-range parameter allows imposing time limitation on the MAC ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with specified name exists and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. For information about configuring time ranges, see Time Range Commands for Time-Based ACLs.

The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed queue-id value is 0-(n-1), where n is the number of user configurable queues available for the hardware platform. The assign-queue parameter is valid only for a permit rule.



The special command form {deny | permit} any any is used to match all Ethernet layer 2 packets, and is the equivalent of the IP access list “match every” rule.

The permit command‘s optional attribute rate-limit allows you to permit only the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.

The following shows an example of the command.

(Extreme 220) (Config) #mac access-list extended mac1
(Extreme 220) (Config-mac-access-list)#permit 00:00:00:00:aa:bb ff:ff:ff:ff:00:00 any rate-limit 32 16
(Extreme 220) (Config-mac-access-list)#exit