mac access-group

This command either attaches a specific MAC ACL (Access Control List) identified by name to an interface or range of interfaces, or associates it with a VLAN ID, in a given direction. The name parameter must be the name of an existing MAC ACL.

An optional sequence number may be specified to indicate the order of this mac access list relative to other mac access lists already assigned to this interface and direction. A lower number indicates higher precedence order. If a sequence number is already in use for this interface and direction, the specified mac access list replaces the currently attached mac access list using that sequence number. If the sequence number is not specified for this command, a sequence number that is one greater than the highest sequence number currently in use for this interface and direction is used.

This command specified in 'Interface Config' mode only affects a single interface, whereas the 'Global Config' mode setting is applied to all interfaces. The VLAN keyword is only valid in the 'Global Config' mode. The 'Interface Config' mode command is only available on platforms that support independent per-port class of service queue configuration.

An optional control-plane is specified to apply the MAC ACL on CPU port. The control packets like BPDU are also dropped because of the implicit deny all rule added to the end of the list. To overcome this, permit rules must be added to allow the control packets.



The keyword control-plane is only available in Global Config mode.


You should be aware that the out option may or may not be available, depending on the platform.
Format mac access-group name {{control-plane|in|out} vlan vlan-id {in|out}} [sequence 1–4294967295]
  • Global Config
  • Interface Config
Parameter Description
name The name of the Access Control List.
sequence A optional sequence number that indicates the order of this IP access list relative to the other IP access lists already assigned to this interface and direction. The range is 1 to 4294967295.
vlan-id A VLAN ID associated with a specific IP ACL in a given direction.

The following shows an example of the command.

(Extreme 220) (Config)#mac access-group mac1 control-plane