Use this command to create a permit layer 2 access list rule entry.
Parameter | Description |
--- | --- |
any | Specifies that any source MAC address and, optionally, any destination MAC address is applied to this permit rule entry. |
host source-macAddr | Specifies a host source MAC address, in the format x:x:x:x:x:x or H.H.H, to apply to this permit rule entry. |
source-macAddr source-wildcard | Specifies a source MAC address and wildcard mask, in the format x:x:x:x:x:x or H.H.H, to apply to this permit rule entry. |
host destination-macAddr | (Optional) Specifies a host destination MAC address, in the format x:x:x:x:x:x or H.H.H, to apply to this permit rule entry. |
destination-macAddr destination-wildcard | (Optional) Specifies a destination MAC address and wildcard mask, in the format x:x:x:x:x:x or H.H.H, to apply to this permit rule entry. |
dei | (Optional) Specifies that the drop eligibility indicator (DEI) in the VLAN tag is applied to this permit rule entry. |
cos cos | (Optional) Specifies that the indicated class of service (CoS) value is applied to this permit rule entry. |
vlan vlan | (Optional) Specifies the VLAN identifier in the VLAN tag to apply to this permit rule entry, or the low end of a range of VLAN identifiers to apply to this permit rule entry. |
vidhi | (Optional) Specifies the high end of a range of VLAN identifiers in the VLAN tag to apply to this permit rule entry. |
ethertype data | (Optional) Specifies the Ethernet II type (0x0 - 0xFFFF) to apply to this permit rule entry. The examples below enter the value as hexadecimal without the 0x prefix (800 for IPv4, 86dd for IPv6). |
log / log-verbose | (Optional) Enables syslog or verbose syslog messaging for an ACL rule hit. |
Configuration command, L2 ACL configuration mode.
Access list logging is throttled to one log message per second. If multiple access list rules have logging enabled (log or log-verbose) and more than one frame per second hits those rules, only the first frame generates a message. Logging is sampled and does not report every hit on a rule with logging enabled, so it must not be relied on to count matching frames.
The source and destination wildcards are inverted masks: a 1 bit marks a "don't care" bit position, and a 0 bit marks a position that must match the given address. A wildcard of 00:00:00:00:00:00 specifies an exact match.
The any option is shorthand for 00:00:00:00:00:00 FF:FF:FF:FF:FF:FF (every bit is "don't care").
The "no" version of this command removes the last permit entry (if duplicate entries exist) or the specified permit entry (if no duplicate entries exist).
This example enters configuration mode for the list1 L2 ACL and configures a permit entry for frames with any source MAC address, destination MAC address 00:11:88:fd:8e:f0, a VLAN identifier in the range 11 through 13, and ethertype 0x800 (IPv4). Verbose logging is enabled for this entry:
System(rw-config)->l2 access-list list1
System(rw-cfg-l2-acl)->permit any host 00:11:88:fd:8e:f0 vlan 11 13 ethertype 800 log-verbose
System(rw-cfg-l2-acl)->
This example enters configuration mode for the list2 L2 ACL and configures a permit entry for frames with a source MAC address whose last four octets are 03:04:05:06 (the wildcard ff:ff:00:00:00:00 makes the first two octets "don't care"), destination MAC address 00:11:88:fd:8e:f0, CoS value 5, a VLAN identifier in the range 11 through 13, and ethertype 0x86dd (IPv6):
System(rw-config)->l2 access-list list2
System(rw-cfg-l2-acl)->permit 02:02:03:04:05:06 ff:ff:00:00:00:00 host 00:11:88:fd:8e:f0 cos 5 vlan 11 13 ethertype 86dd
System(rw-cfg-l2-acl)->
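The following is an added example, not code from this page or from the switch vendor: a small Python model of how a permit entry matches a frame under the inverted wildcard semantics described above, and of the one-message-per-second logging throttle. The Frame and PermitRule names, the matches/permitted helpers and the LogThrottle class are assumptions made for illustration; the two rules mirror the list1 and list2 entries shown above. It also shows the trap in the list2 wildcard: ff:ff:00:00:00:00 ignores the first two octets, so it does not match on the OUI as a reader might expect.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MacPattern = Tuple[bytes, bytes]  # (address, inverted wildcard mask)


def mac_bytes(mac: str) -> bytes:
    """Parse either x:x:x:x:x:x or H.H.H (three 16-bit hex groups) into 6 bytes."""
    if "." in mac:
        hexstr = "".join(group.zfill(4) for group in mac.split("."))
    else:
        hexstr = "".join(octet.zfill(2) for octet in mac.split(":"))
    raw = bytes.fromhex(hexstr)
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


# 'any' is shorthand for 00:00:00:00:00:00 FF:FF:FF:FF:FF:FF (every bit is don't-care).
ANY: MacPattern = (bytes(6), bytes([0xFF] * 6))


def host(mac: str) -> MacPattern:
    """'host X' is X with an all-zero wildcard, i.e. an exact match."""
    return mac_bytes(mac), bytes(6)


def wildcard(mac: str, wc: str) -> MacPattern:
    """'X WC' form: WC is an inverted mask, 1 bits are ignored when comparing."""
    return mac_bytes(mac), mac_bytes(wc)


def mac_matches(value: bytes, pattern: MacPattern) -> bool:
    want, wc = pattern
    # Only bit positions where the wildcard bit is 0 have to agree.
    return all(((v ^ w) & (~m & 0xFF)) == 0 for v, w, m in zip(value, want, wc))


@dataclass
class Frame:  # hypothetical frame summary used for illustration
    src: str
    dst: str
    vlan: Optional[int] = None
    cos: Optional[int] = None
    ethertype: Optional[int] = None


@dataclass
class PermitRule:  # hypothetical model of one permit entry
    src: MacPattern
    dst: MacPattern = ANY                   # destination is optional; omitted means any
    vlan: Optional[Tuple[int, int]] = None  # inclusive range; 'vlan N' alone is (N, N)
    cos: Optional[int] = None
    ethertype: Optional[int] = None
    log: bool = False

    def matches(self, f: Frame) -> bool:
        if not mac_matches(mac_bytes(f.src), self.src):
            return False
        if not mac_matches(mac_bytes(f.dst), self.dst):
            return False
        if self.vlan is not None:
            if f.vlan is None or not (self.vlan[0] <= f.vlan <= self.vlan[1]):
                return False
        if self.cos is not None and f.cos != self.cos:
            return False
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False
        return True


class LogThrottle:
    """Models the note above: at most one ACL log message per second, shared by all logging rules."""

    def __init__(self) -> None:
        self.last: Optional[float] = None

    def hit(self, now: float) -> bool:
        """Return True if a message would be emitted for a rule hit at time `now` (seconds)."""
        if self.last is None or now - self.last >= 1.0:
            self.last = now
            return True
        return False


# The two permit entries from the examples on this page.
LIST1 = PermitRule(src=ANY, dst=host("00:11:88:fd:8e:f0"),
                   vlan=(11, 13), ethertype=0x0800, log=True)
LIST2 = PermitRule(src=wildcard("02:02:03:04:05:06", "ff:ff:00:00:00:00"),
                   dst=host("00:11:88:fd:8e:f0"), cos=5, vlan=(11, 13), ethertype=0x86DD)


def permitted(rule: PermitRule, frame: Frame, throttle: LogThrottle, now: float) -> Tuple[bool, bool]:
    """Return (matched, logged) for one frame against one rule at time `now`."""
    hit = rule.matches(frame)
    logged = hit and rule.log and throttle.hit(now)
    return hit, logged
```

Because the wildcard is inverted, a rule meant to match a vendor OUI needs 00:00:00:ff:ff:ff, not ff:ff:ff:00:00:00; run the model against a few frames before committing a mask to the switch.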