permit

Use this command to create a permit layer 2 access list rule entry.

Syntax

permit {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]
no permit {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]

Parameters

any Specifies that any source MAC address and optionally any destination MAC address is applied to this permit rule entry.
host source-macAddr Specifies a host source MAC address in the formats x:x:x:x:x:x or H.H.H to apply to this permit rule entry.
source-macAddr source-wildcard Specifies a source MAC address and mask to apply to this permit rule entry, in the formats x:x:x:x:x:x or H.H.H.
host destination-macAddr (Optional) Sepcifies a host destination MAC address in the formats x:x:x:x:x:x or H.H.H to apply to this permit rule entry.
destination-macAddr destination-wildcard (Optional) Specifies a destination MAC address and mask to apply to this permit rule entry, in the formats x:x:x:x:x:x or H.H.H.
dei (Optional) Specifies that the drop eligibility indicator in the VLAN tag is applied to this permit rule entry.
cos cos (Optional) Specifies that the indicated class of service value is applied to this permit rule entry.
vlan vlan (Optional) Specifies that the indicated VLAN identifier in the VLAN tag is applied to this permit rule entry or specifies the low end of a range of VLANs to apply to this permit rule entry.
vidhi (Optional) Specifies the high end of a range of VLAN identifiers in the VLAN tag to apply to this permit rule entry
ethertype data (Optional) Specifies that the indicated Ethernet II type (0x0 - 0xFFFF) to apply to this permit rule entry.
log | log-verbose (Optional) Enables syslog or verbose syslog messaging for an ACL rule hit.

Defaults

  • If any destination, a specific destination or host destination MAC address is not specified, no destination address is applied to this permit rule entry.
  • If the drop eligibility indicator keyword is not specified, the VLAN tag DEI flag is not applied to this permit rule entry.
  • If a CoS is not specified, CoS is not applied to this permit rule entry.
  • If a single or range of VLANs is not specified, the VLAN identifier is not applied to this permit rule entry.
  • If an Ethernet II type is is not specified, the Ethernet II type is not applied to this permit rule entry.
  • If a logging option is not specified, ACL rule logging is not enabled for this permit rule entry.

Mode

Configuration command, L2 ACL configuration mode.

Usage

Access list logging is throttled to 1 log message per second. If there are multiple access list rules with logging enabled (log or log-verbose), and more then one frame is transmitted per second that can hit those rules, only the first frame will generate a message. Logging is sampling and does not report every time that a rule with logging enabled is hit.

Source and destination wildcard provides an inverted mask (specifies the don‘t care bits as 1s). 00:00:00:00:00:00 specifies an exact match.

The any option is short hand for 00:00:00:00:00:00 FF:FF:FF:FF:FF:FF.

The “no” version of this command removes the last (if duplicate entries exist) or the specified (if no duplicate entries exist) permit entry.

Examples

This example enters configuration mode for the list1 L2 ACL and configures a permit entry for packets containing (verbose logging is enabled for this entry):

  • Any source address
  • A destination host with a MAC address of 00:11:88:fd:8e:f0
  • VLANs 11 through 13
  • An Ethernet II type 800
    System(rw-config)->l2 access-list list1
    System(rw-cfg-l2-acl)->permit any host 00:11:88:fd:8e:f0 vlan 11 13 ethertype 800 log-verbose
    System(rw-cfg-l2-acl)->

This example enters configuration mode for the list2 L2 ACL and configures a permit entry for packets containing:

  • A source MAC address of 02:02:03:04:05:06 with a mask that ignores the first four hex characters in the address
  • A destination host with a MAC address of 00:11:88:fd:8e:f0
  • Class of Service 5
  • VLANs 11 through 13
  • An Ethernet II type 86dd
    System(rw-config)->l2 access-list list2
    System(rw-cfg-l2-acl)->permit 02:02:03:04:05:06 ff:ff:00:00:00:00 host 00:11:88:fd:8e:f0 cos 5 vlan 11 13 ethertype 86dd
    System(rw-cfg-l2-acl)->