Configure an Ethernet ACE

Configure an Ethernet ACE to filter on Ethernet parameters.

You do not need to configure Ethertype for IPv6 filters. If you try to configure an Ethertype other than 0x86dd or IPv6, the device displays an error.

Before you begin

  • The ACL exists.

  • The ACE exists.

About this task

The eq and mask parameters specify an operator for a field match condition: equal to or mask. The mask operator is an implied eq on the mask bits.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure an ACE for the destination or source MAC address attribute:

    filter acl ace ethernet <1-2048> <1-2000> <dst-mac|src-mac> eq WORD<1–1024>

    OR

    filter acl ace ethernet <1-2048> <1-2000> <dst-mac|src-mac> mask WORD<1–1024> WORD<1–1024>
    Note

    This is supported only for IPv4 filters.

  3. Configure an ACE for an Ethernet type attribute:

    filter acl ace ethernet <1-2048> <1-2000> ether-type eq WORD<1–200>

  4. Configure an ACE for a port attribute:

    filter acl ace ethernet <1-2048> <1-2000> port eq {slot/port[/sub-port]}

  5. Configure an ACE for a VLAN attribute:

    filter acl ace ethernet <1-2048> <1-2000> vlan-id eq <1-4059>

    OR

    filter acl ace ethernet <1-2048> <1-2000> vlan-id mask <1-4059> <0-0xFFF>

  6. Configure an ACE for a VLAN tagged priority attribute:

    filter acl ace ethernet <1-2048> <1-2000> vlan-tag-prio eq <0–7>

    OR

    filter acl ace ethernet <1-2048> <1-2000> vlan-tag-prio mask <0–7> <0–0x7>

  7. Ensure the configuration is correct:

    show filter acl ethernet <1-2048> <1-2000>

  8. Optionally, delete the individual attributes from the Ethernet portion of the ACE:

    no filter acl ace ethernet <1-2048> <1-2000>

  9. Optionally, delete all the attributes from the Ethernet portion of the ACE:

    default filter acl ace ethernet <1-2048> <1-2000>

Variable definitions

The following table defines the variables for the filter acl ace ethernet command.

Variable

Value

<0-7>

Specifies the priority bits (3-bit field) from the 802.1Q/p tag.

<0–0x7>

Specifies the mask value for VLAN tagged priority attribute.

<0-0xFFF>

Specifies the mask value for a VLAN attribute.

For example:

filter acl ace ethernet 10 10 vlan-id eq 10

filter acl ace ethernet 10 10 vlan-id mask 1025 0xF

<1-2048>

Specifies the ACL ID.

<1-2000>

Specifies the ACE ID.

<1-4059>

Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs 1 to 4059 are configurable and the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default VLAN and you cannot create or delete VLAN ID 1.

{slot/port[/sub-port]}

Identifies a single slot and port. If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

WORD<1–200>

Specifies an ether-type name or number:

  • 0x0–0xffff

  • ip, arp, ipx802dot3, ipx802dot2, ipxSnap, ipxEthernet2, appleTalk, decLat, decOther, sna802dot2, snaEthernet2, netBios, xns, vines, ipv6, rarp, or PPPoE

    Note:

    An Ethernet ACE filter configured with ether-type eq ipx802dot3 does not match packets with the format: destination MAC address, source MAC address, length, 0xFFFF, payload, and FCS.

    An Ethernet ACE filter configured with ether-type eq ipx802dot2 does not match packets with the format: destination MAC address, source MAC address, length, 0xE0E0, payload, and FCS.

WORD<1–1024>

If the operator is mask, the WORD<1–1024> parameter is {“”|1..48|mac address mask 0x0..FFFFFFFFFFFF}

If the operator is eq, the WORD<1–1024> parameter is the destination or source MAC address: AA:BB:CC:DD:EE:FF

For example:

filter acl ace ethernet 10 10 dst-mac eq 0x01:00:5:00:00:01

filter acl ace ethernet 10 10 dst-mac mask 0x01:00:5:00:00:01 24

filter acl ace ethernet 10 10 src-mac mask 0x01:00:5:00:00:01 0xFFFFFFFF0000
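
The ranges and operator forms given in the procedure and the variable table can be checked on staged configuration lines before they are pushed to a device. The following Python linter is an added example, not vendor code; the names lint and ipv6_acl, the accepted MAC spelling (modeled on the examples above), and the requirement that numeric ether-types carry a 0x prefix are assumptions of this example.

```python
import re
# Ether-type names accepted for WORD<1-200>, lowercased, from the variable table.
ETHER_NAMES = set(("ip arp ipx802dot3 ipx802dot2 ipxsnap ipxethernet2 appletalk declat "
                   "decother sna802dot2 snaethernet2 netbios xns vines ipv6 rarp pppoe").split())
# Assumption: MAC operands look like the page's examples (optional 0x, six hex groups).
MAC = re.compile(r"(0x)?[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}", re.I)
PORT = re.compile(r"\d+/\d+(/\d+)?")  # slot/port[/sub-port]

def _num(tok, lo, hi):  # decimal or 0x-prefixed hex integer within [lo, hi]
    try:
        return lo <= int(tok, 16 if tok[:2].lower() == "0x" else 10) <= hi
    except ValueError:
        return False

_MAC = (lambda t: bool(MAC.fullmatch(t)),
        lambda m: _num(m, 0, 0xFFFFFFFFFFFF) if m[:2].lower() == "0x" else _num(m, 1, 48))
# attribute -> (value check, mask check or None where the page shows no mask form)
RULES = {
    "dst-mac": _MAC, "src-mac": _MAC,
    "ether-type": (lambda t: t.lower() in ETHER_NAMES
                   or (t[:2].lower() == "0x" and _num(t, 0, 0xFFFF)), None),
    "port": (lambda t: bool(PORT.fullmatch(t)), None),
    "vlan-id": (lambda t: _num(t, 1, 4059), lambda m: _num(m, 0, 0xFFF)),
    "vlan-tag-prio": (lambda t: _num(t, 0, 7), lambda m: _num(m, 0, 0x7)),
}

def lint(line, ipv6_acl=False):
    """Return the problems found in one 'filter acl ace ethernet' attribute line."""
    tok = line.split()
    if tok[:4] != ["filter", "acl", "ace", "ethernet"] or len(tok) < 8:
        return ["not a complete 'filter acl ace ethernet' attribute command"]
    acl, ace, attr, op, *vals = tok[4:]
    errs = [f"{name} ID {v} outside 1-{hi}"
            for name, v, hi in (("ACL", acl, 2048), ("ACE", ace, 2000)) if not _num(v, 1, hi)]
    if attr not in RULES:
        return errs + [f"unknown attribute {attr}"]
    value_ok, mask_ok = RULES[attr]
    if not ((op == "eq" and len(vals) == 1) or (op == "mask" and mask_ok and len(vals) == 2)):
        return errs + [f"{attr}: unsupported form '{op}' with {len(vals)} operand(s)"]
    if not value_ok(vals[0]):
        errs.append(f"{attr} value {vals[0]} not allowed")
    if op == "mask" and not mask_ok(vals[1]):
        errs.append(f"{attr} mask {vals[1]} not allowed")
    if ipv6_acl and attr.endswith("-mac"):
        errs.append("MAC attributes are supported only for IPv4 filters")
    if ipv6_acl and attr == "ether-type" and vals[0].lower() not in ("ipv6", "0x86dd"):
        errs.append("IPv6 filter: ether-type must be 0x86dd or ipv6")
    return errs

print(lint("filter acl ace ethernet 10 10 vlan-id eq 4060"))  # constructed line
```

Pass ipv6_acl=True when the ACL being edited is an IPv6 filter, so that the MAC and Ethertype restrictions stated on this page are applied.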