Creates a MAC ACL deny and/or permit rule, applicable only to the EX3500 switch.
Each deny or permit rule consists of a set of match criteria and an associated action: deny access for a deny rule, allow access for a permit rule. When applied to layer 2 traffic (between an EX35XX switch and the managed service platform or a VM interface), every packet is matched against the configured match criteria. On a match, the packet is dropped or forwarded depending on the rule type.
EX35XX devices ( and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX35XX switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX35XX switch utilizes an embedded HTTP Web agent and CLI which, in spite of being different from that of the operating system, provides controllers PoE and port management resources.
Note
To implement the EX3500 MAC ACL rule, apply the MAC ACL directly to an EX35XX device, or to an EX35XX profile. For more information, see access-group.
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2]
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range <TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]
[deny|permit] | Creates a deny or permit MAC ACL rule and configures the rule parameters. Every EX3500 MAC ACL rule provides a set of match criteria against which incoming and outgoing packets (to and from an EX35XX device) are matched. In case of a match, the packet is dropped or forwarded depending on the rule type. The packet is dropped in case of a deny rule, and forwarded for a permit rule. |
[all|tagged-eth2|untagged-eth2] | Specifies the packet type. After specifying the packet type, configure the source and/or EX3500 MAC addresses to match. |
[any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] | Enter the Source MAC addresses. For a deny rule, packets received from EX3500 device(s) matching the specified MAC address(es) are dropped. For a permit rule, packets received from EX3500 device(s) matching the specified MAC address(es) are forwarded. |
[any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] | Enter the Destination MAC addresses. For a deny rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are dropped. For a permit rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are forwarded. |
ethertype <0-65535> | Configures the Ethertype protocol number. The Ethertype is a two-octet field within an Ethernet frame. It indicates the protocol encapsulated in the payload of an Ethernet frame. |
ethertype-mask <0-65535> | Configures the Ethertype mask |
ex3500-time-range <TIME-RANGE-NAME> | Applies a specified EX3500 time range (which should already exist and be configured). The deny or permit rule is applied during the time period specified in the EX3500 time range. An EX3500 time range list consists of a set of periodic and absolute time range rules. Periodic time ranges recur at specified time periods, such as daily, weekly, weekends, weekdays, and on specific week days, for example on every successive Monday. Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period (the starting and ending days and time are fixed). |
vlan <1-4094> | Configures a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server) |
vlan-mask <1-4095> | Configures the VLAN ID bit mask value |
rule-precedence <1-128> | Configures a precedence for this EX3500 MAC ACL |
nx9500-6C8809(config-mac-acl-ex3500MacACL)#ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#show context
mac access-list ex3500MacACL
 ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#
no (mac-acl) | Removes this EX3500 deny/permit rule from the MAC ACL |
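
An added example, not part of the original reference or the vendor's code: a Python checker that parses one ex3500 rule line and validates its keywords and value ranges against the syntax above, so rules can be linted before they are pushed to a device. The MAC address format (six hex octets joined by '-' or ':') and all function names are assumptions.

```python
import re

# Value ranges copied from the syntax line on this page.
RANGES = {"ethertype": (0, 65535), "ethertype-mask": (0, 65535),
          "rule-precedence": (1, 128), "vlan": (1, 4094), "vlan-mask": (1, 4095)}
PACKET_TYPES = {"all", "tagged-eth2", "untagged-eth2"}
# Assumption (format not stated on this page): six hex octets joined by '-' or ':'.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}")

def _take_mac_spec(tokens, side):
    """Consume 'any', 'host MAC' or 'network MAC MASK' from the front of tokens."""
    kind = tokens.pop(0) if tokens else None
    if kind == "any":
        return {"kind": "any"}
    need = {"host": 1, "network": 2}.get(kind)
    if need is None or len(tokens) < need:
        raise ValueError(f"{side}: expected any | host MAC | network MAC MASK")
    values = [tokens.pop(0) for _ in range(need)]
    for value in values:
        if not MAC_RE.fullmatch(value):
            raise ValueError(f"{side}: malformed MAC or mask {value!r}")
    return {"kind": kind, "mac": values[0], "mask": values[1] if need == 2 else None}

def parse_ex3500_rule(line):
    """Parse one 'ex3500 ...' rule line; raise ValueError on a syntax or range error."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "ex3500":
        raise ValueError("not an ex3500 rule line")
    if tokens[1] not in ("deny", "permit"):
        raise ValueError(f"unknown action {tokens[1]!r}")
    if tokens[2] not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {tokens[2]!r}")
    rest = tokens[3:]
    rule = {"action": tokens[1], "packet_type": tokens[2],
            "source": _take_mac_spec(rest, "source"),
            "destination": _take_mac_spec(rest, "destination"), "options": {}}
    while rest:
        key = rest.pop(0)
        if (key not in RANGES and key != "ex3500-time-range") or key in rule["options"]:
            raise ValueError(f"unknown or repeated option {key!r}")
        if not rest:
            raise ValueError(f"option {key!r} has no value")
        value = rest.pop(0)
        if key in RANGES:
            low, high = RANGES[key]
            if not value.isdigit() or not low <= int(value) <= high:
                raise ValueError(f"{key} {value!r} outside {low}-{high}")
            value = int(value)
        rule["options"][key] = value
    return rule
```

Feeding it the rule line from the show context output above returns the parsed action, packet type and options. A line such as one with rule-precedence 129 or vlan 4095 is rejected with a ValueError naming the offending field.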