deny (mac-acl)

Creates a deny rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for rejection. You can also use this command to modify an existing deny rule.

Note

Use a decimal value to specify an EtherType in a permit/deny rule. The MAC ACL command set lists the hexadecimal value of each EtherType keyword; for any other EtherType, enter the decimal equivalent of its hexadecimal value (for example, 0x8100 is 33024).

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] 
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|
aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}

Parameters

deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] 
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|
aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}

<SOURCE-MAC> <SOURCE-MAC-MASK>

Configures the source MAC address and mask to match.

  • <SOURCE-MAC> – Specify the source MAC address to match.

  • <SOURCE-MAC-MASK> – Specify the source MAC address mask. The mask selects which bits of <SOURCE-MAC> must match; for example, a mask of ff-ff-ff-00-00-00 matches every address sharing the first three octets (the OUI) of <SOURCE-MAC>.

Packets received from the matching MAC addresses are dropped.

any

Identifies all devices as the source to deny access. Packets received from any source are dropped.

host <SOURCE-HOST-MAC>

Identifies a specific host as the source to deny access.

  • <SOURCE-HOST-MAC> – Specify the source host's exact MAC address to match. Packets received from the specified host are dropped.

<DEST-MAC> <DEST-MAC-MASK>

Configures the destination MAC address and mask to match.

  • <DEST-MAC> – Specify the destination MAC address to match.

  • <DEST-MAC-MASK> – Specify the destination MAC address mask to match. The mask selects which bits of <DEST-MAC> must match, as for the source mask.

Packets addressed to the matching MAC addresses are dropped.

any

Identifies all devices as the destination to deny access. Packets addressed to any destination are dropped.

host <DEST-HOST-MAC>

Identifies a specific host as the destination to deny access.

  • <DEST-HOST-MAC> – Specify the destination host's exact MAC address to match. Packets addressed to the specified host are dropped.

dot1p <0-7>

Configures the 802.1p priority value to match. The value identifies the service class used for traffic handling.

  • <0-7> – Specify an 802.1p priority from 0 - 7.

type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]

Configures the EtherType value to match.

An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:

  • 8021q – Indicates an 802.1Q payload (0x8100)

  • <1-65535> – Indicates the EtherType protocol number, entered in decimal (for example, 2048 for 0x0800)

  • aarp – Indicates the Appletalk ARP payload (0x80F3)

  • appletalk – Indicates the Appletalk Protocol payload (0x809B)

  • arp – Indicates the ARP payload (0x0806)

  • ip – Indicates the Internet Protocol, Version 4 (IPv4) payload (0x0800)

  • ipv6 – Indicates the Internet Protocol, Version 6 (IPv6) payload (0x86DD)

  • ipx – Indicates the Novell IPX payload (0x8137)

  • mint – Indicates the MiNT protocol payload (0x8783)

  • rarp – Indicates the reverse ARP payload (0x8035)

  • wisp – Indicates the WISP (Wireless Internet Service Provider) payload (0x8783)

vlan <1-4095>

Configures the VLAN on which the traffic is received.

  • <1-4095> – Specify the VLAN ID from 1 - 4095.

log

Logs every deny event matching this entry. Each time a packet matches the rule (it is received from a specified source MAC address and/or is destined for a specified destination MAC address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are common to all of the parameters above:

  • rule-precedence – Assigns a precedence to this deny rule. Rules are evaluated in precedence order, so this value determines where the rule sits relative to the other rules in the ACL.

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 takes priority over a rule with precedence 10.

  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines

The deny command disallows traffic based on layer 2 (data-link layer) information. A MAC access list can deny traffic from a particular source MAC address or from any MAC address, and, using a source mask, from a whole range of MAC addresses (for example, every address in one OUI).

A MAC access list can also disallow traffic based on the VLAN and on the EtherType, for example:

  • ARP

  • WISP

  • IP

  • 802.1q

Note

MAC ACLs always take precedence over IP-based ACLs.

Every access list ends with an implicit deny. When an interface receives a packet, its content is checked against the ACEs in the ACL in precedence order; the packet is allowed or denied by the first matching ACE, and a packet that matches no ACE is dropped.

Examples

rfs4000-229D58(config-mac-acl-test)#deny 41-85-45-89-66-77 ff-ff-ff-00-00-00 any
 vlan 1 rule-precedence 1
rfs4000-229D58(config-mac-acl-test)#deny host 00-01-ae-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#

The MAC ACL (in the example below) denies traffic from any source MAC address to a particular host MAC address:

nx9500-6C8809(config-mac-acl-test)#deny any host 00:01:ae:00:22:11 vlan 1 log rule-precedence 1

The following example denies traffic between two hosts based on MAC addresses:

nx9500-6C8809(config-mac-acl-test)#deny host 01:02:fe:45:76:89 host 01:02:89:78:78:45 vlan 1 log rule-precedence 1
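Because the first matching ACE decides and everything else hits the implicit deny, it is worth checking what a rule set does before committing it. The following Python evaluator is an added example, not Extreme Networks code: it parses rules in the syntax shown above and runs constructed frames through them. It assumes that a mask octet of ff means the corresponding bits must match (consistent with the OUI example ff-ff-ff-00-00-00), that rules are evaluated in ascending rule-precedence order with the first match winning, that unmatched frames hit the implicit deny, and that the companion permit command takes the same arguments as deny. The EtherType keyword values are those listed on this page.

```python
"""Offline evaluator for WiNG-style MAC ACL rules (added example, not vendor code).

Assumptions not stated on the page: mask bits set to 1 must match, 0 is don't-care;
rules are tried in ascending rule-precedence order, first match wins; no match means
the implicit deny; 'permit' uses the same grammar as 'deny'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherType keywords and hex values exactly as listed on the page (mint and wisp both 0x8783 there).
ETHERTYPES = {
    "8021q": 0x8100, "aarp": 0x80F3, "appletalk": 0x809B, "arp": 0x0806, "ip": 0x0800,
    "ipv6": 0x86DD, "ipx": 0x8137, "mint": 0x8783, "rarp": 0x8035, "wisp": 0x8783,
}
FULL_MASK = 0xFFFFFFFFFFFF  # 'host' form: all 48 bits must match


def parse_mac(text: str) -> int:
    """Accept aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff, case-insensitive."""
    octets = text.replace(":", "-").split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC {text!r}")
    return int("".join(octets), 16)


def parse_ethertype(token: str) -> int:
    """A keyword from the page, or a decimal number 1-65535 as the page's note requires."""
    if token in ETHERTYPES:
        return ETHERTYPES[token]
    value = int(token, 10)
    if not 1 <= value <= 65535:
        raise ValueError(f"EtherType out of range: {token}")
    return value


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: Tuple[int, int]        # (value, mask); 'any' is (0, 0)
    dst: Tuple[int, int]
    precedence: int
    ethertype: Optional[int] = None
    vlan: Optional[int] = None
    dot1p: Optional[int] = None
    log: bool = False
    description: str = ""


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host MAC' | 'MAC MASK'; return ((value, mask), next index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (parse_mac(tokens[i + 1]), FULL_MASK), i + 2
    return (parse_mac(tokens[i]), parse_mac(tokens[i + 1])), i + 2


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _parse_endpoint(tokens, 1)
    dst, i = _parse_endpoint(tokens, i)
    kw = {}
    while i < len(tokens):
        key = tokens[i]
        if key == "log":
            kw["log"] = True
            i += 1
        elif key == "rule-description":          # rest of the line is free text
            kw["description"] = " ".join(tokens[i + 1:])
            break
        elif key == "type":
            kw["ethertype"] = parse_ethertype(tokens[i + 1])
            i += 2
        elif key in ("vlan", "dot1p", "rule-precedence"):
            kw[key.replace("rule-", "")] = int(tokens[i + 1])
            i += 2
        else:
            raise ValueError(f"unknown keyword {key!r}")
    if "precedence" not in kw:
        raise ValueError("rule-precedence is mandatory")
    return Rule(action, src, dst, **kw)


def load_acl(lines: List[str]) -> List[Rule]:
    return [parse_rule(l) for l in lines]


@dataclass
class Frame:
    src: int
    dst: int
    ethertype: int
    vlan: int
    dot1p: int = 0


def matches(rule: Rule, f: Frame) -> bool:
    (sv, sm), (dv, dm) = rule.src, rule.dst
    if (f.src & sm) != (sv & sm) or (f.dst & dm) != (dv & dm):
        return False
    if rule.ethertype is not None and f.ethertype != rule.ethertype:
        return False
    if rule.vlan is not None and f.vlan != rule.vlan:
        return False
    return rule.dot1p is None or f.dot1p == rule.dot1p


def evaluate(rules: List[Rule], frame: Frame) -> Tuple[str, Optional[Rule], bool]:
    """Return (action, matched rule or None, logged). No match -> implicit deny."""
    for rule in sorted(rules, key=lambda r: r.precedence):   # lowest precedence value first
        if matches(rule, frame):
            return rule.action, rule, rule.log
    return "deny", None, False


# Constructed ACL: the two deny lines from the page's first example, a permit at
# precedence 10, and an ARP deny at precedence 3 listed after it to show ordering.
SAMPLE_ACL = [
    "deny 41-85-45-89-66-77 ff-ff-ff-00-00-00 any vlan 1 rule-precedence 1",
    "deny host 00-01-ae-00-22-11 any rule-precedence 2",
    "permit any any vlan 1 rule-precedence 10",
    "deny any any type arp log rule-precedence 3 rule-description block ARP on all VLANs",
]

if __name__ == "__main__":
    rules = load_acl(SAMPLE_ACL)
    bcast = parse_mac("ff:ff:ff:ff:ff:ff")
    for f in (Frame(parse_mac("41:85:45:00:00:01"), bcast, 2048, 1),
              Frame(parse_mac("aa:bb:cc:00:00:01"), bcast, parse_ethertype("arp"), 1),
              Frame(parse_mac("aa:bb:cc:00:00:01"), bcast, 2048, 2)):
        action, rule, logged = evaluate(rules, f)
        print(action, "precedence", rule.precedence if rule else "implicit", "log" if logged else "")
```

Run it as a script to see the three verdicts: the OUI-masked deny catches a host whose first three octets match even though the last three differ, the ARP deny at precedence 3 beats the permit at precedence 10 despite being listed after it, and a frame on VLAN 2 matches nothing and falls to the implicit deny.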

Related Commands

no (mac-acl)

Removes a specified MAC deny access rule