ex3500 (mac-acl-config-commands)

Creates a MAC ACL deny or permit rule; applicable only to EX3500 switches

Each deny or permit rule consists of a set of match criteria and an associated action: drop the packet for a deny rule, forward it for a permit rule. When applied to layer 2 traffic (between an EX3500 switch and the WiNG managed service platform or a WiNG VM interface), every packet is compared against the configured match criteria; on a match the packet is dropped or forwarded according to the rule type.

EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch uses an embedded HTTP web agent and a CLI which, although different from those of the WiNG operating system, give WiNG controllers access to the switch's PoE and port management resources.

Note

To put an EX3500 MAC ACL rule into effect, apply the MAC ACL directly to an EX3500 device or to an EX3500 profile. For more information, see GUID-165BDC09-66E9-4193-B3D1-805296F465BB.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2]
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|
network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC>
<DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range
<TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]

Parameters

ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|
network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC>
<DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range
<TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]
[deny|permit] Creates a deny or permit MAC ACL rule and configures its parameters

Every EX3500 MAC ACL rule provides a set of match criteria against which packets entering and leaving the EX3500 device are compared. On a match, the packet is dropped for a deny rule and forwarded for a permit rule.

[all|tagged-eth2|untagged-eth2] Specifies the packet type the rule applies to
  • all – Applies this deny/permit rule to all packets
  • tagged-eth2 – Applies this deny/permit rule only to Ethernet II frames carrying an 802.1Q VLAN tag
  • untagged-eth2 – Applies this deny/permit rule only to Ethernet II frames without a VLAN tag

After specifying the packet type, configure the source and destination MAC addresses to match.

[any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] Enter the source MAC address(es) to match
  • any – Matches any source MAC address (every host sending through the EX3500)
  • host <SOURCE-MAC> – Matches a single source host
    • <SOURCE-MAC> – Specify the source host's exact MAC address
  • network <SOURCE-MAC> <SOURCE-MAC-MASK> – Matches a range of source MAC addresses defined by an address and a bit mask. Packets received from any address in the range are dropped by a deny rule and forwarded by a permit rule.
    • <SOURCE-MAC> – Specify the source MAC address to match
    • <SOURCE-MAC-MASK> – Specify the source MAC bit mask

For a deny rule, packets whose source MAC matches the specified address(es) are dropped.

For a permit rule, packets whose source MAC matches the specified address(es) are forwarded.

[any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] Enter the destination MAC address(es) to match
  • any – Matches any destination MAC address
  • host <DEST-MAC> – Matches a single destination host
    • <DEST-MAC> – Specify the destination host's exact MAC address
  • network <DEST-MAC> <DEST-MAC-MASK> – Matches a range of destination MAC addresses defined by an address and a bit mask. Packets addressed to any address in the range are dropped by a deny rule and forwarded by a permit rule.
    • <DEST-MAC> – Specify the destination MAC address to match
    • <DEST-MAC-MASK> – Specify the destination MAC bit mask

For a deny rule, packets whose destination MAC matches the specified address(es) are dropped.

For a permit rule, packets whose destination MAC matches the specified address(es) are forwarded.

ethertype <0-65535> Configures the Ethertype value to match. The Ethertype is a two-octet field in an Ethernet frame that identifies the protocol encapsulated in the payload (for example 0x0800, decimal 2048, for IPv4 and 0x0806, decimal 2054, for ARP).
  • <0-65535> – Specify a value from 0 - 65535. The default value is 1.
ethertype-mask <0-65535> Configures the bit mask applied to the Ethertype comparison
  • <0-65535> – Specify a value from 0 - 65535. The default value is 1.
ex3500-time-range <TIME-RANGE-NAME> Applies an existing, already configured EX3500 time range. The deny or permit rule is enforced only during the time period(s) the time range specifies.
  • <TIME-RANGE-NAME> – Specify the time range name.

An EX3500 time range consists of a set of periodic and absolute time range rules. Periodic time ranges recur at specified intervals, such as daily, weekly, on weekends, on weekdays, or on a specific day of the week (for example every Monday). Absolute time ranges do not recur: they cover a single span between a fixed start day and time and a fixed end day and time.

Note: For information on configuring EX3500 time-range, see ex3500.
vlan <1-4094> Configures the VLAN ID to match against the 802.1Q tag of the frame
  • <1-4094> – Specify the VLAN ID from 1 - 4094.
vlan-mask <1-4095> Configures the bit mask applied to the VLAN ID comparison
  • <1-4095> – Specify the VLAN bit mask from 1 - 4095.
rule-precedence <1-128> Configures the precedence of this rule within the EX3500 MAC ACL
  • <1-128> – Specify a value from 1 - 128. Rules with a lower precedence value are applied to packets first, so precedence decides which rule wins when several rules match the same packet.
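The following Python model is added here to show how the match criteria above combine: packet type, any/host/network MAC operands with a bit mask, an Ethertype with its mask, a VLAN ID with its mask, and rule-precedence ordering. It is an illustration written for this page, not WiNG or EX3500 code, and the addresses in it are made up. Three points are assumptions rather than statements from this page: a 1 bit in a mask means "compare this bit" and a 0 bit means "ignore it"; rules are tried in ascending rule-precedence order and the first match decides; and a frame matching no rule returns None, since the switch's own default action is not described here. Confirm the mask convention on a real device before relying on a network rule.

```python
"""Model of EX3500 MAC ACL rule evaluation (constructed example, not WiNG/EX3500 code).

Assumptions not stated on the page:
  * in a MAC, ethertype or VLAN mask a 1 bit means "compare this bit" and a
    0 bit means "ignore it";
  * rules are tried in ascending rule-precedence order and the first match wins;
  * a frame matching no rule returns None; the switch's default action is not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    src: str                     # MAC in XX-XX-XX-XX-XX-XX or XX:XX:XX:XX:XX:XX form
    dst: str
    ethertype: int               # two-octet Ethertype, e.g. 0x0800 for IPv4
    vlan: Optional[int] = None   # None means an untagged frame


@dataclass(frozen=True)
class MacRule:
    action: str                          # "deny" | "permit"
    packet_type: str = "all"             # "all" | "tagged-eth2" | "untagged-eth2"
    src: str = "any"                     # "any" | "host <MAC>" | "network <MAC> <MASK>"
    dst: str = "any"
    ethertype: Optional[int] = None      # None: no Ethertype criterion
    ethertype_mask: int = 0xFFFF
    vlan: Optional[int] = None           # None: no VLAN criterion
    vlan_mask: int = 4095
    rule_precedence: int = 128


def mac_to_int(mac: str) -> int:
    """Parse a dash- or colon-separated MAC into a 48-bit integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def mac_operand_matches(spec: str, mac: str) -> bool:
    """Evaluate an any / host <MAC> / network <MAC> <MASK> operand against a MAC."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] == "host":
        return mac_to_int(parts[1]) == mac_to_int(mac)
    if parts[0] == "network":
        base, mask = mac_to_int(parts[1]), mac_to_int(parts[2])
        return (mac_to_int(mac) & mask) == (base & mask)   # assumed: 1 bit = compare
    raise ValueError(f"bad MAC operand: {spec!r}")


def rule_matches(rule: MacRule, frame: Frame) -> bool:
    """True when every configured criterion of the rule matches the frame."""
    tagged = frame.vlan is not None
    if rule.packet_type == "tagged-eth2" and not tagged:
        return False
    if rule.packet_type == "untagged-eth2" and tagged:
        return False
    if not (mac_operand_matches(rule.src, frame.src) and mac_operand_matches(rule.dst, frame.dst)):
        return False
    if rule.ethertype is not None:
        if (frame.ethertype & rule.ethertype_mask) != (rule.ethertype & rule.ethertype_mask):
            return False
    if rule.vlan is not None:
        # Only a tagged frame carries a VLAN ID to compare against.
        if not tagged or (frame.vlan & rule.vlan_mask) != (rule.vlan & rule.vlan_mask):
            return False
    return True


def evaluate(acl: List[MacRule], frame: Frame) -> Optional[str]:
    """Apply rules lowest rule-precedence first; return the first matching action."""
    for rule in sorted(acl, key=lambda r: r.rule_precedence):
        if rule_matches(rule, frame):
            return rule.action
    return None


# Constructed ACL with made-up addresses: drop all tagged VLAN 20 traffic first,
# then allow one management host, then drop everything else from its OUI block.
LAB_ACL = [
    MacRule("deny", "tagged-eth2", vlan=20, rule_precedence=1),
    MacRule("permit", "all", src="host 00-11-22-AA-BB-CC", rule_precedence=5),
    MacRule("deny", "all", src="network 00-11-22-00-00-00 FF-FF-FF-00-00-00", rule_precedence=10),
]

if __name__ == "__main__":
    samples = [
        Frame("00-11-22-AA-BB-CC", "FF-FF-FF-FF-FF-FF", 0x0806),           # permit (host rule)
        Frame("00-11-22-AA-BB-CC", "FF-FF-FF-FF-FF-FF", 0x0806, vlan=20),  # deny (VLAN 20 rule wins by precedence)
        Frame("00-11-22-01-02-03", "00-50-56-00-00-01", 0x0800),           # deny (OUI block)
        Frame("AA-BB-CC-DD-EE-FF", "00-50-56-00-00-01", 0x0800, vlan=30),  # None (no rule matched)
    ]
    for f in samples:
        print(f.src, f.vlan, "->", evaluate(LAB_ACL, f))
```

The second sample frame is the point to note: the management host is explicitly permitted, but on VLAN 20 it is still dropped, because the VLAN 20 deny rule has the lower precedence value and is evaluated first. When a permit for a specific host must survive a broader deny, give the permit the lower precedence number.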

Examples

nx9500-6C8809(config-mac-acl-ex3500MacACL)#ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#show context
mac access-list ex3500MacACL
 ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#

Related Commands

no (mac-acl) Removes this EX3500 deny/permit rule from the MAC ACL