seq (mac access-list rules)

Inserts filtering rules in Layer 2 (MAC) access control lists to permit or deny traffic based on matching Layer 2 protocol fields.
Syntax

seq id [ permit | deny ] { vxlan | gre | nvgre | gtpu | ipip } { src-mac | src-mask | dst-mac | dst-mask } { vlan | etype | pcp | count | log }
Parameters

- seq id: Specifies the sequence ID for the rule. Valid values range from 1 through 65535. If no value is specified, the next unassigned value, starting from 10 and incrementing by 10, is assigned.
- permit | deny: Specifies the forwarding action for matching traffic.
- vxlan | gre | nvgre | gtpu | ipip: Specifies the optional parameters provided to support different tunnel types. For the vxlan or gtpu tunnel types, a VNI or TEID can be configured. The tunnel-id parameter can be supplied only for the vxlan, gtpu and gtpc protocols, and there is no CLI token for this parameter.
  - Valid range for vxlan: 1-16777215
  - Valid range for gtpu: 1-4294967295
  - Valid range for gtpc: 1-4294967295 (the TEID is a 32-bit field in GTP-C as in GTP-U)
- src-mac: Specifies the source MAC address. There is no explicit keyword. MAC addresses are written as six colon-separated one-byte hexadecimal values, each zero-padded to two digits. For example, the MAC address 2:2:2:2:2:2 must be supplied as 02:02:02:02:02:02.
- src-mask: Specifies the mask for the configured src-mac, in the same format as src-mac. There is no explicit keyword. To match any source address (omitting both src-mac and src-mask), use any in place of src-mac.
- dst-mac: Specifies the destination MAC address, in the same format as src-mac. There is no explicit keyword.
- dst-mask: Specifies the mask for the configured dst-mac, in the same format as src-mac. There is no explicit keyword. To match any destination address (omitting both dst-mac and dst-mask), use any in place of dst-mac.
- vlan vlan-tag: Specifies the value of the VLAN tag. Valid values range from 1 through 4095. This is an optional parameter.
- etype: Specifies the Ethernet type in hexadecimal format. Valid values range from 0x600 through 0xFFFF (values below 0x600 are IEEE 802.3 length fields, not Ethernet types), excluding 0x8100, which is the 802.1Q tag identifier. Alternatively, one of the protocol names arp, ipv4 or ipv6 can be selected. This is an optional parameter.
- pcp: Specifies the traffic class mapped to the outgoing PCP value when a packet egresses the switch. Valid values range from 0 through 7.
- count: Enables a hit counter for the current rule.
- log: Enables logging for the current rule.
Usage Guidelines

GRE tunnel type:
- Version-1 packets are not filtered with this setting.
- Version-0 packets are filtered successfully with this setting.

GTPU tunnel type:
- Packets with outer IP and UDP port settings (an ACL configured with an IP address and a sport/dport combination) are not forwarded to the egress.

This command configures rules to permit or drop traffic based on the source and destination MAC address.

The order of the rules in an ACL is critical: the first matching rule stops further processing, so a broad rule placed early in the list shadows every narrower rule that follows it. When creating rules, the sequence value determines the order of rule processing. If the sequence value is not specified, the rule is added to the end of the list.

To delete a rule from an ACL:
- If you know the rule number, enter no seq seq-value.
- If you do not know the rule number, type no and then enter the full rule syntax without the seq-value.
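The following is an added example, not the switch's own code or anything from this reference page: a small Python validator for rules written in the form documented above. It enforces the page's ranges and the zero-padded MAC format, assigns sequence numbers to unnumbered rules the way the page describes (multiples of 10, appended to the end), and simulates first-match evaluation so that a rule shadowed by an earlier, broader rule can be found before the ACL is applied. The page does not define mask semantics, so the example assumes a conventional bit mask (mask bit 1 is compared, 0 is don't-care), that an omitted mask means an exact match, that any matches every address, and that a frame hitting no rule is reported as no-match; the sample ACL and frames are constructed for the example.

```python
"""Added example (not the switch's code): validate MAC ACL rules in the form this
page documents, assign sequence numbers, and simulate first-match evaluation so
shadowed rules can be found before the ACL is applied.  Assumptions the page does
not state: a mask is a conventional bit mask (1 = compared, 0 = don't-care), an
omitted mask means exact match, 'any' matches every address, and a frame that hits
no rule is reported as 'no-match'.  Ranges from the page: seq 1-65535,
vlan 1-4095, etype 0x600-0xFFFF excluding 0x8100, pcp 0-7."""
import re

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
ETYPE_NAMES = {"arp": 0x0806, "ipv4": 0x0800, "ipv6": 0x86DD}
ALL_ONES = 0xFFFFFFFFFFFF

def mac_to_int(mac):
    """Parse the zero-padded colon form the CLI requires (02:02:02:02:02:02, not 2:2:2:2:2:2)."""
    if not MAC_RE.match(mac):
        raise ValueError("mac must be colon-separated 1-byte hex with zero padding: %r" % mac)
    return int(mac.replace(":", ""), 16)

def _in_range(value, lo, hi):  # mirrors the CLI's "% Value 'X' not in range <lo-hi>"
    if not lo <= value <= hi:
        raise ValueError("Value '%d' not in range <%d-%d>" % (value, lo, hi))
    return value

def parse_rule(line):
    """seq N permit|deny {src [mask]|any} {dst [mask]|any} [vlan V] [etype E] [pcp P] [count] [log]"""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "seq" or tok[2] not in ("permit", "deny"):
        raise ValueError("expected 'seq <id> permit|deny <src> <dst> ...': %r" % line)
    rule, pos = {"seq": _in_range(int(tok[1]), 1, 65535), "action": tok[2]}, 3
    for side in ("src", "dst"):
        if tok[pos] == "any":  # value 0 under mask 0 matches every address
            rule[side], pos = (0, 0), pos + 1
            continue
        addr, mask, pos = mac_to_int(tok[pos]), ALL_ONES, pos + 1
        if pos < len(tok) and MAC_RE.match(tok[pos]):  # optional mask follows
            mask, pos = mac_to_int(tok[pos]), pos + 1
        rule[side] = (addr & mask, mask)
    while pos < len(tok):  # optional qualifiers
        kw = tok[pos]
        if kw in ("vlan", "pcp"):
            lo, hi = (1, 4095) if kw == "vlan" else (0, 7)
            rule[kw], pos = _in_range(int(tok[pos + 1]), lo, hi), pos + 2
        elif kw == "etype":
            raw = tok[pos + 1].lower()
            et = ETYPE_NAMES[raw] if raw in ETYPE_NAMES else int(raw, 16)
            if not 0x600 <= et <= 0xFFFF or et == 0x8100:
                raise ValueError("invalid Ethernet Type %r. Valid range 0x600-0xFFFF" % raw)
            rule["etype"], pos = et, pos + 2
        elif kw in ("count", "log"):
            rule[kw], pos = True, pos + 1
        else:
            raise ValueError("unknown token %r in %r" % (kw, line))
    return rule

def rejects(line):
    """True if parse_rule refuses the line, as the CLI would."""
    try:
        parse_rule(line)
    except (ValueError, IndexError):
        return True
    return False

def build_acl(lines):
    """Unnumbered lines get the next multiple of 10 past the highest seq in use
    (so they land at the end of the list); a repeated seq is refused."""
    rules = []
    for line in lines:
        if not line.startswith("seq "):
            line = "seq %d %s" % (max([r["seq"] for r in rules] + [0]) // 10 * 10 + 10, line)
        rule = parse_rule(line)
        if any(r["seq"] == rule["seq"] for r in rules):
            raise ValueError("seqid %d already exist" % rule["seq"])
        rules.append(rule)
    return sorted(rules, key=lambda r: r["seq"])

def evaluate(rules, frame):
    """First match wins: (action, seq) of the first rule the frame hits, else ('no-match', None)."""
    src, dst = mac_to_int(frame["src"]), mac_to_int(frame["dst"])
    for r in rules:
        (sv, sm), (dv, dm) = r["src"], r["dst"]
        if (src & sm) != sv or (dst & dm) != dv:
            continue
        if any(k in r and frame.get(k) != r[k] for k in ("vlan", "etype", "pcp")):
            continue
        return r["action"], r["seq"]
    return "no-match", None

def covers(a, b):
    """True if every frame matched by rule b is also matched by rule a."""
    for side in ("src", "dst"):
        (av, am), (bv, bm) = a[side], b[side]
        if (am & bm) != am or (bv & am) != av:
            return False
    return all(k not in a or a[k] == b.get(k) for k in ("vlan", "etype", "pcp"))

def shadowed(rules):
    """(seq, shadowing seq) for every rule that an earlier rule makes unreachable."""
    return [(b["seq"], next(a["seq"] for a in rules[:i] if covers(a, b)))
            for i, b in enumerate(rules) if any(covers(a, b) for a in rules[:i])]

SAMPLE_ACL = [  # constructed for this example; the third line omits seq on purpose
    "seq 10 deny any 01:00:5e:00:00:00 ff:ff:ff:80:00:00 etype ipv4",  # IPv4 multicast MACs
    "seq 20 permit 00:04:96:22:33:44 ff:ff:ff:ff:ff:ff any",
    "deny 00:04:96:00:00:00 ff:ff:ff:00:00:00 any",                   # gets seq 30
    "seq 40 permit 00:04:96:aa:bb:cc ff:ff:ff:ff:ff:ff any",          # shadowed by seq 30
]
```

Running `shadowed(build_acl(SAMPLE_ACL))` reports that seq 40 can never match because seq 30 denies the whole 00:04:96 prefix first; the fix on the switch is to give the narrow permit a lower sequence number than the broad deny, which is exactly the ordering point the guidelines above make.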
Table 1. Error messages

Message | Reason
--- | ---
Error: seqid 10 already exist mac1. | The sequence ID is repeated within the MAC ACL named mac1.
Error: source mac address must be in colon-separated 1 byte hexa-decimal format with zero padding if needed. Example-00:04:96:22:33:44 | Zero padding must be added for src-mac, src-mask, dst-mac and dst-mask.
Error: valid range for VNID is 1-16777215. | The VNID is outside the valid range for the VxLAN protocol.
Error: invalid Ethernet Type. Valid range 0x600-0xFFFF | The Ethernet type is outside the valid range or its format is incorrect.
% Value '65536' not in range <1-65535>. | Example: sequence ID range error.
% Value '4096' not in range <0-4095>. | Example: VLAN range error.
% Value '8' not in range <0-7>. | Example: PCP range error.
Examples

The following example configures the MAC ACL L2 with a rule that uses a full mask on the source address and a mask of FF:FF:FF:FF:FF:00 on the destination address (masks use the same colon-separated format as addresses).

device# configure terminal
device(config)# mac access-list L2
device(config-mac-acl)# seq 1 permit 01:23:45:67:89:ab FF:FF:FF:FF:FF:FF 01:23:41:67:89:ac FF:FF:FF:FF:FF:00

The following example displays the running configuration of a MAC ACL to verify its rules.

device(config-mac-acl)# show running-config access-list
mac access-list L2
 seq 10 permit 02:02:02:02:02:02 02:02:02:02:02:02 02:02:02:02:02:03 02:02:02:02:02:03