seq (mac access-list rules)

Inserts filtering rules into a Layer 2 (MAC) Access Control List (ACL) to permit or deny traffic based on matching Layer 2 protocol fields.

Syntax

seq id [ permit | deny ] { vxlan | gre | nvgre | gtpu | ipip } { src-mac | src-mask | dst-mac | dst-mask } { vlan | etype | pcp | count | log }
no seq id

Parameters

seq id
Specifies the sequence ID for the rule. This parameter is mandatory. Valid values range from 1 through 65535. If no value is specified, the next unassigned value is allocated, starting at 10 and incrementing by 10.
permit | deny
Specifies the forwarding action for the matching traffic.
vxlan | gre | nvgre | gtpu | ipip
Specifies an optional tunnel type to match. For the vxlan and gtpu tunnel types, a VNI or TEID can additionally be supplied. This tunnel ID can be supplied only for the vxlan, gtpu and gtpc protocols; it has no CLI keyword of its own and follows the tunnel type directly.
  • Valid range for vxlan: 1-16777215
  • Valid range for gtpu: 1-4294967295
  • Valid range for gtpc: 1-429496729
src-mac
Specifies the source MAC address. There is no explicit keyword. MAC addresses are given in colon-separated one-byte hexadecimal format, and each byte must be zero-padded to two digits. For example, the MAC address 2:2:2:2:2:2 must be entered as 02:02:02:02:02:02.
src-mask
Specifies the mask for the configured src-mac. To omit src-mac and its mask, use any in place of src-mac. There is no explicit keyword. The mask is given in the same colon-separated, zero-padded one-byte hexadecimal format as src-mac (for example, 02:02:02:02:02:02, not 2:2:2:2:2:2).
dst-mac
Specifies the destination MAC address. There is no explicit keyword. MAC addresses are given in colon-separated one-byte hexadecimal format, and each byte must be zero-padded to two digits. For example, the MAC address 2:2:2:2:2:2 must be entered as 02:02:02:02:02:02.
dst-mask
Specifies the mask for the configured dst-mac. To omit dst-mac and dst-mask, use any in place of dst-mac. There is no explicit keyword. The mask is given in the same colon-separated, zero-padded one-byte hexadecimal format as dst-mac (for example, 02:02:02:02:02:02, not 2:2:2:2:2:2).
vlan-tag
Specifies the VLAN tag value. Valid values range from 1 to 4095. This parameter is optional.
etype
Specifies the Ethernet type in hexadecimal format. Valid values range from 0x01 to 0xFFFF, excluding 0x8100. Alternatively, one of the protocol names arp, ipv4 or ipv6 can be selected. This parameter is optional.
pcp
Specifies the traffic class mapped to the outgoing PCP value when a packet egresses the switch. Valid values range from 0 through 7.
count
Enables counter for the current rule.
log
Enables logging for the current rule.
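As an added illustration, not part of the original reference page and not the vendor's code, the following Python model applies the parameter rules above to a single rule line: the zero-padded colon-separated MAC format, the seq, VLAN and PCP ranges, the VNI/TEID ranges for vxlan and gtpu, and the ether-type check including the 0x8100 exclusion. The error strings are modelled on Table 1 and the Examples section of this page. The protocol-name-to-ether-type mapping, the 0x600 lower bound (taken from the CLI error text rather than the 0x01 in the parameter list), the 0-4095 VLAN bounds (as printed by the CLI error text) and the "% Incomplete command." wording are assumptions.

```python
import re

# Constructed example, not the vendor's code: validates one "seq" rule line the
# way the Parameters section and Table 1 describe, returning the parsed rule as
# a dict or raising ValueError carrying the CLI-style error text.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
TUNNELS = ("vxlan", "gre", "nvgre", "gtpu", "ipip")
TUNNEL_ID_RANGE = {"vxlan": (1, 16777215), "gtpu": (1, 4294967295)}  # VNI / TEID bounds
ETYPE_NAMES = {"arp": 0x0806, "ipv4": 0x0800, "ipv6": 0x86DD}        # assumed name-to-value mapping

def parse_mac(text, what="mac address"):
    """Only colon-separated, zero-padded one-byte hex is accepted (02:02:02:02:02:02, not 2:2:2:2:2:2)."""
    if not MAC_RE.match(text):
        raise ValueError(f"Error: {what} must be in colon-separated 1 byte hexa-decimal format "
                         "with zero padding if needed. Example-00:04:96:22:33:44")
    return int(text.replace(":", ""), 16)

def in_range(value, lo, hi):
    """Range check with the '% Value ... not in range' text the CLI prints."""
    if not lo <= value <= hi:
        raise ValueError(f"% Value '{value}' not in range <{lo}-{hi}>.")
    return value

def parse_etype(text):
    """Protocol name or hex ether type; 0x8100 (the 802.1Q tag TPID) is rejected."""
    if text in ETYPE_NAMES:
        return ETYPE_NAMES[text]
    try:
        value = int(text, 16)
    except ValueError:
        raise ValueError("Error: invalid Ethernet Type entered") from None
    if not 0x600 <= value <= 0xFFFF:  # lower bound as quoted by the CLI error text on this page
        raise ValueError("Error: invalid Ethernet Type. Valid range 0x600-0xFFFF")
    if value == 0x8100:
        raise ValueError("Error: invalid Ethernet Type entered")
    return value

def parse_rule(line):
    """seq N permit|deny [tunnel [id]] (any | mac mask) (any | mac mask) [vlan V] [etype E] [pcp P] [count] [log]"""
    t = line.split()
    rule = {"seq": None, "tunnel": None, "tunnel_id": None, "vlan": None,
            "etype": None, "pcp": None, "count": False, "log": False}

    def need():  # next token, or an error when the line ends early
        if not t:
            raise ValueError("% Incomplete command.")  # wording assumed, not from the page
        return t.pop(0)

    if t and t[0] == "seq":
        t.pop(0)
        rule["seq"] = in_range(int(need()), 1, 65535)
    rule["action"] = need()
    if rule["action"] not in ("permit", "deny"):
        raise ValueError(f"% Invalid input: {rule['action']}")
    if t and t[0] in TUNNELS:
        rule["tunnel"] = t.pop(0)
        if rule["tunnel"] in TUNNEL_ID_RANGE and t and t[0].isdigit():  # optional VNI / TEID
            lo, hi = TUNNEL_ID_RANGE[rule["tunnel"]]
            rule["tunnel_id"] = int(t.pop(0))
            if not lo <= rule["tunnel_id"] <= hi:
                raise ValueError(f"Error: valid range for VNID is {lo}-{hi}.")
    for side in ("source", "destination"):  # "any" stands in for both the address and its mask
        first = need()
        rule[side] = None if first == "any" else (
            parse_mac(first, f"{side} mac address"), parse_mac(need(), f"{side} mac mask"))
    while t:
        key = t.pop(0)
        if key == "vlan":
            rule["vlan"] = in_range(int(need()), 0, 4095)  # bounds as shown by the CLI error text
        elif key == "etype":
            rule["etype"] = parse_etype(need())
        elif key == "pcp":
            rule["pcp"] = in_range(int(need()), 0, 7)
        elif key in ("count", "log"):
            rule[key] = True
        else:
            raise ValueError(f"% Invalid input: {key}")
    return rule

def error_of(line):
    """CLI-style error text for a rule line, or '' when the line is accepted."""
    try:
        parse_rule(line)
        return ""
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    for line in ("permit 2:2:3:4:5:6 FF:FF:FF:FF:FF:FF any", "seq 10 permit any any etype 0x8100",
                 "seq 1 permit 01:23:45:67:89:ab FF:FF:FF:FF:FF:FF any etype arp"):
        print(line, "->", error_of(line) or "accepted")
```

Feeding the rule lines from the Examples section through error_of reproduces the corresponding error texts, which makes the model a convenient pre-check for generated ACL configuration before it is pushed to a device.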

Modes

IP ACL config mode

Usage Guidelines

GRE tunnel type:
  • Version-1 packets are not filtered with this setting.
  • Version-0 packets are filtered successfully with this setting.
GTPU tunnel type:
  • Packets with outer IP and UDP port settings (ACL configured with ip address and sport/dport combination) are not forwarded to the egress.

This command configures rules to permit or drop traffic based on the source and destination MAC addresses.

The order of the rules in an ACL is critical. The first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If the sequence value is not specified, the rule is added to the end of the list.

To delete a rule from an ACL:
  • If you know the rule number, enter no seq seq-value.
  • If you do not know the rule number, type no and then enter the full syntax without seq-value.

Duplicate ACL rules are not allowed.

Conflicting ACL rules (rules with the same match condition but a different forwarding action) are not allowed.

The [no] form of the command removes the MAC ACL rule entry that matches the supplied sequence id within the current MAC ACL context.
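As an added example, again constructed here and not the product's code, this Python model of a mac access-list context implements the guidelines above: the lowest sequence ID is processed first and the first match ends evaluation, a rule given without seq is appended after the last rule at the next multiple of 10, a repeated sequence ID is rejected, and duplicate and conflicting rules are refused with the messages shown on this page. Rules are supplied already parsed and range-checked; masks are applied bitwise to the frame's addresses. The Rule and MacAcl names, the frame dictionary layout, the "no matching rule" wording, and the choice to return None rather than assume a default action when nothing matches are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed model, not the vendor's code: a "mac access-list" context that
# applies the ordering, duplicate and conflict rules from the Usage Guidelines
# to rules that have already been parsed and range-checked.
MacPair = Optional[Tuple[int, int]]  # (address, mask); None means "any"

def mac(text: str) -> int:
    """Integer form of a colon-separated MAC; format checking belongs to the parser, not here."""
    return int(text.replace(":", ""), 16)

@dataclass(frozen=True)
class Rule:
    seq: Optional[int]          # None: let the ACL assign the next id
    action: str                 # "permit" or "deny"
    src: MacPair = None
    dst: MacPair = None
    vlan: Optional[int] = None
    etype: Optional[int] = None
    tunnel: Optional[str] = None

    def match_key(self):
        """The match condition: everything except seq and the forwarding action."""
        return (self.src, self.dst, self.vlan, self.etype, self.tunnel)

    def matches(self, frame: dict) -> bool:
        """frame carries src/dst as integers plus optional vlan, etype and tunnel keys."""
        for pair, value in ((self.src, frame["src"]), (self.dst, frame["dst"])):
            if pair is not None and (value & pair[1]) != (pair[0] & pair[1]):
                return False
        return all(getattr(self, f) is None or getattr(self, f) == frame.get(f)
                   for f in ("vlan", "etype", "tunnel"))

class MacAcl:
    """One 'mac access-list NAME' context; rules are processed lowest sequence id first."""

    def __init__(self, name: str):
        self.name = name
        self.rules = {}  # seq -> Rule

    def add(self, rule: Rule) -> int:
        """'seq ...' inside the context; returns the sequence id actually stored."""
        if rule.seq is None:  # no id given: appended after the last rule at the next multiple of 10
            rule = replace(rule, seq=(max(self.rules, default=0) // 10 + 1) * 10)
        if rule.seq in self.rules:
            raise ValueError(f"Error: seqid {rule.seq} already exist {self.name}.")
        for other in sorted(self.rules.values(), key=lambda r: r.seq):
            if other.match_key() == rule.match_key():
                kind = "duplicate of" if other.action == rule.action else "conflicting with"
                raise ValueError(f"Error: Sequence {rule.seq} is {kind} Sequence {other.seq}.")
        self.rules[rule.seq] = rule
        return rule.seq

    def remove(self, seq: Optional[int] = None, rule: Optional[Rule] = None) -> None:
        """'no seq <id>' when the id is known; otherwise 'no' with the full rule syntax."""
        if seq is None:  # look the id up by match condition and action
            seq = next((s for s, r in self.rules.items()
                        if (r.match_key(), r.action) == (rule.match_key(), rule.action)), None)
        if seq not in self.rules:
            raise ValueError("Error: no matching rule in this access-list.")  # wording assumed
        del self.rules[seq]

    def evaluate(self, frame: dict):
        """First match stops processing: returns (action, seq), or None when no rule
        matches (the page states no default action, so none is assumed here)."""
        for seq in sorted(self.rules):
            if self.rules[seq].matches(frame):
                return self.rules[seq].action, seq
        return None

def error_of(fn, *args) -> str:
    """CLI-style error text a call raises, or '' when it is accepted."""
    try:
        fn(*args)
        return ""
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    acl = MacAcl("L2")
    acl.add(Rule(1, "permit", (mac("01:23:45:67:89:ab"), mac("FF:FF:FF:FF:FF:FF")),
                 (mac("01:23:41:67:89:ac"), mac("FF:FF:FF:FF:FF:00"))))
    print(acl.add(Rule(None, "deny")))                # stored as seq 10
    print(error_of(acl.add, Rule(2, "permit")))       # conflicting with seq 10
    print(acl.evaluate({"src": mac("01:23:45:67:89:ab"), "dst": mac("01:23:41:67:89:ff")}))  # ('permit', 1)
```

The evaluation step shows why order matters: the specific permit at seq 1 only wins because it sorts before the catch-all deny at seq 10, and a frame whose destination differs in a masked-out byte still matches seq 1 because the FF:FF:FF:FF:FF:00 mask ignores the last byte.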

Table 1. Error messages

Message: Error: seqid 10 already exist mac1.
Reason: Sequence ID is repeated within the MAC ACL named mac1.

Message: Error: source mac address must be in colon-separated 1 byte hexa-decimal format with zero padding if needed. Example-00:04:96:22:33:44
Reason: Zero padding must be added for src-mac, src-mask, dst-mac and dst-mask.

Message: Error: valid range for VNID is 1-16777215.
Reason: VNID is outside the valid range for the VxLAN protocol.

Message: Error: invalid Ethernet Type. Valid range 0x600-0xFFFF
Reason: Ethernet type is outside the valid range or its format is incorrect.

Message: % Value '65536' not in range <1-65535>.
Reason: Example: sequence ID range error.

Message: % Value '4096' not in range <0-4095>.
Reason: Example: VLAN range error.

Message: % Value '8' not in range <0-7>.
Reason: Example: PCP range error.

Examples

The following example configures MAC ACL L2.

device# configure terminal
device(config)# mac access-list L2
device(config-mac-acl)# seq 1 permit 01:23:45:67:89:ab FF:FF:FF:FF:FF:FF 01:23:41:67:89:ac FF:FF:FF:FF:FF:00

The following example verifies that the MAC ACL was configured.

device(config-mac-acl)# show running-config access-list 
mac access-list L2 
  seq 10 permit 02:02:02:02:02:02 02:02:02:02:02:02 02:02:02:02:02:03 02:02:02:02:02:03

device# show running-config mac access-list all 
mac access-list L2 
  seq 10 permit 02:02:02:02:02:02 02:02:02:02:02:02 02:02:02:02:02:03 02:02:02:02:02:03

Error messages:

Sequence id is repeated within mac access-list:

device(config-mac-acl)# seq 10 permit gtpu any any 
Error: seqid 10 already exist mac1. 

Incorrect format for mac address/mask (for src/dest address/mask):

device(config-mac-acl)# permit 2:2:3:4:5:6 FF:FF:FF:FF:FF:FF any 
Error: source mac address must be in colon-separated 1 byte hexa-decimal format with zero padding if needed. Example-00:04:96:22:33:44 
device(config-mac-acl)# seq 130 permit gtpu any 03:03:03:03:03:03 f:f:f:f:f:f 
Error: destination mac mask must be in colon-separated 1 byte hexa-decimal format with zero padding if needed. Example-0F:0F:0F:FF:FF:FF 

device(config-mac-acl)# permit vxlan 16777216 any any 
Error: valid range for VNID is 1-16777215. 

device(config-mac-acl)# permit any any etype 0x1ffff 
Error: invalid Ethernet Type. Valid range 0x600-0xFFFF 

device(config-mac-acl)# seq 10 permit any any etype 0x8100 
Error: invalid Ethernet Type entered 

device(config-mac-acl)# permit any any etype vlan 
Error: invalid Ethernet Type entered 

device(config-mac-acl)# permit any any etype igmp 
Error: invalid Ethernet Type entered 

Sequence id range:

device(config-mac-acl)# seq 65536 
% Value '65536' not in range <1-65535>. 

NPB(config-mac-acl)# seq 0 
% Value '0' not in range <1-65535>. 

Vlan id range:

device(config-mac-acl)# seq 20 permit gtpu 4294967295 any any vlan -1 
% Value '-1' not in range <0-4095>. 

device(config-mac-acl)# seq 20 permit gtpu 4294967295 any any vlan 4096 
% Value '4096' not in range <0-4095>. 

PCP value range:

device(config-mac-acl)# seq 20 permit gtpu 4294967295 any any pcp 
  <0-7>  Pcp range <0-7> 

device(config-mac-acl)# seq 20 permit gtpu 4294967295 any any pcp 8 
% Value '8' not in range <0-7>. 

device(config-mac-acl)# seq 20 permit gtpu 4294967295 any any pcp -1 
% Value '-1' not in range <0-7>. 

Duplicate rule:

device(config-mac-acl)# seq 1 permit any any 
device(config-mac-acl)# seq 2 permit any any 
Error: Sequence 2 is duplicate of Sequence 1. 

Conflicting rule:

device(config-mac-acl)# seq 1 permit any any 
device(config-mac-acl)# seq 2 deny any any 
Error: Sequence 2 is conflicting with Sequence 1.