seq (mac access-list rules)
Inserts filtering rules into Layer 2 (MAC) access control lists (ACLs) to permit or deny traffic based on matching Layer 2 protocol fields.
Syntax
seq ID { permit | deny } [ vxlan | gre | nvgre | gtpu | ipip ] { src-mac src-mask | any } { dst-mac dst-mask | any } [ vlan ] [ etype ] [ pcp ] [ count ] [ log ] [ qos-forwarding-group group-name ]
Parameters
- seq ID - Specifies the sequence ID for the rule. The seq keyword is mandatory. Valid values range from 1 through 65535. If no ID is specified, the next unassigned value is used, starting from 10 and incrementing by 10, and the rule is appended to the end of the list.
- permit | deny - Specifies the forwarding action for the matching traffic.
- vxlan | gre | nvgre | gtpu | ipip - Optional. Specifies the tunnel type the rule applies to.
  - For the VXLAN tunnel type a VNI can be configured; for the GTP-U tunnel type a TEID can be configured.
  - The tunnel ID parameter can be supplied only for the VXLAN, GTP-U, and GTP-C protocols. There is no CLI keyword for this parameter; the value is entered on its own.
  - Valid range for VXLAN (VNI) is 1 through 16777215.
  - Valid range for GTP-U (TEID) is 1 through 4294967295.
  - Valid range for GTP-C (TEID) is 1 through 429496729.
- src-mac - Specifies the source MAC address. There is no explicit keyword. MAC addresses are entered in colon-separated, one-byte hexadecimal format, and each byte must be zero-padded to two hex digits. For example, enter the MAC address 2:2:2:2:2:2 as 02:02:02:02:02:02.
- src-mask - Specifies the mask for the configured src-mac, in the same colon-separated, zero-padded format (for example, FF:FF:FF:FF:FF:00). There is no explicit keyword. To match any source address, enter any in place of src-mac and src-mask.
- dst-mac - Specifies the destination MAC address, in the same colon-separated, zero-padded format as src-mac. There is no explicit keyword.
- dst-mask - Specifies the mask for the configured dst-mac, in the same format as src-mask. There is no explicit keyword. To match any destination address, enter any in place of dst-mac and dst-mask.
- vlan-tag - Optional. Specifies the VLAN tag value. Valid values range from 1 through 4095.
- etype - Optional. Specifies the Ethertype value in hexadecimal. Valid values range from 0x01 through 0xFFFF, excluding 0x8100 (the 802.1Q VLAN tag Ethertype). Alternatively, specify one of the protocol names ARP, IPv4, or IPv6.
- pcp - Specifies the traffic class mapped to the outgoing PCP value when a packet egresses the switch. Valid values range from 0 through 7.
- count - Enables a hit counter for the current rule.
- log - Enables logging for the current rule.
- qos-forwarding-group group-name - Specifies the name of a Quality of Service (QoS) forwarding group.
Usage Guidelines
GRE tunnel type:
- Version 1 GRE packets are not filtered with this setting.
- Version 0 GRE packets are filtered with this setting.
GTP-U tunnel type:
- Packets matched on outer IP and UDP port settings (an ACL configured with an IP address and a sport/dport combination) are not forwarded to the egress.
This command configures rules to permit or drop traffic based on source and destination MAC address.
The order of the rules in an ACL is critical: the first matching rule stops further processing. When creating rules, the sequence value determines the order in which rules are evaluated. If the sequence value is not specified, the rule is added to the end of the list. A rule that is meant to be an exception (for example, a permit for one host) must therefore carry a lower sequence number than the broader rule it overrides (for example, a deny of the surrounding address range).
To delete a rule from an ACL:
- If you know the sequence number, enter no seq seq-value.
- If you do not know the sequence number, enter no followed by the full rule syntax without the sequence value.
Duplicate ACL rules (same match condition and same forwarding action) are not allowed.
Conflicting ACL rules (same match condition and different forwarding action) are not allowed.
The no form of the command removes the MAC ACL rule entry that matches the supplied sequence ID within the current MAC ACL context.
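The following Python model is an added example, not code from the switch or its vendor. It implements the rule semantics described in the parameters and usage guidelines above: zero-padding of MAC addresses (2:2:2:2:2:2 becomes 02:02:02:02:02:02), the 1 to 65535 sequence range, automatic sequence assignment in steps of 10 at the end of the list, first-match evaluation in sequence order, rejection of duplicate and conflicting rules, and removal with no seq. It assumes the mask is a subnet-style mask in which a 1 bit means the corresponding address bit must match, which is how the FF:FF:FF:FF:FF:00 mask in the Examples section reads; the class and function names are the example's own. Use it to dry-run a rule set before committing it, for instance to confirm that a host exception really precedes the deny that would otherwise swallow it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_BYTE = re.compile(r"[0-9A-Fa-f]{1,2}")


def normalize_mac(mac: str) -> str:
    """Return a colon-separated, zero-padded, lowercase MAC (2:2:2:2:2:2 -> 02:02:02:02:02:02)."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(_BYTE.fullmatch(p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def mac_to_int(mac: str) -> int:
    return int(normalize_mac(mac).replace(":", ""), 16)


@dataclass
class MacRule:
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # None (or "any") matches every source address
    src_mask: Optional[str] = None
    dst: Optional[str] = None         # None (or "any") matches every destination address
    dst_mask: Optional[str] = None
    seq: Optional[int] = None         # None: let the ACL assign the next free value

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {self.action!r}")
        if self.src == "any":
            self.src = None
        if self.dst == "any":
            self.dst = None
        for addr, mask, label in ((self.src, self.src_mask, "src"), (self.dst, self.dst_mask, "dst")):
            if (addr is None) != (mask is None):
                raise ValueError(f"{label}: give address and mask together, or 'any' for both")

    @staticmethod
    def _side(addr: Optional[str], mask: Optional[str]) -> Tuple[int, int]:
        if addr is None:
            return (0, 0)             # 'any': an all-zero mask matches everything
        m = mac_to_int(mask)          # assumption: 1 bits in the mask are "must match" bits
        return (mac_to_int(addr) & m, m)

    def match_key(self) -> Tuple[Tuple[int, int], Tuple[int, int]]:
        """Masked (address, mask) pairs; two rules with equal keys have the same match condition."""
        return (self._side(self.src, self.src_mask), self._side(self.dst, self.dst_mask))

    def matches(self, src_mac: str, dst_mac: str) -> bool:
        (s, sm), (d, dm) = self.match_key()
        return (mac_to_int(src_mac) & sm) == s and (mac_to_int(dst_mac) & dm) == d

    def cli(self) -> str:
        def side(addr: Optional[str], mask: Optional[str]) -> str:
            return "any" if addr is None else f"{normalize_mac(addr)} {normalize_mac(mask)}"
        return f"seq {self.seq} {self.action} {side(self.src, self.src_mask)} {side(self.dst, self.dst_mask)}"


class MacAcl:
    SEQ_MIN, SEQ_MAX, SEQ_STEP = 1, 65535, 10

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: Dict[int, MacRule] = {}

    def _next_seq(self) -> int:
        # Unnumbered rules go to the end: the next multiple of 10 above the highest seq in use.
        top = max(self.rules, default=0)
        return (top // self.SEQ_STEP + 1) * self.SEQ_STEP

    def add(self, rule: MacRule) -> MacRule:
        if rule.seq is None:
            rule.seq = self._next_seq()
        if not self.SEQ_MIN <= rule.seq <= self.SEQ_MAX:
            raise ValueError(f"seq {rule.seq} outside {self.SEQ_MIN}..{self.SEQ_MAX}")
        if rule.seq in self.rules:
            raise ValueError(f"seq {rule.seq} already in use")
        for other in self.rules.values():
            if other.match_key() == rule.match_key():
                kind = "duplicate" if other.action == rule.action else "conflicting"
                raise ValueError(f"{kind} rule: same match condition as seq {other.seq}")
        self.rules[rule.seq] = rule
        return rule

    def remove(self, seq: int) -> None:
        """Equivalent of 'no seq <seq>' inside the ACL context."""
        del self.rules[seq]

    def lookup(self, src_mac: str, dst_mac: str) -> Optional[str]:
        """First matching rule in sequence order wins; None means no rule matched."""
        for seq in sorted(self.rules):
            if self.rules[seq].matches(src_mac, dst_mac):
                return self.rules[seq].action
        return None

    def running_config(self) -> List[str]:
        return [f"mac access-list {self.name}"] + [self.rules[s].cli() for s in sorted(self.rules)]


def add_or_reject(acl: MacAcl, rule: MacRule) -> str:
    """Try to add a rule; return '' on success or the reason the ACL rejected it."""
    try:
        acl.add(rule)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    acl = MacAcl("L2")
    acl.add(MacRule("permit", "01:23:45:67:89:ab", "FF:FF:FF:FF:FF:FF",
                    "01:23:41:67:89:ac", "FF:FF:FF:FF:FF:00", seq=1))
    acl.add(MacRule("deny"))          # unnumbered: lands at seq 10, after the permit
    print("\n".join(acl.running_config()))
    print(acl.lookup("01:23:45:67:89:ab", "01:23:41:67:89:ff"))   # permit (first match)
    print(acl.lookup("01:23:45:67:89:ac", "01:23:41:67:89:ac"))   # deny
```

The lookup returns None when nothing matches because this page does not state what the device does to unmatched frames; check the platform's ACL documentation for the implicit action before relying on it.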
Examples
The following example configures MAC ACL L2 with a rule that permits frames from exactly 01:23:45:67:89:ab to any destination in 01:23:41:67:89:00 through 01:23:41:67:89:ff (the all-zero last byte of the destination mask leaves that byte unmatched). Masks use the same colon-separated, zero-padded format as addresses.
device# configure terminal
device(config)# mac access-list L2
device(config-mac-acl)# seq 1 permit 01:23:45:67:89:ab FF:FF:FF:FF:FF:FF 01:23:41:67:89:ac FF:FF:FF:FF:FF:00
The following example verifies that a MAC ACL was configured, from the ACL context and from privileged EXEC mode.
device(config-mac-acl)# show running-config access-list
mac access-list L2
seq 10 permit 02:02:02:02:02:02 02:02:02:02:02:02 02:02:02:02:02:03 02:02:02:02:02:03
device# show running-config mac access-list all
mac access-list L2
seq 10 permit 02:02:02:02:02:02 02:02:02:02:02:02 02:02:02:02:02:03 02:02:02:02:02:03