seq 
	  (rules in MAC extended ACLs)
 
   
  Inserts filtering rules in Layer 2 (MAC) extended access control lists (ACLs). 
  
 Syntax
 
	 
				[ seq seq-value ] permit { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan { any | vlanID } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 
				[ seq seq-value ] permit { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan-tag-format { untagged vlan vlan-id | single-tagged vlan { any | vlan-id [ vlan-id-mask ] } | double-tagged outer-vlan { any | vlan-id [ vlan-id-mask ] } inner-vlan { any | vlan-id [ vlan-id-mask ] } } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 
				[ seq seq-value ] { deny | hard-drop } { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan { any | vlanID } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 
				[ seq seq-value ] { deny | hard-drop } { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan-tag-format { untagged vlan vlan-id | single-tagged vlan { any | vlan-id [ vlan-id-mask ] } | double-tagged outer-vlan { any | vlan-id [ vlan-id-mask ] } inner-vlan { any | vlan-id [ vlan-id-mask ] } } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 
 
	 
				
				no permit { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan { any | vlanID } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 
				
				no permit { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan-tag-format { untagged vlan vlan-id | single-tagged vlan { any | vlan-id [ vlan-id-mask ] } | double-tagged outer-vlan { any | vlan-id [ vlan-id-mask ] } inner-vlan { any | vlan-id [ vlan-id-mask ] } } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 
				
				no { deny | hard-drop } { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan { any | vlanID } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 
				
				no { deny | hard-drop } { any | SMAC-address mask | host SMAC-address } { any | host DMAC-address | DMAC-address mask } [ known-unicast-only ] [ vlan-tag-format { untagged vlan vlan-id | single-tagged vlan { any | vlan-id [ vlan-id-mask ] } | double-tagged outer-vlan { any | vlan-id [ vlan-id-mask ] } inner-vlan { any | vlan-id [ vlan-id-mask ] } } ] [ custom-EtherType | arp [ arp-guard ] | cfm | ipv4 | ipv6 | mpls ] [ count ] [ log ] [ mirror ] [ copy-sflow ]
			
 
	 Parameters
 
		
				
					- seq
						
					
- (Optional) Enables you to
						assign a sequence number to the rule. If you do not specify seq
							seq-value, the
							rule is added at the end of the list.
						
							
								- seq-value
								
- Valid values
									range from 1 through 65535. 
 
- permit
					
- Specifies rules to permit
						traffic. 
- deny
					
- Specifies rules to deny
						traffic. 
- 
						
							hard-drop
						
					
- Specifies rules to deny
						traffic. How hard-drop differs from deny depends on the
						platform; see Usage Guidelines.
- any
					
- Specifies any source MAC
						addresses. 
- SMAC-address
					
- Specifies a source MAC
						address and a comparison mask. 
							
								- mask
								
-  Specifies the
									mask using Fs and zeros. For example, to match on the first two
									bytes of the address aabb.ccdd.eeff, use the mask
									ffff.0000.0000. In this case, the clause matches all MAC
									addresses that contain "aabb" as the first two bytes and any
									values in the remaining bytes. 
 
- host
							SMAC-address
					
- Specifies a source MAC
						address. Use the format HHHH.HHHH.HHHH. 
- any
					
- Specifies any destination MAC
						addresses. 
- DMAC-address
					
- Specifies a destination MAC
						address and a comparison mask. 
							
								- mask
								
-  Specifies the
									mask using Fs and zeros. For example, to match on the first two
									bytes of the address aabb.ccdd.eeff, use the mask
									ffff.0000.0000. In this case, the clause matches all MAC
									addresses that contain "aabb" as the first two bytes and any
									values in the remaining bytes. 
 
- host
							DMAC-address
						
					
- Specifies a destination MAC
						address. Use the format HHHH.HHHH.HHHH. 
- known-unicast-only
						
					
- (XGS devices only) Specifies
						known unicast traffic only.
- vlan
					
- Specifies VLANs to which the
						ACL is bound. 
							
								- any
								
- Specifies any
									VLAN. 
- vlanID
								
- Specifies a VLAN.
								
 
- 
						vlan-tag-format
					
-  Specifies untagged,
							single-tagged, or double-tagged
						VLAN traffic. 
- untagged
					
- Specifies traffic with no
						VLAN tag. 
							
								- vlan
									
								
- Specifies a VLAN
									or any VLAN. 
										
											- any
											
- Specifies any VLAN. 
- vlanID
												
											
- Specifies a VLAN or range of VLANs. 
 
 
- single-tagged
					
- Specifies traffic with a
						single VLAN, a range of VLANs, or any VLAN. 
							
								- vlan
									
								
- Specifies a VLAN
									or any VLAN. 
										
											- any
											
- Specifies any VLAN. 
- vlanID
												[
												vlan-id-mask
												]
												
											
- Specifies a VLAN or range of VLANs. Optionally, you
												can use a 12-bit hex value to specify a range of
												VLANs. For example, 0x0FFF specifies all VLANs for
												which the last 8 bits are 0. 
 
 
- double-tagged
					
- (DNX devices only) Specifies
						traffic with both an outer and an inner VLAN, a range of such VLANs, or any
						such VLAN. 
							
								- outer-vlan
									
								
- Specifies an
									outer VLAN, a range of outer VLANs, or any outer VLAN. 
										
											- any
											
- Specifies any outer VLAN. 
- vlanID
												[
												vlan-id-mask
												]
												
											
- Specifies an outer VLAN or range of VLANs.
												Optionally, you can use a 12-bit hex value to
												specify a range of VLANs. For example, 0x0FFF
												specifies all VLANs for which the last 8 bits are 0.
											
 
- inner-vlan-id
									
								
-  Specifies inner
									VLANs. 
										
											- any
											
- Specifies any inner VLAN. 
- vlanID
												[
												vlan-id-mask
												]
												
											
- Specifies an inner VLAN or range of VLANs.
												Optionally, you can use a 12-bit hex value to
												specify a range of VLANs. For example, 0x0FFF
												specifies all VLANs for which the last 8 bits are 0.
											
 
 
- custom-EtherType
					
-  Specifies a custom EtherType
						value for which to set the permit or deny conditions. Valid values range
						from 1536 through 65535. 
- arp
					
- Specifies to permit or deny
						the ARP protocol (0x0806). 
							
								- arp-guard
										
								
- Enables ARP
									Guard. 
 
- cfm
					
- Specifies to permit or deny
						the CFM protocol (0x8902). 
- ipv4
					
- Specifies to permit or deny
						the IPv4 protocol (0x0800). 
- ipv6
					
- Specifies to permit or deny
						the IPv6 protocol (0x86dd). 
- mpls
					
- (DNX devices only) Specifies
						to permit or deny the MPLS protocol (0x8847). 
- drop-precedence-force
							dp-value
							
					
- In permit rules
						applied to incoming traffic, forces drop precedence to a value of 0 through
						2. On DNX devices, the drop-precedence-force
						 keyword is supported only under the default,
							vxlan-ext, and bgp-flowspec
						TCAM profiles.
- count
					
- Enables statistics for the
						rule. 
- log
					
- Enables inbound logging for
						the rule. The log keyword alone is not sufficient: the ACL log
						buffer must also be enabled, using the
							debug
							access-list-log buffer command. 
- mirror
					
- (Supported for rules in ACLs
						applied on physical interfaces to inbound traffic) Mirrors packets matching
						the rule. 
- copy-sflow
					
- For incoming traffic, sends
						matching packets to the sFlow collector. 
Modes
 
		 ACL configuration mode 
		
 
	 
 
	 Usage Guidelines
 
		This command configures rules to permit or drop traffic based on source and destination MAC addresses and protocol type. You can also enable counters, logging, mirroring, and sending packets to the sFlow collector per rule. 
		
 
		The order of the rules in an ACL is critical, as the first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list. 
		
			The behavior of the 
hard-drop keyword varies with platform, as
					follows:
					- (XGS devices) Overrides the trap behavior
						for control frames and data frames such as echo request (ping). However,
						hard-drop does not override a permit for this address in a preceding
						rule.
- (DNX devices) Equivalent to the deny
						keyword.
Although in an extended-ACL rule you can include 
log, 
mirror, and 
copy-sflow, only one of
				the three is processed, as follows: 
					- In a permit rule, the order of
						precedence is mirror > copy-sflow >
							log. For example, a permit rule that specifies both
						mirror and log is mirrored but not logged. 
- In a deny or hard-drop rule, the
						order of precedence is log >
							copy-sflow > mirror. 
 The following guidelines apply to rules that contain one of the 
		  
vlan-tag-format options: 
		
 
		  - Supported only when an ACL containing such rules is applied to physical or port-channel interfaces for ingress traffic. Ignored for ACLs applied to egress traffic and for ACLs applied to VLANs. 
		  
- (DNX devices only) The double-tagged
						option is supported only for VPLS VLANs. The untagged and
						the single-tagged options are supported for all VLANs. 
- An implicit LACP BPDU 
			 permit rule precedes the implicit 
			 deny rule. But to avoid port-channel interface flap for VPLS endpoints over dynamic LAGs, make sure that the LACP BPDUs do not match any of the configured 
			 deny rules. 
		  
To enable ARP Guard on an interface, you create
				and apply a MAC extended ACL with rules that contain the arp and arp-guard keywords. ARP
				Guard is supported on devices based on the DNX chipset family. For a list of such
				devices, see "Supported Hardware".
 
		 To delete a rule from an ACL, do one of the following, as relevant: 
		
 
		  -  If you know the rule number, enter 
			 no seq 
			 seq-value. 
		  
-  If you do not know the rule number, type 
			 no and then enter the full syntax without 
			 seq-value. 
		  
Examples
 
	  
		 The following example creates a rule in a MAC extended ACL to deny IPv4 traffic from the source MAC address 0022.3333.4444 to the destination MAC address 0022.3333.5555 and enable packet counting. 
		  
device# configure terminal
device(config)# mac access-list extended ACL1
device(conf-macl-ext)# seq 100 deny 0022.3333.4444 0022.3333.5555 ipv4 count 
 
		 The following example creates rules in a MAC extended ACL that permit traffic filtered by VLAN tag type and enable packet counting. 
		  
device# configure terminal
device(config)# mac access-list extended ACL1
device(conf-macl-ext)# permit host 0001.0001.0001 any vlan-tag-format untagged vlan 100 count
device(conf-macl-ext)# permit host 0002.0002.0002 any vlan-tag-format single-tagged vlan 200 count
device(conf-macl-ext)# permit host 0003.0003.0003 any vlan-tag-format double-tagged outer-vlan 300 inner-vlan-id 400 count
device(conf-macl-ext)# permit host 0001.0001.0004 any vlan-tag-format untagged vlan 100 0x0fff count
device(conf-macl-ext)# permit host 0003.0003.0005 any vlan-tag-format double-tagged outer-vlan 300 0xfff inner-vlan-id 400 0x0fff count
device(conf-macl-ext)# permit host 0003.0003.0006 any vlan-tag-format double-tagged outer-vlan any inner-vlan-id any count
 
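		The following example creates a MAC extended ACL with rules that enable ARP Guard and then applies it to the relevant interface. Because the rules are entered without sequence values, each one is added to the end of the list and they are evaluated in the order shown: ARP frames that match neither arp-guard permit rule are dropped by deny any any arp, and the final permit any any rule lets the remaining (non-ARP) traffic through. 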
		
 
		device# configure terminal
device(config)# mac access-list extended arp_guard_enable_1
device(conf-macl-ext)# permit host 0014.2211.1111 any vlan 100 arp arp-guard
device(conf-macl-ext)# permit host 0014.2211.1112 any vlan 101 arp arp-guard
device(conf-macl-ext)# deny any any arp
device(conf-macl-ext)# permit any any
device(conf-macl-ext)# exit
device(conf)# interface ethernet 0/2
device(conf-if-eth-0/2)# switchport
device(conf-if-eth-0/2)# mac access-group arp_guard_enable_1 in
 
	  
	  
		 The following example deletes a rule from a MAC extended ACL. 
		  
device# configure terminal
device(config)# mac access-list extended ACL1
device(conf-macl-ext)# no seq 100