seq (rules in MAC standard ACLs)
Inserts filtering rules in Layer 2 (MAC) standard ACLs. Standard ACLs permit or deny traffic according to source address only.
Syntax
seq seq-value { deny | permit | hard-drop } { any | SMAC_address mask | host SMAC_address } [ count ] [ log ] [ copy-sflow ]
{ deny | permit | hard-drop } { any | SMAC_address mask | host SMAC_address } [ count ] [ log ] [ copy-sflow ]
no seq { deny | permit | hard-drop } { any | SMAC_address mask | host SMAC_address } [ count ] [ log ] [ copy-sflow ]
Parameters
- seq
- (Optional) Enables you to assign a sequence number to the rule. If you do not specify seq seq-value, the rule is added at the end of the list.
- seq-value
- Valid values range from 1 through 65535.
- permit
- Specifies rules to permit traffic.
- deny
- Specifies rules to deny traffic.
- hard-drop
- Specifies rules to deny traffic.
- any
- Specifies all source MAC addresses.
- SMAC_address
- Specifies a source MAC address and a comparison mask.
- mask
- Specify the mask using F's and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the clause matches all MAC addresses that contain "aabb" as the first two bytes and any values in the remaining bytes.
- host
- Specifies a source MAC address.
- SMAC_address
- Use the format HHHH.HHHH.HHHH.
- count
- Enables statistics for the rule.
- log
- Enables inbound logging for the rule. In addition, the ACL log buffer must be enabled, using the debug access-list-log buffer command.
- copy-sflow
- For incoming traffic, sends matching packets to the sFlow collector.
Modes
ACL configuration mode
Usage Guidelines
This command configures rules to permit or drop traffic based on source MAC address.
The order of the rules in an ACL is critical, as the first matching rule stops further processing. When creating rules, specifying sequence values determines the order of rule processing. If you do not specify a sequence value, the rule is added to the end of the list.
The hard-drop keyword is equivalent to the deny keyword.
Although you can specify both log and copy-sflow in a standard-ACL rule, only one of the two is processed, as follows:
- In a permit rule, only copy-sflow is processed.
- In a deny or hard-drop rule, only log is processed.
To delete a rule from an ACL, do one of the following, as applicable:
- If you know the rule number, enter no seq seq-value.
- If you do not know the rule number, type no and then enter the full syntax, without seq seq-value.
Examples
The following commands create statistics-enabled rules in a MAC standard ACL.
device# configure terminal
device(config)# mac access-list standard ACL1
device(conf-macl-std)# seq 100 deny host 0022.3333.4444 count
device(conf-macl-std)# seq 110 permit host 0011.3333.5555 count
The following commands delete a rule in a MAC standard ACL by specifying the seq number.
device# configure terminal
device(config)# mac access-list standard ACL1
device(conf-macl-std)# no seq 100
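The mask comparison, the first-match ordering by sequence number, and the log/copy-sflow precedence described above can be checked offline before rules are entered on a device. The following Python sketch is an added example, not vendor code: the names Rule, evaluate and mac_to_int are hypothetical, rules 120 and 130 are constructed, and returning None when no rule matches is an assumption because this page does not state a default action.

```python
import re
from typing import NamedTuple, Optional

MAC_RE = re.compile(r"[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}")

def mac_to_int(mac: str) -> int:
    """Parse the HHHH.HHHH.HHHH format into a 48-bit integer."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"expected HHHH.HHHH.HHHH, got {mac!r}")
    return int(mac.replace(".", ""), 16)

class Rule(NamedTuple):
    seq: int                      # 1 through 65535
    action: str                   # "permit", "deny" or "hard-drop"
    addr: str = "any"             # "any" or a source MAC address
    mask: str = "ffff.ffff.ffff"  # a full mask models the "host" form
    log: bool = False
    copy_sflow: bool = False

    def matches(self, smac: str) -> bool:
        if self.addr == "any":
            return True
        m = mac_to_int(self.mask)
        return (mac_to_int(smac) & m) == (mac_to_int(self.addr) & m)

def evaluate(rules, smac: str) -> Optional[tuple]:
    """Return (seq, action, processed_option) for the first matching rule."""
    for r in sorted(rules, key=lambda r: r.seq):
        if not 1 <= r.seq <= 65535:
            raise ValueError(f"seq {r.seq} is outside 1 through 65535")
        if r.action not in ("permit", "deny", "hard-drop"):
            raise ValueError(f"unknown action {r.action!r}")
        if r.matches(smac):
            if r.action == "permit":   # only copy-sflow is processed
                option = "copy-sflow" if r.copy_sflow else None
            else:                      # deny or hard-drop: only log is processed
                option = "log" if r.log else None
            return r.seq, r.action, option
    return None  # assumption: the page does not state a default action

# Rules 100 and 110 come from the Examples section; 120 and 130 are constructed.
ACL1 = [
    Rule(100, "deny", "0022.3333.4444"),
    Rule(110, "permit", "0011.3333.5555"),
    Rule(120, "permit", "aabb.ccdd.eeff", "ffff.0000.0000", log=True, copy_sflow=True),
    Rule(130, "hard-drop", "aabb.0000.0001", log=True, copy_sflow=True),
]

if __name__ == "__main__":
    for smac in ("0022.3333.4444", "aabb.0000.0001", "0000.0000.0001"):
        print(smac, "->", evaluate(ACL1, smac))
```

In this constructed ACL, rule 130 never takes effect for aabb.0000.0001 because the masked permit at seq 120 matches first; giving the hard-drop rule a lower sequence number changes the outcome.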