Advanced Layer 2 ACL rules and features

Many advanced ACL features are implemented per ACL rule, according to parameters that you specify.

Note

Some advanced features also require global configuration.
Table 1. Layer 2 ACL advanced keywords

| Keyword | Description | L2 standard ACL | L2 extended ACL | Notes |
|---|---|---|---|---|
| copy-sflow | sFlow monitoring | P/D/H; I | P/D/H; I | |
| count | Counter statistics | P/D/H; I/O | P/D/H; I/O | |
| drop-precedence-force | Re-marking drop-precedence | NA | P; I | Supported only under default, vxlan-visibility, or border-routing TCAM profiles. |
| log | Logging | P/D/H; I | P/D/H; I | |
| mirror | Mirroring | NA | P/D/H; I | Effective only in ACLs applied to physical interfaces. |
| pcp | 802.1p filtering | NA | P/D/H; I/O | |
| pcp-force | 802.1p re-marking | NA | P; I | |
| vlan-tag-format | Filtering by untagged, single-tagged, or double-tagged VLAN type | NA | P/D/H; I/O | The vlan-tag-format keyword is supported on the SLX-9540/9640 in the Layer2-Ratelimit profile only. Also, when multi-tagged packets are sent (packets with more than 2 tags), the rule written for vlan-tag-format double-tagged is matched; the DNX BCM hardware treats a multi-tagged packet as double-tagged. The vlan-tag-format keyword is not supported on the SLX-9150/9250. |
Key:
For details, refer to the following Extreme SLX-OS Command Reference topics:

Parsing priorities among keywords

There are parsing priorities among the copy-sflow, log, and mirror keywords, as follows:
  • Although in a standard-ACL rule you can include log and copy-sflow, only one of the two is processed, as follows:
    • In a permit rule, the order of precedence is copy-sflow > log.
    • In a deny or hard-drop rule, the order of precedence is log > copy-sflow.
  • Although in an extended-ACL rule you can include log, mirror, and copy-sflow, only one of the three is processed, as follows:
    • In a permit rule, the order of precedence is mirror > copy-sflow > log.
    • In a deny or hard-drop rule, the order of precedence is log > copy-sflow > mirror.
Consider the following extended Layer 2 ACL:
device(config)# mac access-list extended mac1
device(conf-macl-ext)# seq 10 permit host 0000.1324.3333 any count log mirror copy-sflow
device(conf-macl-ext)# seq 20 deny host 0000.1357.4444 any count log mirror copy-sflow
  • In the permit rule, only the mirror keyword is processed.
  • In the deny rule, only the log keyword is processed.
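Because only one of log, mirror, and copy-sflow is processed per rule, an operator who adds log to a permit rule that already carries mirror gets no log entries at all. The following added example (not Extreme's code) parses rule lines of the form shown above, with the device prompt stripped, and reports which keyword the precedence rules select and which are silently ignored, so a configuration can be audited before it is relied on for logging or monitoring. Keyword detection by whole-token match is an assumption of this example.

```python
# Precedence (highest first) among the competing keywords, per ACL type and
# rule outcome, as documented for SLX-OS Layer 2 ACLs. hard-drop follows the
# same order as deny.
PRECEDENCE = {
    ("standard", "permit"): ["copy-sflow", "log"],
    ("standard", "deny"):   ["log", "copy-sflow"],
    ("extended", "permit"): ["mirror", "copy-sflow", "log"],
    ("extended", "deny"):   ["log", "copy-sflow", "mirror"],
}
COMPETING = {"copy-sflow", "log", "mirror"}
ACTIONS = {"permit": "permit", "deny": "deny", "hard-drop": "deny"}


def parse_rule(line):
    """Parse 'seq N <action> ...' into (seq, action, competing keywords).
    Assumes the 'device(conf-macl-*)#' prompt has already been removed."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "seq":
        raise ValueError(f"not a rule line: {line!r}")
    seq = int(tokens[1])
    action = tokens[2]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in seq {seq}")
    keywords = [t for t in tokens[3:] if t in COMPETING]
    return seq, action, keywords


def effective_keyword(acl_type, action, keywords):
    """Return the one competing keyword the device processes, or None."""
    if acl_type == "standard" and "mirror" in keywords:
        raise ValueError("mirror is not supported in a standard L2 ACL")
    for kw in PRECEDENCE[(acl_type, ACTIONS[action])]:
        if kw in keywords:
            return kw
    return None


def audit(acl_type, lines):
    """Return (seq, processed, ignored) for each rule whose extra log, mirror
    or copy-sflow keywords will never take effect."""
    findings = []
    for line in lines:
        seq, action, kws = parse_rule(line)
        winner = effective_keyword(acl_type, action, kws)
        ignored = sorted(k for k in kws if k != winner)
        if ignored:
            findings.append((seq, winner, ignored))
    return findings


# Constructed input: the two rules from the mac1 example above, prompt stripped.
MAC1_RULES = [
    "seq 10 permit host 0000.1324.3333 any count log mirror copy-sflow",
    "seq 20 deny host 0000.1357.4444 any count log mirror copy-sflow",
]
```

Running `audit("extended", MAC1_RULES)` reports that seq 10 processes only mirror and seq 20 only log, matching the behaviour described above.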