brocade-communications-sy rfs6000 Manuale Utente
490
Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide
53-1001931-01
MAC Extended ACL config commands
16
Parameters
Usage Guidelines
The deny command disallows traffic based on layer 2 (data-link layer) data. The MAC access list
denies traffic from a particular source MAC address or any MAC address. It can also disallow traffic
from a list of MAC addresses based on the source mask.
denies traffic from a particular source MAC address or any MAC address. It can also disallow traffic
from a list of MAC addresses based on the source mask.
The MAC access list can disallow traffic based on the VLAN and ethertype.
The most common ethertypes are:
•
arp
•
wisp
•
ip
•
802.1q
NOTE
MAC ACL always takes precedence over IP based ACL’s.
MAC ACL always takes precedence over IP based ACL’s.
The last ACE in the access list is an implicit deny statement.
Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL.
It is allowed/denied based on the ACL configuration.
It is allowed/denied based on the ACL configuration.
Example - denying traffic from any MAC address
The MAC ACL (in the example below) denies traffic from any source MAC address to a particular
host MAC address:
host MAC address:
deny [<MAC/Mask>|any|host
<MAC>] [<MAC/Mask>|any|
<MAC>] [<MAC/Mask>|any|
host <MAC>] {[dot1p|
rule-precedence|type|vlan]}
Define a source and destination MAC address and Mask
specifying the bits to match. The source and destination
wildcards can be any one of the following:
specifying the bits to match. The source and destination
wildcards can be any one of the following:
•
[<MAC/Mask>|any|host <MAC>]– Source MAC
address and mask in the format
xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
address and mask in the format
xx:xx:xx:xx:xx:xx/xx:xx:xx:xx:xx:xx
•
any – Any source host
•
host – Exact source MAC address to match
dot1p <0-7>
Determine a 802.1p priority value to match. <priority> is
in the range 0 to 7.
in the range 0 to 7.
rule-precedence <1-5000>
Define an access-list entry precedence
type [8021q|<1-65535>|
arp|appletalk|ip|ipv6|vlan|ipx|arp|
wisp]
arp|appletalk|ip|ipv6|vlan|ipx|arp|
wisp]
Set an ethertype value represented as an integer. Use
keywords for well-known ethertypes (IP, IPv6, ARP etc.)
keywords for well-known ethertypes (IP, IPv6, ARP etc.)
•
8021q – VLAN Ether type (0*8100)
•
<1-65535> – Ether protocol number
•
aarp – AARP Ether Type ( 0*80F3)
•
appletalk – APPLETALK Ether Type (0*809B)
•
arp – ARP Ether Type (0*0806)
•
ip – IP Ether Type (0*0800)
•
ipv6 – IPv6 Ether Type (0*86DD)
•
ipx – IPX Ether Type (0*8137)
•
rarp – RARP Ether Type (0*8035)
•
wisp – WISP Ether Type (0*8783)
vlan<1-4095>
Set a VLAN tag ID to match