Creating a standard mac acl and adding rules – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

• The default action of "deny any" is inserted at the end of a bounded L3 ACL. This default rule is not
exposed to the user.
• Applying a hard-drop ACL in place of a permit or deny ACL enables packets to be dropped and
overrides the control packet trap entries, but does not override the permit entry that occurs before the
rule in the ACL.
• You cannot delete an ACL if it is applied to an interface.
• ACLs in a route-map are not used by the Open Shortest Path First (OSPF) or Border Gateway
Protocol (BGP) protocols.
• Existing ACL rules cannot be updated with new optional elements, like count and log. You must
delete the rule and recreate it with the additional elements.
The Brocade VDX 6710, VDX 6720, and VDX 6730 do not support the following:
• Egress ACLs
• MAC masks (except FFFF.FFFF.FFFF)
• Noncontiguous IP address masks (any mask that cannot be expressed as a CIDR prefix length)
• Operators except “eq” (equal) for TCP or UDP port ranges
• TCP flags PUSH and URG
For example, the wildcard mask 0.0.255.255 is supported, while 255.0.0.0 and 0.255.0.255 are not. Only IP addresses and masks that can be represented in CIDR format are supported.
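The mask rule above is easy to get wrong when ACLs are generated by a script rather than typed in, so a pre-flight check is worth having. The following is an added example (not Brocade code) that decides whether a wildcard mask is CIDR-representable and checks a rule against the VDX 6710/6720/6730 restrictions listed above. The dict keys used to describe a rule (direction, mac_mask, src_wildcard, dst_wildcard, port_operator, tcp_flags) are this example's own and are not the switch's configuration model.

```python
"""Pre-flight check of ACL rules against the VDX 6710/6720/6730 restrictions
listed in the Network OS 4.1.1 guide (added example; not Brocade code).

The rule representation (a plain dict with the keys named below) is an
assumption of this example, not the switch's configuration model."""

import ipaddress

UNSUPPORTED_TCP_FLAGS = {"push", "urg"}   # the guide lists PUSH and URG
SUPPORTED_MAC_MASK = "ffff.ffff.ffff"    # the only MAC mask these models accept


def wildcard_to_prefix_len(wildcard):
    """Return the CIDR prefix length equivalent to an IPv4 wildcard mask,
    or None when the mask is not a run of zero bits followed by a run of
    one bits (so it cannot be written as a prefix)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    # Contiguous low-order ones means bits+1 is a power of two:
    # 0.0.255.255 -> 0x0000ffff, +1 -> 0x00010000 (a single bit set).
    if (bits + 1) & bits != 0:
        return None
    return 32 - bits.bit_length()


def to_cidr(address, wildcard):
    """Render 'address wildcard' in CIDR form, or None if not representable."""
    plen = wildcard_to_prefix_len(wildcard)
    if plen is None:
        return None
    # strict=False masks host bits, e.g. 10.9.106.120/16 -> 10.9.0.0/16
    return str(ipaddress.IPv4Network((address, plen), strict=False))


def vdx67xx_violations(rule):
    """Return the list of restrictions a rule would hit on a VDX 6710/6720/6730.
    An empty list means the rule uses only supported features."""
    problems = []
    if rule.get("direction") == "egress":
        problems.append("egress ACLs are not supported")
    mac_mask = rule.get("mac_mask")
    if mac_mask is not None and mac_mask.lower() != SUPPORTED_MAC_MASK:
        problems.append("only the MAC mask FFFF.FFFF.FFFF is supported")
    for side in ("src", "dst"):
        wc = rule.get(side + "_wildcard")
        if wc is not None and wildcard_to_prefix_len(wc) is None:
            problems.append(f"{side} wildcard {wc} is not CIDR-representable")
    op = rule.get("port_operator")
    if op is not None and op != "eq":
        problems.append(f"port operator '{op}' is not supported (only eq)")
    flags = {f.lower() for f in rule.get("tcp_flags", ())}
    bad = sorted(flags & UNSUPPORTED_TCP_FLAGS)
    if bad:
        problems.append("unsupported TCP flags: " + ", ".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample rules: one that passes and one that hits every check.
    print(vdx67xx_violations({"direction": "ingress", "src": "10.9.106.0",
                              "src_wildcard": "0.0.0.255", "port_operator": "eq"}))
    print(vdx67xx_violations({"direction": "egress", "mac_mask": "ffff.ff00.0000",
                              "src_wildcard": "0.255.0.255", "port_operator": "range",
                              "tcp_flags": ["push", "urg"]}))
```

The power-of-two test is the whole trick: a wildcard mask is a valid prefix exactly when its one bits are contiguous and low-order, which is why 0.0.255.255 passes and 255.0.0.0 (ones in the high-order bits) fails even though its bits are contiguous.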
Creating a standard MAC ACL and adding rules
The following items should be kept in mind when creating standard MAC ACLs and adding rules to
them.
• You can use the resequence command to change the sequence numbers assigned to the rules in a MAC ACL. For detailed information, refer to Reordering the sequence numbers in a MAC ACL on page 468.
• A MAC ACL does not take effect until it is applied to a Layer 2 interface. Refer to the section on page 466 and Applying a MAC ACL to a VLAN interface on page 467.
• Certain invalid characters (such as "[]\.@#+*()={}") were allowed in earlier versions (Network OS 2.x) as part of ACL names. The ability to use these characters in ACL names was discontinued in Network OS 3.0.0. As part of the upgrade to Network OS 3.x releases, a script removes these invalid characters, which can leave ACL names that are no longer unique. An ID is appended to the end of each affected ACL name to make certain that every ACL name is unique. The renamed ACL is updated everywhere it is referenced (such as on the interfaces where the ACL rules are applied), so functionality is not affected.
• A deny rule does not stop the switch itself from answering. If an ACL is set up to deny a specific host or range (for example, "seq 2 deny host 10.9.106.120"), the VDX still responds to ping from that host unless a hard-drop rule is added (such as "seq 20 hard-drop icmp any any"), because only hard-drop overrides the control packet trap entries.
To create a standard MAC ACL and add rules, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to access global configuration mode.
2. Create a standard MAC ACL and enter ACL configuration mode.
In this example, the name of the standard MAC ACL is "test_01."
switch(config)# mac access-list standard test_01
switch(conf-macl-std)#
3. Enter the deny command to create a rule in the MAC ACL that drops traffic from the specified source MAC address. The optional count keyword keeps a packet counter for the rule; as noted above, it cannot be added to an existing rule later.
switch(conf-macl-std)# deny 0022.3333.4444 count
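The steps above, together with the constraints listed earlier (valid ACL names, unique sequence numbers, resequencing, and delete-then-recreate when a rule needs count or log added), are easy to model in a small generator that emits the same CLI lines the transcript shows. The following is an added example and not Brocade tooling. Two things in it are assumptions to verify against your release: the "no seq N" form for deleting a single rule from ACL configuration mode, and the choice to require an explicit seq number on every rule (the transcript above omits it and lets the switch assign one).

```python
"""Model a Network OS standard MAC ACL and emit its CLI lines
(added example; not Brocade code). Assumptions to check against your
release: 'no seq N' deletes one rule in ACL configuration mode, and
every rule is given an explicit sequence number."""

import re

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
# Characters the Network OS 3.0.0 upgrade script strips from pre-3.0 ACL names.
INVALID_NAME_CHARS = set("[]\\.@#+*()={}")


def validate_name(name):
    """Reject ACL names containing characters the current CLI no longer accepts."""
    bad = sorted(set(name) & INVALID_NAME_CHARS)
    if bad:
        raise ValueError(f"ACL name {name!r} contains invalid characters {''.join(bad)!r}")
    return name


def rule_text(action, src, count=False, log=False):
    """Render one standard MAC ACL rule body, e.g. 'deny 0022.3333.4444 count'."""
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src = src.lower()
    if src != "any" and not MAC_RE.match(src):
        raise ValueError(f"bad source MAC {src!r}; expected xxxx.xxxx.xxxx")
    options = (["count"] if count else []) + (["log"] if log else [])
    return " ".join([action, src] + options)


class StandardMacAcl:
    def __init__(self, name):
        self.name = validate_name(name)
        self.rules = {}  # seq number -> rule body

    def add(self, seq, body):
        """Add a rule; returns the CLI line typed in ACL configuration mode."""
        if seq in self.rules:
            raise ValueError(f"seq {seq} is already used; delete it first")
        self.rules[seq] = body
        return f"seq {seq} {body}"

    def replace(self, seq, body):
        """Rules cannot gain options such as count or log in place, so the
        change is a delete followed by a recreate at the same seq number.
        The 'no seq N' form is an assumption of this example."""
        if seq not in self.rules:
            raise KeyError(seq)
        self.rules[seq] = body
        return [f"no seq {seq}", f"seq {seq} {body}"]

    def resequence(self, start=10, step=10):
        """Renumber rules while preserving their order, the effect of the
        resequence command; returns the old-to-new mapping."""
        ordered = sorted(self.rules)
        mapping = {old: start + i * step for i, old in enumerate(ordered)}
        self.rules = {mapping[old]: self.rules[old] for old in ordered}
        return mapping

    def config_lines(self):
        """The ACL as it would appear in the running configuration."""
        lines = [f"mac access-list standard {self.name}"]
        lines += [f" seq {seq} {self.rules[seq]}" for seq in sorted(self.rules)]
        return lines


if __name__ == "__main__":
    acl = StandardMacAcl("test_01")                       # step 2 of the procedure
    print(acl.add(10, rule_text("deny", "0022.3333.4444", count=True)))  # step 3
    print(acl.add(25, rule_text("permit", "any")))
    print(acl.resequence(10, 10))                         # {10: 10, 25: 20}
    print(acl.replace(10, rule_text("deny", "0022.3333.4444", count=True, log=True)))
    print("\n".join(acl.config_lines()))
```

The permit any at the end is deliberate: the page notes that an implicit deny any sits at the end of every ACL, so a standard MAC ACL that only lists deny rules blocks everything once it is applied to an interface.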
Network OS Administrator's Guide, 53-1003225-04