Creating a standard MAC ACL and adding rules – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Page 465

• The default action of "deny any" is inserted at the end of a bounded L3 ACL. This default rule is not exposed to the user.

• Applying a hard-drop ACL in place of a permit or deny ACL enables packets to be dropped and overrides the control packet trap entries, but does not override a permit entry that occurs before the rule in the ACL.

• You cannot delete an ACL if it is applied to an interface.
• ACLs in a route-map are not used by the Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP) protocols.

• Existing ACL rules cannot be updated with new optional elements, such as count and log. You must delete the rule and recreate it with the additional elements.

The Brocade VDX 6710, VDX 6720, and VDX 6730 do not support the following:

• Egress ACLs
• MAC masks (except FFFF.FFFF.FFFF)
• IP address mask of noncontiguous addresses with variable LSBs
• Operators except “eq” (equal) for TCP or UDP port ranges
• TCP flags PUSH and URG

For example, the wildcard mask 0.0.255.255 is supported, while 255.0.0.0 and 0.255.0.255 are not. Only IP addresses and masks that can be represented in CIDR format are supported.
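The CIDR restriction above can be checked before a rule is entered on the switch. The following is an added example, not code from the Brocade guide: it converts an ACL wildcard mask (0 bit = must match, 1 bit = don't care) to a prefix length, rejects any mask whose don't-care bits are not one contiguous run of least-significant bits, and audits a constructed rule list the way an operator might vet a configuration before pushing it to a VDX 6710, 6720 or 6730. The function names, the rule tuple layout and the sample addresses are assumptions made for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not from the Brocade guide). Checks whether an ACL
# address/wildcard pair is CIDR-representable, which is the only form the
# VDX 6710/6720/6730 accept for IP ACL masks.

ALL_ONES = 0xFFFFFFFF


def wildcard_to_prefix_length(wildcard: str) -> Optional[int]:
    """Return the prefix length equivalent to a wildcard mask, or None when
    the mask cannot be expressed in CIDR form.

    0.0.255.255 -> 16.  255.0.0.0 and 0.255.0.255 -> None, because their
    don't-care bits are not a single run at the low end of the address.
    """
    dont_care = int(ipaddress.IPv4Address(wildcard))
    netmask = dont_care ^ ALL_ONES          # invert: wildcard -> subnet mask
    # A valid subnet mask is a run of 1s followed only by 0s. For such a
    # value, the complement plus one is a power of two (single bit set).
    complement_plus_one = (netmask ^ ALL_ONES) + 1
    if complement_plus_one & (complement_plus_one - 1):
        return None                         # 1s and 0s are interleaved
    return bin(netmask).count("1")


def to_cidr(address: str, wildcard: str) -> Optional[str]:
    """Normalise an address/wildcard pair to CIDR text, e.g.
    ("10.9.106.120", "0.0.255.255") -> "10.9.0.0/16". Host bits are cleared
    so the result names the network the rule actually matches. Returns None
    when the platform cannot express the mask."""
    prefix = wildcard_to_prefix_length(wildcard)
    if prefix is None:
        return None
    return str(ipaddress.IPv4Network((address, prefix), strict=False))


# Rule layout assumed for this example: (sequence number, address, wildcard).
Rule = Tuple[int, str, str]


def audit_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (seq, reason) for every rule whose mask the VDX 6710/6720/6730
    cannot express, so the list can be fixed before it is applied."""
    problems = []
    for seq, address, wildcard in rules:
        if to_cidr(address, wildcard) is None:
            problems.append((seq, f"wildcard {wildcard} is not CIDR-representable"))
    return problems


# Constructed sample rules, in the order they would be entered.
SAMPLE_RULES: List[Rule] = [
    (10, "10.9.0.0", "0.0.255.255"),   # /16, supported
    (20, "0.0.0.0", "255.0.0.0"),      # first octet wildcarded, unsupported
    (30, "10.0.0.0", "0.255.0.255"),   # non-contiguous, unsupported
    (40, "10.9.106.120", "0.0.0.0"),   # single host (/32), supported
]

if __name__ == "__main__":
    for seq, address, wildcard in SAMPLE_RULES:
        print(seq, address, wildcard, "->", to_cidr(address, wildcard) or "UNSUPPORTED")
    for seq, reason in audit_rules(SAMPLE_RULES):
        print(f"seq {seq}: {reason}")
```

The power-of-two test is the whole check: any mask that passes it has exactly one boundary between match bits and don't-care bits, which is what "variable LSBs" in the list above means.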

Creating a standard MAC ACL and adding rules

The following items should be kept in mind when creating standard MAC ACLs and adding rules to
them.

• You can use the resequence command to change the sequence numbers assigned to the rules in a MAC ACL. For detailed information, refer to Reordering the sequence numbers in a MAC ACL on page 468.

• A MAC ACL does not take effect until it is applied to a Layer 2 interface. Refer to Applying a MAC ACL to a DCB interface on page 466 and Applying a MAC ACL to a VLAN interface on page 467.

• Certain invalid characters (such as “[]\.@#+*()={}”) were allowed in earlier versions (Network OS 2.x) as part of ACL names. The ability to use these characters in ACL names was discontinued in Network OS 3.0.0. As part of the upgrade to Network OS 3.x releases, a script removes these invalid characters, which can result in ACL names that are no longer unique. An ID is appended to the end of each affected ACL name to make certain that each ACL name is unique (-m for MAC ACL names and -i for IP ACL names). The update script applies the same changes to the ACL names everywhere (for example, updating the ACL names on the interfaces where the ACL rules are applied), so functionality is not affected.

• If an ACL is set up to deny a specific host or range (for example, "seq 2 deny host 10.9.106.120"), the VDX still responds to the ping command unless a hard-drop rule is added (such as "seq 20 hard-drop icmp any any").

To create a standard MAC ACL and add rules, perform the following steps from privileged EXEC mode.

1. Enter the configure terminal command to access global configuration mode.
2. Create a standard MAC ACL and enter ACL configuration mode. In this example, the name of the standard MAC ACL is "test_01".

switch(config)# mac access-list standard test_01
switch(conf-macl-std)#

3. Enter the deny command to create a rule in the MAC ACL that drops traffic from the specified source MAC address. In this example, the count keyword also enables a hit counter for the rule.

switch(conf-macl-std)# deny 0022.3333.4444 count

Network OS Administrator’s Guide, 53-1003225-04