Service-acl – Allied Telesis AT-S94 CLI (AT-8000S Series) User Manual

ACL Commands

Syntax

deny [disable-port] {any|{source source-wildcard}} {any|{destination destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype eth-type]

Parameters

disable-port — Indicates the Ethernet interface is disabled if the condition is matched.

source — Specifies source MAC address of the packet.

source-wildcard — Specifies wildcard bits to be applied to the source MAC address. Use 1s in the bit position to be ignored.

destination — Specifies the MAC address of the host to which the packet is being sent.

destination-wildcard — Specifies wildcard bits to be applied to the destination MAC address. Use 1s in the bit position to be ignored.

vlan-id — Specifies the VLAN ID of the packet. (Range: 0 - 4095)

cos — Specifies the Class of Service of the packet. (Range: 0 - 7)

cos-wildcard — Specifies wildcard bits to be applied to the CoS.

eth-type — Specifies the Ethernet type in hexadecimal format of the packet. (Range: 0-05dd-fff)

Default Configuration

No MAC-Access List is defined.

Command Mode

MAC-Access List Configuration mode

User Guidelines

MAC BPDU packets cannot be denied.

This command defines an Access Control Element (ACE). An ACE can only be removed by deleting the ACL, using the no mac access-list Global Configuration mode command. Alternatively, the Web-based interface can be used to delete ACEs from an ACL.

The following user guidelines are relevant to GE devices only:

Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is
added, an implied deny-any-any condition exists at the end of the list and those packets that do not match
the conditions defined in the permit statement are denied.

If the VLAN ID is specified, the policy map cannot be connected to the VLAN interface.
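
The wildcard rule (1s mark bit positions to ignore) and the implied deny-any-any described above for GE devices can be modeled as follows. This is an added illustration, not code from the manual or the switch firmware; the function names, the sample ACLs, and the first-match evaluation order are assumptions, and the BPDU exception is not modeled.

```python
# Added illustration: models the MAC ACL matching rules from the text above.
MASK48 = 0xFFFFFFFFFFFF

def mac_to_int(mac):
    """Parse a colon-separated MAC such as '6:6:6:6:6:6' into a 48-bit int."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"expected 6 octets: {mac!r}")
    value = 0
    for octet in octets:
        byte = int(octet, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"octet out of range: {mac!r}")
        value = (value << 8) | byte
    return value

def field_matches(addr, spec):
    """spec is 'any' or (address, wildcard); wildcard 1-bits are ignored."""
    if spec == "any":
        return True
    base, wildcard = (mac_to_int(part) for part in spec)
    care = ~wildcard & MASK48  # bits that must be equal
    return (mac_to_int(addr) & care) == (base & care)

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a frame (assumed first-match order)."""
    if not acl:
        return "permit"  # before any ACE is added, all packets are permitted
    for action, src_spec, dst_spec in acl:
        if field_matches(src, src_spec) and field_matches(dst, dst_spec):
            return action
    return "deny"  # implied deny-any-any at the end of the list

# Constructed sample ACLs (not taken from the manual).
# A lone deny ACE: every other frame then hits the implied deny as well.
DENY_ONLY = [("deny", ("6:6:6:6:6:6", "0:0:0:0:0:0"), "any")]
# Deny a whole 24-bit prefix (low 24 bits ignored), then permit the rest.
DENY_PREFIX = [
    ("deny", ("00:a0:d2:00:00:00", "00:00:00:ff:ff:ff"), "any"),
    ("permit", "any", "any"),
]

if __name__ == "__main__":
    bcast = "ff:ff:ff:ff:ff:ff"
    for name, acl in (("DENY_ONLY", DENY_ONLY), ("DENY_PREFIX", DENY_PREFIX)):
        for src in ("6:6:6:6:6:6", "00:a0:d2:12:34:56", "00:a0:d3:12:34:56"):
            print(name, src, "->", evaluate(acl, src, bcast))
```

With DENY_ONLY, frames that do not match the ACE are still dropped by the implied deny, so an ACL meant to block one host needs a trailing permit ACE to let other traffic through.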

Example

The following example creates a MAC ACL with deny rules.

console(config)# mac access-list macl1

console(config-mac-acl)# deny 6:6:6:6:6:6 0:0:0:0:0:0 any

service-acl

The service-acl Interface Configuration mode command controls access to an interface. Use the no form of this command to remove the access control.