Reference Guide
258 | Access Control Lists (ACL)
www.dell.com | support.dell.com
Extended MAC ACL Commands
When an access-list is created without any rule and then applied to an interface, ACL behavior reflects
implicit permit.
c and s platforms support Ingress MAC ACLs only.
The following commands configure Extended MAC ACLs.
• deny
• mac access-list extended
• permit
• seq
deny
c e s
Configure a filter to drop packets that match the filter criteria.
Syntax
deny {any | host mac-address | mac-source-address mac-source-address-mask} {any | host
mac-address | mac-destination-address mac-destination-address-mask} [ethertype-operator]
[count [byte]] [log] [monitor]
To remove this filter, you have two choices:
• Use the no seq sequence-number command syntax if you know the filter’s sequence number
or
• Use the no deny {any | host mac-address | mac-source-address
mac-source-address-mask} {any | host mac-address | mac-destination-address
mac-destination-address-mask} command.
Parameters
Note: See also Commands Common to all ACL Types and Common MAC Access List
Commands.
any Enter the keyword any to drop all packets.
host mac-address Enter the keyword host followed by a MAC address to drop
packets with that host address.
mac-source-address
Enter the source MAC address in nn:nn:nn:nn:nn:nn format.
mac-source-address-mask
Specify which bits in the MAC address must match.
The MAC ACL supports an inverse mask, therefore, a mask of
ff:ff:ff:ff:ff:ff allows entries that do not match and a mask of
00:00:00:00:00:00 only allows entries that match exactly.
mac-destination-address
Enter the destination MAC address and mask in
nn:nn:nn:nn:nn:nn format.
mac-destination-address-mask
Specify which bits in the MAC address must match.
The MAC ACL supports an inverse mask, therefore, a mask of
ff:ff:ff:ff:ff:ff allows entries that do not match and a mask of
00:00:00:00:00:00 only allows entries that match exactly.