{deny | permit}

Implementation Notes

If the CPU MA table (a MAC address table that is separate from the software MAC address table) is full, so that the ACL logic cannot create another MA table entry, all frames from that source address are dropped.

If the ACL rules are changed or ACLs are unapplied from the port, all CPU MA table entries associated with that port are flushed from the table. If ACLs are unapplied (and port security is not enabled on the port), the hardware is configured to no longer trap frames from that port to the CPU.

ACLs take precedence over port-based security configuration. See Implementation Notes on page 164 in the Security Commands chapter for details.

{deny | permit}

This command creates a new rule for the selected MAC access list. Each rule is appended to the list of configured rules for that list. Note that an implicit “deny all” MAC rule always terminates the access list.

Syntax

{deny | permit} {srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu} [ethertypekey | 0x0600-0xFFFF] [vlan {eq 0-4095 | range 0-4095 0-4095}] [cos 0-7] [secondary-vlan {eq 0-4095 | range 0-4095 0-4095}] [secondary-cos 0-7] [assign-queue queue-id 0-6] [redirect slot/port]

Parameters

deny | permit
    The rule may either deny or permit traffic according to the specified classification fields.

{srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu}
    Note: In SFTOS 2.4.1, only the source MAC is supported.
    The source (srcmac srcmacmask | any) and destination (dstmac dstmacmask | any | bpdu) MAC value and mask pairs must both be specified; either pair may be replaced by the keyword any to match any value in that field. (See the Usage section, below.)
    The bpdu keyword may be specified for the destination MAC value/mask pair; it matches the well-known BPDU MAC value 01-80-c2-xx-xx-xx (hex), where xx indicates a don't-care octet.

ethertypekey | 0x0600-0xFFFF
    (Optional) The Ethertype may be specified either as a keyword (ethertypekey) or as a four-digit hexadecimal value from 0x0600 to 0xFFFF. The currently supported ethertypekey keyword values are: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp. Each of these translates into its equivalent Ethertype value(s). (See the Usage section, below.)

vlan {eq 0-4095 | range 0-4095 0-4095}
    (Optional) To filter on a single VLAN, enter vlan eq followed by the VLAN ID. For a VLAN range, enter vlan range followed by the lowest VLAN ID and then the highest VLAN ID in the range.

cos 0-7
    (Optional) Use the cos keyword to filter on the Class of Service value (the only tag in a single-tagged packet, or the first or outer 802.1Q tag of a double VLAN tagged packet). The value may be from 0 to 7.
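The rule semantics described in the Syntax and Parameters above (first matching rule wins, the implicit “deny all” terminator, the any and bpdu wildcards, ethertype keyword or hex value, vlan eq/range and cos) can be exercised offline with the following Python model. It is an added example, not SFTOS code and not part of this manual. It assumes that the MAC mask is a wildcard mask in which set bits are ignored during comparison, which is consistent with the bpdu description (01-80-c2-xx-xx-xx with xx as don't-care) but should be confirmed against the switch's Usage section; it uses the standard IEEE EtherType numbers for the keywords the page lists, which the page itself does not print; it models both MAC pairs as the syntax defines them even though the note above says SFTOS 2.4.1 supports only the source MAC; and it does not model secondary-vlan, secondary-cos, assign-queue or redirect. The access list and frames at the bottom are constructed sample data. The point for an operator is to check rule order before applying a list, for instance that a deny for BPDUs sits ahead of a broader permit and that frames not covered by any rule fall through to the implicit deny.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_BITS = 0xFFFFFFFFFFFF
ANY = (0, MAC_BITS)                      # (value, mask): every bit is don't-care
BPDU = (0x0180C2000000, 0x000000FFFFFF)  # 01-80-c2-xx-xx-xx, low three octets don't-care

# Standard IEEE EtherType numbers for the keywords the page lists; the manual prints
# only the keyword names, so these numbers are not taken from the page.
ETHERTYPE_KEYWORDS = {
    "appletalk": (0x809B,), "arp": (0x0806,), "ibmsna": (0x80D5,), "ipv4": (0x0800,),
    "ipv6": (0x86DD,), "ipx": (0x8037,), "mplsmcast": (0x8848,), "mplsucast": (0x8847,),
    "netbios": (0x8191,), "novell": (0x8137, 0x8138), "pppoe": (0x8863, 0x8864), "rarp": (0x8035,),
}

def parse_mac(text: str) -> int:
    """00:11:22:33:44:55 or 00-11-22-33-44-55 -> 48-bit integer."""
    digits = text.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text}")
    return int(digits, 16)

def mac_matches(value: int, mask: int, mac: int) -> bool:
    # Assumption: wildcard mask, set bits are ignored when comparing (see lead-in).
    care = ~mask & MAC_BITS
    return (mac & care) == (value & care)

@dataclass
class Rule:
    action: str                                   # "deny" or "permit"
    src: Tuple[int, int]                          # (value, mask)
    dst: Tuple[int, int]
    ethertypes: Optional[Tuple[int, ...]] = None  # None = field not specified
    vlan: Optional[Tuple[int, int]] = None        # inclusive (low, high); eq N -> (N, N)
    cos: Optional[int] = None

@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int
    vlan: Optional[int] = None                    # None for an untagged frame
    cos: Optional[int] = None

def _in_range(name: str, n: int, lo: int, hi: int) -> int:
    if not lo <= n <= hi:
        raise ValueError(f"{name} {n} is outside {lo}-{hi}")
    return n

def _mac_pair(tokens: List[str], i: int, allow_bpdu: bool) -> Tuple[Tuple[int, int], int]:
    if tokens[i] == "any" or (allow_bpdu and tokens[i] == "bpdu"):
        return (ANY if tokens[i] == "any" else BPDU), i + 1
    return (parse_mac(tokens[i]), parse_mac(tokens[i + 1])), i + 2

def parse_rule(line: str) -> Rule:
    tokens = line.split()
    if tokens[0] not in ("deny", "permit"):
        raise ValueError("a rule must start with deny or permit")
    src, i = _mac_pair(tokens, 1, allow_bpdu=False)   # bpdu is only valid for the destination
    dst, i = _mac_pair(tokens, i, allow_bpdu=True)
    rule = Rule(tokens[0], src, dst)
    while i < len(tokens):
        t = tokens[i]
        if t in ETHERTYPE_KEYWORDS:                       # ethertype keyword form
            rule.ethertypes, i = ETHERTYPE_KEYWORDS[t], i + 1
        elif t.lower().startswith("0x"):                  # four-digit hex form, 0x0600-0xFFFF
            rule.ethertypes, i = (_in_range("ethertype", int(t, 16), 0x0600, 0xFFFF),), i + 1
        elif t == "vlan" and tokens[i + 1] in ("eq", "range"):
            count = 1 if tokens[i + 1] == "eq" else 2     # eq takes one ID, range takes two
            ids = [_in_range("vlan", int(x), 0, 4095) for x in tokens[i + 2:i + 2 + count]]
            rule.vlan, i = (ids[0], ids[-1]), i + 2 + count
        elif t == "cos":
            rule.cos, i = _in_range("cos", int(tokens[i + 1]), 0, 7), i + 2
        else:
            raise ValueError(f"unsupported or misplaced token: {t}")
    return rule

def rule_matches(rule: Rule, frame: Frame) -> bool:
    # Every classification field the rule specifies must match; absent fields match anything.
    return (mac_matches(*rule.src, parse_mac(frame.src))
            and mac_matches(*rule.dst, parse_mac(frame.dst))
            and (rule.ethertypes is None or frame.ethertype in rule.ethertypes)
            and (rule.vlan is None or (frame.vlan is not None
                                       and rule.vlan[0] <= frame.vlan <= rule.vlan[1]))
            and (rule.cos is None or frame.cos == rule.cos))

def evaluate(rules: List[Rule], frame: Frame) -> Tuple[str, Optional[int]]:
    """First matching rule wins; the implicit deny-all terminator yields ("deny", None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, frame):
            return rule.action, index
    return "deny", None

# Constructed sample access list (not from the manual): drop BPDUs first, then allow
# IPv4 from one OUI on VLANs 10-20 and ARP from anyone; everything else hits deny-all.
SAMPLE_ACL = [parse_rule(r) for r in (
    "deny any bpdu",
    "permit 00:11:22:00:00:00 00:00:00:ff:ff:ff any ipv4 vlan range 10 20",
    "permit any any arp",
)]
```

Calling evaluate(SAMPLE_ACL, Frame("00:11:22:aa:bb:cc", "01:80:c2:00:00:00", 0x0026)) returns ("deny", 0) because the bpdu wildcard matches the destination before any permit is consulted, while an IPv4 frame from the same source on VLAN 30 returns ("deny", None): no rule matches, so the implicit deny-all decides.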

288

ACL Commands

Force10 Networks S2410s manual