mac access-group

OcNOS-SP : System Management Guide : System Management Command Reference : Access Control List Commands : mac access-group

mac access-group

Use this command to attach a MAC access list to an interface to filter incoming packets.

When you attach an access list to a VLAN interface or LAG interface as well as to a physical interface that is a member of that LAG and/or VLAN interface, the priority order is:

1. VLAN interface

2. LAG interface

3. Physical interface

For example, if you attach access lists to both a LAG interface and a physical interface that is a member of that LAG, matching traffic rules are applied to the LAG interface, but not to the physical interface.

The time-range parameter is optional. If used, the access-group is tied to the timer specified.

After the access-group has been configured with the time-range, to detach the access-group from the time-range, use the no form of this command with a time-range parameter as shown in the syntax and examples below.

To delete the access-group, use the no form of this command without a time-range.

Note: To attach a MAC ACL in the ingress direction ingress-l2 or ingress-l2-ext TCAM group needs to be enabled and to attach a MAC ACL in the egress direction egress-l2 TCAM group needs to be enabled. See the hardware-profile filter command for details.

Note: An egress ACL is supported on physical and lag interfaces only. VLAN and inner-VLAN options in ACL rules will match incoming packet VLANs even when ACL attached at egress.

Command Syntax

mac access-group NAME (in|out) (in|out) (time-range TR_NAME|)

no mac access-group NAME (in|out) (time-range TR_NAME|)

Parameters

NAME

Access list name.

Filter incoming packets.

out

Filter outgoing packets.

TR_NAME

Time range name set with the time-range command.

Default

No default value is specified

Command Mode

Interface mode

Applicability

This command was introduced before OcNOS version 1.3. The time-range parameter was added in OcNOS version 5.0.

Examples

#configure terminal

(config)#mac access-list mylist

(config-mac-acl)#permit any any

(config-mac-acl)#exit

(config)#hardware-profile filter ingress-l2-ext enable

(config)#interface xe3

(config-if)#mac access-group mylist in

(config-if)#exit

(config)#interface xe3

(config-if)#mac access-group mylist in time-range TIMER1

(config-if)#exit

(config)#interface xe3

(config-if)#no mac access-group mylist in time-range TIMER1

(config-if)#exit

(config)#interface xe3

(config-if)#no mac access-group mylist in

(config-if)#exit

Last modified date: 10/19/2023