OcNOS-SP : System Management Guide : System Management Configuration Guide : Access Control Lists Configurations : MAC ACL Configuration
MAC ACL Configuration
 
#configure terminal
Enter configure mode.
(config)#mac access-list mac-acl-01
Create a MAC access list named mac-acl-01.
(config-mac-acl)#22 permit host 0000.0011.1212 host 0000.1100.2222 vlan 2
Create an access rule with sequence number 22 that permits frames from source MAC 0000.0011.1212 to destination MAC 0000.1100.2222 tagged with VLAN 2.
(config-mac-acl)#exit
Exit access list mode.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#bridge 1 protocol rstp vlan-bridge
Create a VLAN-aware RSTP bridge.
(config)#vlan 2 bridge 1 state enable
Create VLAN 2 on bridge 1 and enable it.
(config)#interface xe10
Enter interface mode.
(config-if)#switchport
Configure the interface as Layer 2.
(config-if)#bridge-group 1
Associate the interface with bridge group 1.
(config-if)#switchport mode trunk
Set the switching characteristics of this interface to trunk mode.
(config-if)#switchport trunk allowed vlan all
Allow all VLAN identifiers on this trunk interface.
(config-if)#mac access-group mac-acl-01 in
Apply the MAC access list mac-acl-01 to traffic entering the interface (ingress direction).
(config-if)#commit
Commit the candidate configuration to the running configuration.
(config-if)#end
Exit interface and configure mode.
Validation
Use the commands below to verify the match counts. When frames with source MAC 0000.0011.1212, destination MAC 0000.1100.2222 and VLAN tag 2 arrive on interface xe10, the match counter of access rule 22 increases by the number of frames sent.
#show mac access-lists
MAC access list mac-acl-01
22 permit mac host 0000.0011.1212 host 0000.1100.2222 vlan 2 [match=3000]
default deny-all
All other inbound frames hit the implicit default deny-all rule, and its match counter increases by the number of frames sent. Because the list ends in deny-all, any traffic that is not explicitly permitted by a rule is dropped on this interface.
#show mac access-lists mac-acl-01
MAC access list mac-acl-01
22 permit mac host 0000.0011.1212 host 0000.1100.2222 vlan 2
default deny-all [match=2000]
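As an added example that is not part of the OcNOS guide, the following Python script parses show mac access-lists output in the format shown above and compares two snapshots, one taken before and one after sending test traffic, to confirm that rule 22 and the default deny-all rule incremented by exactly the numbers of matching and non-matching frames sent. The two sample snapshots are constructed to mirror the output above, not captured from a device, and the function names are the example's own.

```python
"""Parse OcNOS 'show mac access-lists' output and verify ACL hit counters.

Added example, not IP Infusion code. It assumes the output format shown on
this page: a 'MAC access list <name>' header, numbered rule lines, a
'default deny-all' line, and an optional '[match=N]' suffix on any line.
"""
import re
from typing import Dict, Tuple

# Header line, e.g. "MAC access list mac-acl-01"
_ACL_HDR = re.compile(r"^MAC access list (\S+)\s*$")
# Numbered rule line with an optional trailing "[match=N]" counter.
_RULE = re.compile(r"^(\d+)\s+(.*?)(?:\s+\[match=(\d+)\])?\s*$")
# Implicit final rule, e.g. "default deny-all [match=2000]".
_DEFAULT = re.compile(r"^default\s+(\S+)(?:\s+\[match=(\d+)\])?\s*$")


def parse_show_mac_access_lists(text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Return {acl_name: {rule_key: (rule_text, match_count)}}.

    rule_key is the sequence number as a string, or 'default' for the
    implicit final rule. A rule printed without '[match=N]' has seen no
    traffic and is recorded with a count of 0.
    """
    acls: Dict[str, Dict[str, Tuple[str, int]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ACL_HDR.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, {})
            continue
        if current is None:
            continue  # prompt or other text before the first ACL header
        m = _DEFAULT.match(line)
        if m:
            acls[current]["default"] = (m.group(1), int(m.group(2) or 0))
            continue
        m = _RULE.match(line)
        if m:
            acls[current][m.group(1)] = (m.group(2), int(m.group(3) or 0))
    return acls


def counter_delta(before: str, after: str, acl: str) -> Dict[str, int]:
    """Per-rule increase in match counters between two snapshots of one ACL."""
    b = parse_show_mac_access_lists(before).get(acl, {})
    a = parse_show_mac_access_lists(after).get(acl, {})
    return {key: a[key][1] - b.get(key, ("", 0))[1] for key in a}


def verify_acl_test(before: str, after: str, acl: str, rule: str,
                    sent_matching: int, sent_other: int) -> bool:
    """True if `rule` gained exactly sent_matching hits and the default rule
    gained exactly sent_other hits. Any other result means frames were
    classified differently than the test intended (for example, the ARP/ND
    source-MAC-only behaviour, or a VLAN tag that did not survive ingress)."""
    delta = counter_delta(before, after, acl)
    return (delta.get(rule) == sent_matching
            and delta.get("default") == sent_other)


# Constructed sample snapshots in the format of the page's show output;
# not captured from a real device.
BEFORE = """\
MAC access list mac-acl-01
22 permit mac host 0000.0011.1212 host 0000.1100.2222 vlan 2
default deny-all
"""

AFTER = """\
MAC access list mac-acl-01
22 permit mac host 0000.0011.1212 host 0000.1100.2222 vlan 2 [match=3000]
default deny-all [match=2000]
"""

if __name__ == "__main__":
    print(counter_delta(BEFORE, AFTER, "mac-acl-01"))
    # 3000 matching frames and 2000 non-matching frames were sent in this test
    print(verify_acl_test(BEFORE, AFTER, "mac-acl-01", "22", 3000, 2000))
```

In practice the before snapshot is taken right after clear mac access-list counters, so that every increment can be attributed to the test traffic rather than to background frames that happened to hit the interface.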
Note: In the current design, ARP and ND packets are matched against the source MAC address (the host MAC) only; the destination MAC in a rule is not evaluated for these packets.
Note: Use clear mac access-list counters to reset the statistics of all MAC ACLs, or clear mac access-list <mac access-list name> counters to reset the statistics of a single MAC ACL. Clear the counters before a validation run so that the observed increments can be attributed to the test traffic.
Last modified date: 10/19/2023