Creating an extended mac acl and adding rules, Applying a mac acl to a dcb interface, Applying a mac – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Page 466: Acl to a dcb interface

4. Enter the permit command to create a rule in the MAC ACL to permit traffic with the source MAC address.

switch(conf-macl-std)# permit 0022.5555.3333 count

5. Use the seq command to create MAC ACL rules in a specific sequence.

switch(conf-macl-std)# seq 100 deny 0011.2222.3333 count

switch(conf-macl-std)# seq 1000 permit 0022.1111.2222 count

6. Return to privileged EXEC mode.

switch(conf-macl-std)# end

7. Enter the copy command to save the running-config file to the startup-config file.

switch# copy running-config startup-config

Creating an extended MAC ACL and adding rules

The following items should be kept in mind when creating extended MAC ACLs and adding rules to
them.

• You can use the resequence command to change the sequence numbers assigned to the rules in a MAC ACL. For detailed information, refer to Reordering the sequence numbers in a MAC ACL on page 468.

• The MAC ACL name length is limited to 64 characters. A MAC ACL does not take effect until it is applied to a Layer 2 interface. Refer to Applying a MAC ACL to a DCB interface on page 466 and Applying a MAC ACL to a VLAN interface on page 467.

• Certain invalid characters (such as “[]\.@#+*()={}” etc.) were allowed in earlier versions (Network OS 2.x) as part of ACL names. The ability to use these characters in ACL names was discontinued in Network OS 3.0.0. As part of the upgrade to Network OS 3.x releases, a script removes these invalid characters, which can result in ACL names not being unique. An ID is appended at the end of each ACL name to make certain that each ACL name is unique (-m <acl_num> for MAC ACL names and -i <acl_num> for IP ACL names). The update script makes the same name changes everywhere (such as updating the ACL names on the interfaces where the ACL rules are applied), so functionality is not affected.

• If an ACL is set up to deny a specific host or range (for example: "seq 2 deny host 10.9.106.120"), the VDX still responds to ping unless the hard drop option is added (such as seq 20 hard-drop icmp any any).

To create an extended MAC ACL and add rules, run the following steps in privileged EXEC mode.

1. Enter the configure terminal command to access global configuration mode.
2. Create an extended MAC ACL and enter ACL configuration mode.

switch(config)# mac access-list extended test_02

3. Create a rule in the MAC ACL to permit traffic with the source MAC address and the destination MAC address.

switch(conf-macl-ext)# permit 0022.3333.4444 0022.3333.5555

4. Use the seq command to insert the rule anywhere in the MAC ACL.

switch(conf-macl-ext)# seq 5 permit 0022.3333.4444 0022.3333.5555

5. Return to privileged EXEC mode.

switch(conf-macl-ext)# end

6. Enter the copy command to save the running-config file to the startup-config file.

switch# copy running-config startup-config

Applying a MAC ACL to a DCB interface

Ensure that the ACL you want to apply exists and is configured to filter traffic in the manner you need
for this DCB interface. An ACL does not take effect until it is expressly applied to an interface using the
access-group command. Frames can be filtered as they enter an interface (ingress direction).
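Because a MAC ACL filters nothing until it is applied, a saved configuration can be audited for ACLs that are defined but never bound to an interface, and for names that break the naming rules listed earlier. The following Python sketch is an added example, not part of the Brocade guide; the running-config layout, the interface names and the `mac access-group <name> in` line format are assumptions, and the sample configuration is constructed.

```python
import re

# Characters the guide lists as invalid in ACL names since Network OS 3.0.0
# (the guide's list ends in "etc.", so this set is not exhaustive).
INVALID_NAME_CHARS = set("[]\\.@#+*()={}")
MAX_NAME_LEN = 64  # name length limit stated in the guide

ACL_DEF = re.compile(r"^mac access-list (?:standard|extended) (\S+)\s*$")
ACL_USE = re.compile(r"^\s+mac access-group (\S+) in\s*$")  # assumed syntax
IFACE = re.compile(r"^interface (.+?)\s*$")

# Constructed sample in an assumed running-config layout (not real output).
SAMPLE_CONFIG = """\
mac access-list standard test_01
 seq 100 deny 0011.2222.3333 count
!
mac access-list extended test_02
 seq 5 permit 0022.3333.4444 0022.3333.5555
!
mac access-list extended lab.acl
 seq 10 permit 0022.3333.4444 0022.3333.5555
!
interface TenGigabitEthernet 1/0/1
 mac access-group test_02 in
!
interface TenGigabitEthernet 1/0/2
 mac access-group old_acl in
!
"""

def audit_mac_acls(config_text):
    """Return (unapplied, bad_names, dangling) ACL name lists for a config."""
    defined, applied, iface = set(), {}, None
    for line in config_text.splitlines():
        if m := ACL_DEF.match(line):
            defined.add(m.group(1))
            iface = None
        elif m := IFACE.match(line):
            iface = m.group(1)
        elif (m := ACL_USE.match(line)) and iface:
            applied.setdefault(m.group(1), []).append(iface)
        elif line and not line[0].isspace():
            iface = None  # any other top-level line ends the interface stanza
    unapplied = sorted(defined - set(applied))   # defined but filtering nothing
    bad_names = sorted(n for n in defined
                       if len(n) > MAX_NAME_LEN or INVALID_NAME_CHARS & set(n))
    dangling = sorted(set(applied) - defined)    # applied but never defined
    return unapplied, bad_names, dangling

if __name__ == "__main__":
    print(audit_mac_acls(SAMPLE_CONFIG))
```

An ACL name in the first list is configured but not enforced anywhere; a name in the third list is referenced on an interface with no matching definition in the same file.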

Network OS Administrator’s Guide

53-1003225-04