7 access-list(mac standard), Access, List – PLANET XGS3-24040 User Manual

Page 735: Mac standard


Commands for Security Function Chapter 2 Commands for 802.1x


matching, deny access; permit: if the rules match, permit access;

any-source-mac: any source MAC address;

any-destination-mac: any destination MAC address;

host_smac, smac: source MAC address;

smac-mask: mask (reverse mask) of the source MAC address;

host_dmac, dmac: destination MAC address;

dmac-mask: mask (reverse mask) of the destination MAC address;

protocol: name or number of the IP protocol. It can be a keyword: eigrp, gre, icmp, igmp, igrp, ip, ipinip, ospf, tcp, or udp, or an integer from 0-255 giving the IP protocol number. Use the keyword 'ip' to match all Internet protocols (including ICMP, TCP, and UDP);

source-host-ip, source: number of the source network or source host the packet is sent from, a 32-bit binary number written in dotted decimal notation;

host: means the address is the IP address of the source host, otherwise it is the IP address of a network;

source-wildcard: reverse mask of the source IP, a 32-bit binary number written in dotted decimal notation;

destination-host-ip, destination: number of the destination network or host to which packets are delivered, a 32-bit binary number written in dotted decimal notation;

host: means the address is the destination host address, otherwise it is the network IP address;

destination-wildcard: reverse mask of the destination, a 32-bit binary number written in dotted decimal notation;

s-port (optional): means the TCP/UDP source port must be matched;

port1 (optional): value of the TCP/UDP source port number, an integer from 0-65535;

d-port (optional): means the TCP/UDP destination port must be matched;

<sPortMin>: the lower boundary of the source port;

<sPortMax>: the upper boundary of the source port;

port3 (optional): value of the TCP/UDP destination port number, an integer from 0-65535;

<dPortMin>: the lower boundary of the destination port;

<dPortMax>: the upper boundary of the destination port;

[ack] [fin] [psh] [rst] [urg] [syn] (optional): TCP only; several flag bits may be selected. A TCP packet forms a match when the corresponding flag bits are set in it, which allows the packets that initialize a TCP connection to be matched;

precedence (optional): packets can be filtered by priority, which is a number from 0-7;

tos (optional): packets can be filtered by service type, which is a number from 0-15;

icmp-type (optional): ICMP packets can be filtered by packet type, which is a number from 0-255;

icmp-code (optional): ICMP packets can be filtered by packet code, which is a number from 0-255;

igmp-type (optional): IGMP packets can be filtered by IGMP packet name or packet type, which is a number from 0-255;

<time-range-name>: name of the time range.

Command Mode: Global mode

Default Configuration: No access-list configured.

Usage Guide: When the user specifies a given <num> for the first time, the ACL with that serial number is created, and the rules are then added to this ACL. Access lists numbered 3200-3299 can be configured with a non-contiguous reverse mask for the IP address.

Examples: Permit the passage of TCP packets with source MAC 00-12-34-45-XX-XX, any destination MAC address, source IP address 100.1.1.0 0.255.255.255, source port 100 and destination port 40000.

Switch(config)#access-list 3199 permit 00-12-34-45-67-00 00-00-00-00-FF-FF any-destination-mac tcp 100.1.1.0 0.255.255.255 s-port 100 any-destination d-port 40000
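The example rule above evaluated in Python, as an added example that is not part of the manual: it shows which packets the reverse masks admit (0.255.255.255 matches every source in 100.0.0.0/8) and tests whether a reverse mask is contiguous, the distinction the Usage Guide draws for lists 3200-3299. The bit semantics (a 1 bit means "ignore") and all helper names are assumptions.

```python
import ipaddress

def mac_to_int(mac: str) -> int:
    """Parse a dash-separated MAC such as 00-12-34-45-67-00."""
    octets = mac.split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC: {mac!r}")
    return int("".join(octets), 16)

def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(value: int, base: int, reverse_mask: int) -> bool:
    """Assumed semantics: a 1 bit in the reverse mask means 'ignore this bit'."""
    return ((value ^ base) & ~reverse_mask) == 0

def is_contiguous(reverse_mask: int) -> bool:
    """True for masks shaped 0...01...1, e.g. 0.255.255.255."""
    return (reverse_mask & (reverse_mask + 1)) == 0

# access-list 3199 from the example above, transcribed as data.
RULE = {"smac": ("00-12-34-45-67-00", "00-00-00-00-FF-FF"), "proto": "tcp",
        "sip": ("100.1.1.0", "0.255.255.255"), "s_port": 100, "d_port": 40000}

def rule_permits(pkt: dict, rule: dict = RULE) -> bool:
    smac, smask = (mac_to_int(x) for x in rule["smac"])
    sip, swild = (ip_to_int(x) for x in rule["sip"])
    return (wildcard_match(mac_to_int(pkt["smac"]), smac, smask)
            and pkt["proto"] == rule["proto"]
            and wildcard_match(ip_to_int(pkt["sip"]), sip, swild)
            and pkt["s_port"] == rule["s_port"]
            and pkt["d_port"] == rule["d_port"])

def packet(smac, sip, proto="tcp", s_port=100, d_port=40000) -> dict:
    return {"smac": smac, "sip": sip, "proto": proto,
            "s_port": s_port, "d_port": d_port}

# Constructed sample packets (not from the manual).
SAMPLES = {
    "in range": packet("00-12-34-45-AB-CD", "100.200.3.4"),
    "other /8": packet("00-12-34-45-AB-CD", "101.1.1.5"),
    "other MAC prefix": packet("00-12-34-46-67-00", "100.1.1.5"),
    "udp": packet("00-12-34-45-67-00", "100.1.1.5", proto="udp"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {'permit' if rule_permits(pkt) else 'no match'}")
    print("0.255.0.255 contiguous:", is_contiguous(ip_to_int("0.255.0.255")))
```

A packet reported as "no match" is not decided by this rule alone; it falls through to whatever rules follow in the list.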

41.7 access-list(mac standard)

Command: access-list <num> {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}}

no access-list <num>
