Brocade Mobility RFS4000, RFS6000, and RFS7000 CLI Reference Guide
R5.3.0.0
Part Number: 53-1002619-01
documentation@brocade.com


Access-list : deny

mac-access-list
Table 26 summarizes MAC Access list commands:
Command    Description
deny       Specifies packets to reject
no         Negates a command or sets its default
permit     Configures a permit MAC ACL
service    Invokes service commands to troubleshoot or debug (config-if) instance configurations
deny
Specifies packets to reject
NOTE: Specify an EtherType as a decimal value when implementing a permit/deny designation for a packet. The MAC ACL command set lists the hexadecimal value of each named EtherType; the controller supports all EtherTypes, so for an EtherType that is not listed by name, use its decimal equivalent (the <1-65535> form of the type parameter).
Supported in the following platforms: 
Syntax:
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <MAC>]
[<DESTINATION-MAC> <DESTINATION-MAC-MASK>|any|host <MAC>]
(dot1p <PRIORITY>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|
wisp|ipx],vlan <VLAN>) [log mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|
mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|rule-precedence <1-5000>]
{rule-description <RULE-DESCRIPTION>}
Parameters
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <MAC>]
[<DESTINATION-MAC> <DESTINATION-MAC-MASK>|any|host <MAC>]
(dot1p <PRIORITY>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|
wisp|ipx],vlan <VLAN>) [log mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|
mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|rule-precedence <1-5000>]
{rule-description <RULE-DESCRIPTION>}
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|wisp|ipx]
Specifies the EtherType to match, by name or as a decimal value (1-65535).
aarp – Indicates the AppleTalk Address Resolution Protocol (AARP) payload
wisp – Indicates the Wireless Internet Service Provider (WISP) payload
rule-description <RULE-DESCRIPTION>
Usage Guidelines:
The deny command disallows traffic based on layer 2 (data-link layer) information. The MAC access list denies traffic from a particular source MAC address or from any MAC address. It can also disallow traffic from a range of MAC addresses selected by the source mask.
The MAC access list can also disallow traffic based on VLAN and EtherType.
NOTE: MAC ACLs always take precedence over IP based ACLs.
An implicit deny follows the last ACE in the access list. Whenever the interface receives a packet, its content is checked against the ACEs in the ACL and the packet is allowed or denied according to the ACE it matches; a packet that matches no ACE is dropped by the implicit deny, so every kind of traffic the interface must carry needs an explicit permit.
Example  
rfs7000-37FABE(config-mac-acl-test)#deny 41-85-45-89-66-77 44-22-55-88-77-99 any vlan 1 log rule-precedence 2 rule-description test
rfs7000-37FABE(config-mac-acl-test)#
 
The MAC ACL (in the example below) denies traffic from any source MAC address to a particular host MAC address:
rfs7000-37FABE(config-mac-acl-test)#deny any host 00:01:ae:00:22:11
rfs7000-37FABE(config-mac-acl-test)#
 
The example below denies traffic between two hosts based on MAC addresses:
rfs7000-37FABE(config-mac-acl-test)#deny host 01:02:fe:45:76:89 host 01:02:89:78:78:45
rfs7000-37FABE(config-mac-acl-test)#
Related commands:  
no
Negates a command or sets its default
Supported in the following platforms: 
Syntax:
no [deny|permit]
 
no [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <MAC>]
[<DESTINATION-MAC> <DESTINATION-MAC-MASK>|any|host <MAC>]
(dot1p <PRIORITY>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|
wisp|ipx],vlan <VLAN>) [log mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|
mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|rule-precedence <1-5000>]
{rule-description <RULE-DESCRIPTION>}
Parameters
no [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <MAC>]
[<DESTINATION-MAC> <DESTINATION-MAC-MASK>|any|host <MAC>]
(dot1p <PRIORITY>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|
wisp|ipx],vlan <VLAN>) [log mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|
mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|rule-precedence <1-5000>]
{rule-description <RULE-DESCRIPTION>}
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|wisp|ipx]
Specifies the EtherType to match, by name or as a decimal value (1-65535).
aarp – Indicates the AppleTalk Address Resolution Protocol (AARP) payload
rule-description <RULE-DESCRIPTION>
Example  
rfs7000-37FABE(config-mac-acl-test)#show context
mac access-list test
permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
deny any host 33-44-55-66-77-88 log rule-precedence 700
 
rfs7000-37FABE(config-mac-acl-test)#no deny any host 33-44-55-66-77-88 log rule-precedence 700
 
rfs7000-37FABE(config-mac-acl-test)#show context
mac access-list test
permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
Related commands:  
permit
Configures a permit MAC ACL
NOTE: Specify an EtherType as a decimal value when implementing a permit/deny designation for a packet. The MAC ACL command set lists the hexadecimal value of each named EtherType; the controller supports all EtherTypes, so for an EtherType that is not listed by name, use its decimal equivalent (the <1-65535> form of the type parameter).
Supported in the following platforms: 
Syntax:
permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <MAC>]
[<DESTINATION-MAC> <DESTINATION-MAC-MASK>|any|host <MAC>]
(dot1p <PRIORITY>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|
wisp|ipx],vlan <VLAN>) [log mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|
mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|rule-precedence <1-5000>]
{rule-description <RULE-DESCRIPTION>}
Parameters
permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <MAC>]
[<DESTINATION-MAC> <DESTINATION-MAC-MASK>|any|host <MAC>]
(dot1p <PRIORITY>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|wisp|ipx],
vlan <VLAN>) [log mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|
mark [8021p <VLAN-PRIORITY>|dscp <DSCP>]|rule-precedence <1-5000>]
{rule-description <RULE-DESCRIPTION>}
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|mint|rarp|wisp|ipx]
Specifies the EtherType to match, by name or as a decimal value (1-65535).
wisp – Indicates the Wireless Internet Service Provider (WISP) payload
ipx – Indicates the Novell IPX payload
rule-description <RULE-DESCRIPTION>
Usage Guidelines:
The permit command in the MAC ACL allows traffic based on layer 2 (data-link layer) information. A MAC access list permits traffic from a particular source MAC address or from any MAC address. It can also allow traffic from a range of MAC addresses selected by the source mask.
The MAC access list can be configured to allow traffic based on VLAN information or EtherType. Common types are the named EtherTypes accepted by the type parameter (8021q, aarp, appletalk, arp, ip, ipv6, mint, rarp, wisp and ipx); any other EtherType is given as its decimal value (1-65535).
The controller (by default) does not allow layer 2 traffic to pass through the interface. To adopt an access point through an interface, configure a MAC ACL on that interface that permits the WISP EtherType (type wisp).
Use the mark option to set the DSCP (type of service) value or the 802.1p priority of matching frames. The DSCP value is marked in the IP header and the 802.1p priority value is marked in the 802.1Q (dot1q) tag.
Whenever the interface receives a packet, its content is checked against the ACEs in the ACL, and the packet is permitted, and marked if the matching ACE specifies mark, according to the ACL's configuration.
NOTE: To apply an IP based ACL to an interface, a MAC access list entry that permits ARP (type arp) is mandatory; without it the MAC ACL's implicit deny drops ARP and hosts on that interface cannot resolve addresses. A MAC ACL always takes precedence over IP based ACLs.
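The two requirements above (an interface with a MAC ACL must permit ARP for any IP based ACL to work, and WISP for access point adoption) and the implicit-deny evaluation described under the deny command are easier to reason about with a small model. The following Python is an added example written for this page; it is not Brocade code and does not claim to be how the controller is implemented. It parses ACEs in the `show context` format used in the examples, evaluates a frame against them, and reports which required EtherTypes an ACL fails to permit. It assumes first-match evaluation in ascending rule-precedence order, subnet-mask-style MAC masks (a 1 bit must match, a 0 bit is ignored), a default precedence of 5000 when none is given, and the standard IEEE values for the named EtherTypes (mint and wisp are vendor types matched by keyword only). `GUIDE_ACL` is the ACL from this section's examples; `HARDENED_ACL`, the probe address and the `missing_permits` check are constructed for the example.

```python
# Added example (not Brocade code). Assumed: the first match in ascending
# rule-precedence order decides; masks are subnet-mask style (1 = must match).
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ALL_ONES = 0xFFFFFFFFFFFF  # mask used for "host <MAC>": every bit must match
# Standard IEEE values for the named types; mint/wisp (vendor) match by keyword.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035, "appletalk": 0x809B,
              "aarp": 0x80F3, "8021q": 0x8100, "ipx": 0x8137, "ipv6": 0x86DD}

def mac(text: str) -> int:
    """Parse 11-22-33-44-55-66 or 00:01:ae:00:22:11 into a 48-bit integer."""
    digits = re.sub(r"[-:]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"bad MAC address: {text}")
    return int(digits, 16)

def norm_type(t: Union[str, int]) -> Union[str, int]:
    """Keyword or decimal string (the guide's <1-65535> form) to a comparable value."""
    return ETHERTYPES.get(t, int(t) if str(t).isdigit() else t)

@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    src: int
    src_mask: int
    dst: int
    dst_mask: int
    etype: Optional[Union[str, int]] = None
    vlan: Optional[int] = None
    precedence: int = 5000               # assumed default when omitted

def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec: any | host <MAC> | <MAC> <MASK>."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return mac(tokens[i + 1]), ALL_ONES, i + 2
    return mac(tokens[i]), mac(tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one permit/deny line in the syntax documented in this section."""
    tokens = line.split()
    src, src_mask, i = _addr(tokens, 1)
    dst, dst_mask, i = _addr(tokens, i)
    ace = Ace(tokens[0], src, src_mask, dst, dst_mask)
    while i < len(tokens):
        key = tokens[i]
        if key == "type":
            ace.etype = norm_type(tokens[i + 1]); i += 2
        elif key == "vlan":
            ace.vlan = int(tokens[i + 1]); i += 2
        elif key == "rule-precedence":
            ace.precedence = int(tokens[i + 1]); i += 2
        elif key in ("mark", "dot1p"):   # mark 8021p|dscp <v> is QoS marking only;
            i += 3 if key == "mark" else 2   # dot1p is accepted but not modelled
        elif key == "log":
            i += 1
        elif key == "rule-description":  # free text runs to end of line
            break
        else:
            raise ValueError(f"unknown keyword {key!r} in: {line}")
    return ace

def parse_acl(text: str) -> List[Ace]:
    """Parse `show context` output; ACEs are returned in precedence order."""
    aces = [parse_ace(line) for line in text.splitlines()
            if line.strip().startswith(("permit", "deny"))]
    return sorted(aces, key=lambda a: a.precedence)

def evaluate(acl: List[Ace], src: int, dst: int, etype: Union[str, int],
             vlan: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First ACE whose specified fields all match decides; no match is the implicit deny (None)."""
    for ace in acl:
        if ((src & ace.src_mask) == (ace.src & ace.src_mask)
                and (dst & ace.dst_mask) == (ace.dst & ace.dst_mask)
                and (ace.etype is None or norm_type(etype) == ace.etype)
                and (ace.vlan is None or vlan == ace.vlan)):
            return ace.action, ace.precedence
    return "deny", None

def missing_permits(acl: List[Ace], types=("arp", "wisp")) -> List[str]:
    """Required EtherTypes (arp for IP ACLs, wisp for AP adoption) that a broadcast from an arbitrary station would be denied for."""
    probe_src = mac("00-00-5e-00-53-01")    # constructed, IANA documentation OUI
    return [t for t in types
            if evaluate(acl, probe_src, ALL_ONES, t)[0] != "permit"]

# The ACL shown in this page's permit and no examples (show context output).
GUIDE_ACL = """mac access-list test
permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
deny any host 33-44-55-66-77-88 log rule-precedence 700
"""
# Constructed variant that adds the ARP and WISP permits the notes call for.
HARDENED_ACL = GUIDE_ACL.replace("test\n", "test\npermit any any type arp "
    "rule-precedence 10\npermit any any type wisp rule-precedence 20\n", 1)
```

Running `missing_permits(parse_acl(GUIDE_ACL))` returns `["arp", "wisp"]`: the ACL from the examples has no ACE that an ARP or WISP broadcast from an unlisted station can match, so both fall through to the implicit deny and neither an IP ACL nor AP adoption would work on an interface carrying it. `HARDENED_ACL` puts the two permits at low precedence values so they are evaluated before the host-specific rules, and the same check returns an empty list. The mask handling follows the assumption stated in the lead-in; confirm the controller's mask semantics on a test interface before relying on masked entries for enforcement.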
Example  
rfs7000-37FABE(config-mac-acl-test)#show context
mac access-list test
 
rfs7000-37FABE(config-mac-acl-test)#permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
rfs7000-37FABE(config-mac-acl-test)#permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
 
rfs7000-37FABE(config-mac-acl-test)#show context
mac access-list test
permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
Related commands:  
