198 | Access Control    www.dell.com | support.dell.com

Note that the order of the rules is important: when a packet matches multiple rules in an ACL, the first rule created in the ACL takes precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL will be denied access.

Loopback interface ACL: For IP ACLs, the priority given to an ACL assigned to the loopback interface affects the number of rules applied to ports and the order in which they are applied, just as if the ACL and its priority setting were assigned to each port. For details, see Protecting the Management Interface with a Loopback ACL on page 201.

SFTOS supports two types of filtering: extended MAC ACLs and IP ACLs. For both types, the general process for using them is the same:

1. Create the access list.
2. Apply the access list either globally to all ports or to an individual interface.

Common ACL Commands

MAC ACL Commands

MAC Access Control Lists (ACLs) ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.

The following rules apply to MAC ACLs:

• The maximum number of ACLs you can create is 100, regardless of type.
• The system supports only Ethernet II frame types.
• The maximum number of rules per MAC ACL is hardware-dependent.
• On the S50 system, if you configure an IP ACL (see IP ACL Commands on page 200) on an interface, you cannot configure a MAC ACL on the same interface.

To create a MAC ACL identified by name:

— mac access-list extended name

    Force10 (Config)#mac access-list extended ml-1

Define rules for the selected MAC ACL, consisting of classification fields defined for the Layer 2 header of an Ethernet frame:

— {deny|permit} {srcmac | any} {dstmac | any} [assign-queue queue-id_0-6] [cos 0-7] [ethertypekey] [0x0600-0xFFFF] [redirect unit/slot/port] [vlan {eq 0-4095}]

Note: For syntax details on ACL commands, see the Quality of Service chapter in the SFTOS Command Reference.

Figure 13-156. Creating a Rule for a MAC Access List

    Force10 (Config)#mac access-list extended ml-1
    Force10 (Config-mac-access-list)#permit 01:80:c2:00:00:00 any assign-queue 4
    Force10 (Config-mac-access-list)#permit any 01:80:c2:00:00:FF assign-queue 3 redirect 1/0/10
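
The first-match precedence and implicit deny described above can be checked against the two rules of ml-1 with a small model. This is an added example, not code from the SFTOS guide or from Dell/Force10; it assumes exact-match MAC addresses, handles only the assign-queue and redirect options, and the names parse_rule, evaluate, ML_1 and FRAMES as well as the sample frames are constructed for illustration.

```python
# Simplified model of MAC ACL evaluation: rules are tried in creation order,
# the first match wins, and a frame that matches no rule is denied.
# Assumption: exact-match addresses only; cos, ethertype and vlan are not modelled.

def parse_rule(line):
    """Parse '{deny|permit} {srcmac|any} {dstmac|any} [assign-queue N] [redirect u/s/p]'."""
    tok = line.split()
    if len(tok) < 3 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"not a MAC ACL rule: {line!r}")
    rule = {"action": tok[0], "src": tok[1].lower(), "dst": tok[2].lower(),
            "queue": None, "redirect": None}
    opts = tok[3:]
    if len(opts) % 2:
        raise ValueError(f"option without a value in: {line!r}")
    for key, val in zip(opts[::2], opts[1::2]):
        if key == "assign-queue":
            rule["queue"] = int(val)
        elif key == "redirect":
            rule["redirect"] = val
        else:
            raise ValueError(f"option not modelled here: {key}")
    return rule

def evaluate(rules, src, dst):
    """Return (rule_number, action, queue, redirect) for the first matching rule.
    Rule number 0 means nothing matched and the implicit deny applied."""
    for n, r in enumerate(rules, start=1):
        if r["src"] in ("any", src.lower()) and r["dst"] in ("any", dst.lower()):
            return n, r["action"], r["queue"], r["redirect"]
    return 0, "deny", None, None

# The two rules of ACL ml-1 from Figure 13-156, in creation order.
ML_1 = [parse_rule("permit 01:80:c2:00:00:00 any assign-queue 4"),
        parse_rule("permit any 01:80:c2:00:00:FF assign-queue 3 redirect 1/0/10")]

# Constructed sample frames: (source MAC, destination MAC).
FRAMES = [
    ("01:80:c2:00:00:00", "01:80:c2:00:00:ff"),  # matches both rules
    ("00:00:5e:00:53:01", "01:80:c2:00:00:ff"),  # matches the second rule only
    ("00:00:5e:00:53:01", "00:00:5e:00:53:02"),  # matches no rule
]

if __name__ == "__main__":
    for src, dst in FRAMES:
        print(src, "->", dst, evaluate(ML_1, src, dst))
```

The first frame matches both rules but is queued by rule 1 and not redirected; creating the same two rules in the opposite order would redirect it to 1/0/10 instead.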