ACL Commands

Default Configuration
No MAC ACL is defined.

Command Mode
MAC-Access List Configuration mode.

User Guidelines
• Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list, and those packets that do not match the conditions defined in the permit statement are denied.
• If the VLAN ID is specified, the policy map cannot be connected to the VLAN interface.

Example
The following example shows how to create a MAC ACL with permit rules.

Console(config)# mac access-list macl-acl1
Console(config-mac-al)# permit 6:6:6:6:6:6 0:0:0:0:0:0 any vlan 6

deny (MAC)
The deny MAC-Access List Configuration mode command denies traffic if the conditions defined in the deny statement match.

Syntax
deny [disable-port] {any | {source source-wildcard}} {any | {destination destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype eth-type] [inner-vlan vlan-id]
• disable-port — Indicates that the port is disabled if the condition is matched.
• source — Specifies the MAC address of the host from which the packet was sent.
• source-wildcard — Specifies wildcard bits to the source MAC address by placing 1s in bit positions to be ignored.
• any — Specify a MAC address and mask. For example, to set 00:00:00:00:10:XX use the MAC address 00:00:00:00:10:00 and mask 00:00:00:00:00:FF.
• destination — Specifies the MAC address of the host to which the packet is being sent.
• destination-wildcard — Specifies wildcard bits to the destination MAC address by placing 1s in bit positions to be ignored.
• vlan-id — Specifies the VLAN ID of the packet. (Range: 1 - 4094)

5400_CLI.book Page 81 Wednesday, December 17, 2008 4:33 PM
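The wildcard and implied-deny behaviour described above can be checked offline before an ACL is applied to a port. The following Python model is an added example, not code from the switch or its vendor. It assumes ACEs are evaluated in order with the first match deciding the result, and it models only the source, destination and vlan fields; the function names and the sample ACL are constructed for illustration.

```python
# Added illustration of the matching rules in this section; not switch firmware code.

def mac_to_int(mac):
    """Parse a colon-separated MAC such as 6:6:6:6:6:6 into a 48-bit integer."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"expected 6 octets: {mac!r}")
    value = 0
    for octet in octets:
        byte = int(octet, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"octet out of range in {mac!r}")
        value = (value << 8) | byte
    return value

def field_matches(spec, mac):
    """spec is 'any' or an (address, wildcard) pair; wildcard 1-bits are ignored."""
    if spec == "any":
        return True
    address, wildcard = (mac_to_int(part) for part in spec)
    care = ~wildcard & 0xFFFFFFFFFFFF  # bits that must be equal
    return (mac_to_int(mac) & care) == (address & care)

def evaluate(acl, src, dst, vlan):
    """Return 'permit' or 'deny' for one frame; acl is an ordered list of ACE dicts."""
    if not acl:
        return "permit"  # no ACE defined yet: all packets are permitted
    for ace in acl:  # assumption: first matching ACE wins
        if (field_matches(ace["source"], src)
                and field_matches(ace["destination"], dst)
                and ace.get("vlan") in (None, vlan)):
            return ace["action"]
    return "deny"  # implied deny-any-any at the end of the list

# Constructed sample ACL: a deny for 00:00:00:00:10:XX, then the permit rule
# from the example in this section.
SAMPLE_ACL = [
    {"action": "deny", "source": ("00:00:00:00:10:00", "00:00:00:00:00:FF"),
     "destination": "any"},
    {"action": "permit", "source": ("6:6:6:6:6:6", "0:0:0:0:0:0"),
     "destination": "any", "vlan": 6},
]
```

Evaluating a frame from 6:6:6:6:6:6 on any VLAN other than 6 returns deny, which shows how a single permit ACE turns the previously open port into default-deny for everything it does not list.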