This is the documentation for the 20.02 version. Looking for the documentation of the latest version? Have a look here.


MACIP ACLs and layer 3 ACLs (Standard ACLs) work similarly, but MACIP ACLs match traffic at layer 2 using MAC addresses.

Since MACIP ACLs work with layer 2 information, they can only effectively function on interfaces which support operating at layer 2, such as Ethernet. Additionally, MACIP ACLs can only match layer 2 interface packets from neighboring hosts on directly connected networks.


The MAC address of a remote host that reaches TNSR via routing though another gateway cannot be determined, thus cannot be matched by a MACIP ACL.

For example, traffic arriving at TNSR from the Internet via Ethernet will typically have a source MAC address of the default gateway or routing peer, and not the actual source of the traffic.

MACIP ACLs may only be applied in the input direction, and only match source addresses.

description <text>:

Text describing the purpose of this ACL.

action <name>:

Determines how the rule governs packets that match.


Drops a packet which matches this rule.


Passes a single packet matching the rule.

ip-version (ipv4|ipv6):

Controls whether IPv4 or IPv6 packets will be matched by the rule. This is required when an address is present for the rule, and governs validation of the address value when applicable.

address <ip-prefix>:

Match the source IPv4 or IPv6 address of a packet.

mac address <mac-address>:

Optionally specifies a MAC address to block, in six groups of two colon-separated hexadecimal values, such as 00:11:22:33:44:55. When unset, the default value is 00:00:00:00:00:00 and uses the same value for a mask, which will match any MAC address.

mac mask <mac-mask>:

Optionally specifies a mask which defines portions of a MAC address to match, similar to an IP Prefix value. Given in six groups of two colon-separated hexadecimal values, such as ff:ff:ff:00:00:00, which matches the first half of a given MAC address. A mask of ff:ff:ff:ff:ff:ff matches an entire MAC address exactly. A mask of 00:00:00:00:00:00 matches any MAC address, and is the default behavior when no mask is set.


tnsr(config)# macip blockamac
tnsr(config-macip)# rule 10
tnsr(config-macip-rule)# action deny
tnsr(config-macip-rule)# mac address 00:11:22:33:44:55
tnsr(config-macip-rule)# mac mask ff:ff:ff:ff:ff:ff
tnsr(config-macip-rule)# exit
tnsr(config-macip)# exit
tnsr(config)# int GigabitEthernet0/14/2
tnsr(config-interface)# access-list macip blockamac
tnsr(config-interface)# exit