Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

MAC access control entries

Access control entries (ACEs) are the rules that determine traffic classifications for access control lists (ACLs). You can define MAC address ACEs based on criteria, such as source and destination MAC addresses and masks, VLAN IDs, and quality of service (QoS).

MAC ACE

The MAC ACE tab shows details of the MAC ACEs configured on your switch.

To create a new MAC ACE, click Add, configure the ACE, and click Apply to save your settings.

You can configure the following settings:

  • ACL name: The ACL the ACE belongs to.
  • Sequence: The sequence number sets the order in which the switch applies the ACE. Choose a value from 1 to 2147483647, with 1 being the first rule processed.
  • Action: The action taken by the switch if a packet matches the criteria. Select Permit to forward traffic that matches the ACE criteria or Deny to drop it.
  • VLAN ID: The VLAN ID to which the MAC address belongs. The range is from 1 to 4094. For any VLAN, leave the field empty.
  • Source MAC address: The MAC address from which the traffic originates.
  • Source MAC address mask: The wildcard mask for the source MAC address. You can use any combination of f and 0. f matches the specified bits exactly. 0 matches any bit. See Examples.
  • Destination MAC address: The MAC address to which the traffic is sent.
  • Destination MAC address mask: The wildcard mask for the destination MAC address. You can use any combination of f and 0. f matches the specified bits exactly. 0 matches any bit. See Examples.
  • 802.1p value: 802.1p is a QoS priority standard. Select a value from 0 to 7. 0 is the lowest priority. See Quality of service (QoS).
  • EtherType value: EtherType is a hexadecimal value that indicates the protocol used and is the basis of 802.1Q VLAN tagging. You can only use this option to filter Ethernet II formatted packets. See EtherTypes.

Examples

Here are some examples of how to use MAC address wildcard masks.

Exact match

A MAC address of a1:b2:c3:d4:e5:66 with a wildcard mask of ff:ff:ff:ff:ff:ff only matches a1:b2:c3:d4:e5:66.

Partial match

A MAC address of a1:b2:c3:d4:e5:66 with a wildcard mask of ff:ff:ff:00:00:00 matches any MAC address starting with a1:b2:c3, regardless of what bits the last three octets contain.
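The following Python sketch is an added example, not Sophos code. It models the mask matching described above so you can check which frames a planned ACE would catch before applying it. The dictionary field names, the sample ACEs, and the first-match-wins evaluation are assumptions made for illustration; the function returns `None` when no ACE matches because this page doesn't state the switch's default action.

```python
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def mac_to_int(mac):
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)

def mask_to_int(mask):
    # A mask may only use the hex digits f (compare) and 0 (ignore).
    value = mac_to_int(mask)
    if set(mask.lower().replace(":", "")) - {"f", "0"}:
        raise ValueError(f"mask may contain only f and 0: {mask!r}")
    return value

def mac_matches(candidate, rule_mac, mask):
    # Compare only the bits selected by f digits in the mask.
    m = mask_to_int(mask)
    return (mac_to_int(candidate) & m) == (mac_to_int(rule_mac) & m)

def ace_matches(ace, frame):
    # An empty VLAN ID (None here) matches any VLAN.
    if ace["vlan"] is not None and ace["vlan"] != frame["vlan"]:
        return False
    return (mac_matches(frame["src"], ace["src"], ace["src_mask"])
            and mac_matches(frame["dst"], ace["dst"], ace["dst_mask"]))

def evaluate(aces, frame):
    # Assumption: ACEs are tried in ascending sequence and the first match decides.
    for ace in sorted(aces, key=lambda a: a["seq"]):
        if ace_matches(ace, frame):
            return ace["seq"], ace["action"]
    return None  # no ACE matched; default behaviour is not modelled

ANY = "00:00:00:00:00:00"  # all-zero mask: every bit ignored
# Constructed sample ACEs, deliberately listed out of sequence order.
SAMPLE_ACES = [
    {"seq": 20, "action": "deny", "vlan": None, "src": "a1:b2:c3:00:00:00",
     "src_mask": "ff:ff:ff:00:00:00", "dst": ANY, "dst_mask": ANY},
    {"seq": 10, "action": "permit", "vlan": 10, "src": "a1:b2:c3:d4:e5:66",
     "src_mask": "ff:ff:ff:ff:ff:ff", "dst": ANY, "dst_mask": ANY},
]
```

With these sample ACEs, the exact-match permit at sequence 10 applies only on VLAN 10; the same source address on another VLAN falls through to the prefix deny at sequence 20.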