Three different management-access-filter policies can be configured: ip-filter, ipv6-filter, and mac-filter. Each policy is an ordered list of entries. For this reason, entries must be sequenced correctly from the most to the least explicit.
Management Access filter (MAF) packet match rules:
Each MAF policy is an ordered list of entries, therefore entries must be sequenced correctly from the most to the least explicit.
If multiple match criteria are specified in a single MAF filter policy entry, all criteria must be met for the packet to be considered a match against that policy entry (logical AND).
Any match criteria not explicitly defined is ignored during a match.
A MAF filter policy entry with match criteria defined, but no action configured, inherits the default action.
The management-access-filter default-action applies individually per IPv4, IPv6, or MAC CPM filter policies that are in a no shutdown state.
When both mac-filter and ip-filter or ipv6-filter are applied to a specific packet, mac-filter is applied first.