Layer 2 Access List Commands

This section describes the commands used to configure Layer 2 access lists.

For detailed information about concepts and configuration, see the Configure Layer 2 Access Control Lists chapter in the L2VPN and Ethernet Services Configuration Guide for Cisco 8000 Series Routers.

ethernet-services access-group

To control access to an interface, use the ethernet-services access-group command in interface configuration mode.

ethernet-services access-group access-list-name ingress

Syntax Description

access-list-name

Name of an Ethernet services access list as specified by the ethernet-services access-list command.

ingress

Filters on inbound packets.

Command Default

The interface does not have an Ethernet services access list applied to it.

Command Modes

Interface configuration

Command History

Release          Modification
Release 7.5.3    This command was introduced.

Usage Guidelines

Use the ethernet-services access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the access-list-name argument to specify a particular Ethernet services access list. Use the ingress keyword to filter on inbound packets.

If the access list permits the frame's addresses, the software continues to process the packet. If the access list denies them, the software discards the packet.

If the specified access list does not exist, all packets are passed.

By default, the unique or per-interface ACL statistics are disabled.

Task ID

Task ID    Operations
acl        read, write

Examples

The following example shows how to apply an Ethernet services access list to inbound packets on an interface.


Router# configure
Router(config)# interface HundredGigE 0/0/0/24
Router(config-if)# l2transport
Router(config-if)# ethernet-services access-group es_acl_1 ingress
Router(config-if)# commit

ethernet-services access-list

To define an Ethernet services (Layer 2) access list by name, use the ethernet-services access-list command in global configuration mode.

ethernet-services access-list access-list-name

Syntax Description

access-list-name

Name of the Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

Command Default

No Ethernet services access list is defined.

Command Modes

Global configuration

Command History

Release          Modification
Release 7.5.3    This command was introduced.

Usage Guidelines

The ethernet-services access-list command places the router in access list configuration mode, in which the denied or permitted access conditions must be defined.

Layer 2 access control lists are supported only for the following fields: Layer 2 source and destination address, EtherType, outer VLAN ID, inner VLAN ID, Class of Service (CoS), and VLAN DEI.

Task ID

Task ID    Operations
acl        read, write

Examples

The following example shows how to configure an Ethernet services access list and apply it to an interface:


Router# configure
Router(config)# ethernet-services access-list es_acl_1
Router(config-es-acl)# 10 deny 00ff.eedd.0010 ff00.0000.00ff 0000.0100.0001 0000.0000.ffff
Router(config-es-acl)# 20 permit host 000a.000b.000c host 00aa.ab99.1122 cos 1 dei
Router(config-es-acl)# 30 deny host 000a.000b.000c host 00aa.dc11.ba99 cos 7 dei
Router(config-es-acl)# commit
Router(config)# interface HundredGigE 0/0/0/24
Router(config-if)# l2transport
Router(config-if)# ethernet-services access-group es_acl_1 ingress
Router(config-if)# commit

show access-lists ethernet-services

To display the contents of current Ethernet services access lists, use the show access-lists ethernet-services command in EXEC mode.

show access-lists ethernet-services access-list-name [ hardware ] ingress [ detail ] [ location { location | all }]

Syntax Description

access-list-name

Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

hardware

(Optional) Display Ethernet services access list entries in hardware, including the match count for a specific ACL in a particular direction across the line card.

ingress

Filters on inbound packets.

detail

(Optional) Display TCAM entries.

location

(Optional) Display information for a specific node number.

location

Fully qualified location specification.

all

Displays packet filtering usage for all interface cards.

Command Default

The contents of all Ethernet services access lists are displayed.

Command Modes

EXEC mode

Command History

Release          Modification
Release 7.5.3    This command was introduced.

Task ID

Task ID    Operations
acl        read, write

Examples

The following example shows sample output for the show access-lists ethernet-services command:


Router# show access-lists ethernet-services es_acl_1 hardware ingress location 0/0/CPU0
Thu Nov  3 22:02:27.222 UTC
ethernet-services access-list es_acl_1
 10 deny any host fcd7.844c.7486 cos 3   (65334 matches)
 20 deny any host fcd7.844c.7486
 30 permit any any

Router# show access-lists ethernet-services es_acl_1 hardware ingress detail location 0/0/CPU0
Thu Nov  3 22:01:18.620 UTC
es_acl_1 Details:
Sequence Number: 10
Number of DPA Entries: 1
ACL ID: 1
ACE Action: DENY
ACE Logging: DISABLED
Hit Packet Count: 0
Source MAC: 0000:0000:0000
 Source MAC Mask: 0000:0000:0000
Destination MAC: FCD7:844C:7486
 Destination MAC Mask: FFFF:FFFF:FFFF
COS: 0x03 
        Entry Index: 0x0
        DPA Handle: 0x89BF60E8

es_acl_1 Details:
Sequence Number: 20
Number of DPA Entries: 1
ACL ID: 1
ACE Action: DENY
ACE Logging: DISABLED
Hit Packet Count: 0
Source MAC: 0000:0000:0000
 Source MAC Mask: 0000:0000:0000
Destination MAC: FCD7:844C:7486
 Destination MAC Mask: FFFF:FFFF:FFFF
        Entry Index: 0x0
        DPA Handle: 0x89BF62E8

es_acl_1 Details:
Sequence Number: 30
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
Source MAC: 0000:0000:0000
 Source MAC Mask: 0000:0000:0000
Destination MAC: 0000:0000:0000
 Destination MAC Mask: 0000:0000:0000
        Entry Index: 0x0
        DPA Handle: 0x89BF64E8

es_acl_1 Details:
Sequence Number: IMPLICIT DENY
Number of DPA Entries: 1
ACL ID: 1 
ACE Action: DENY
ACE Logging: DISABLED
Hit Packet Count: 0
Source MAC: 0000:0000:0000
 Source MAC Mask: 0000:0000:0000
Destination MAC: 0000:0000:0000
 Destination MAC Mask: 0000:0000:0000
        Entry Index: 0x0
        DPA Handle: 0x89BF66E8
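The detail output above exposes each ACE as a MAC value plus a mask, followed by a trailing IMPLICIT DENY entry. As an added example that is not part of the Cisco documentation or the router software, the following Python parses text in that layout and evaluates frames against it with first-match semantics. It assumes the mask semantics the output implies (a set mask bit means that bit must match, which is why host entries show an all-ones mask and any entries show all zeros); the embedded sample output is constructed from the values on this page, trimmed to the fields the matcher uses.

```python
import re

# Constructed sample in the layout of "show access-lists ethernet-services ... hardware
# ingress detail"; values taken from the page's example, fields the matcher ignores dropped.
DETAIL_OUTPUT = """
es_acl_1 Details:
Sequence Number: 10
ACE Action: DENY
Source MAC: 0000:0000:0000
 Source MAC Mask: 0000:0000:0000
Destination MAC: FCD7:844C:7486
 Destination MAC Mask: FFFF:FFFF:FFFF
COS: 0x03
es_acl_1 Details:
Sequence Number: 30
ACE Action: PERMIT
Source MAC: 0000:0000:0000
 Source MAC Mask: 0000:0000:0000
Destination MAC: 0000:0000:0000
 Destination MAC Mask: 0000:0000:0000
"""

def mac_int(text):
    """'FCD7:844C:7486' or 'fcd7.844c.7486' -> 48-bit integer."""
    return int(re.sub(r"[:.\-]", "", text), 16)

def parse_detail(output):
    """Return the ACEs in display order; the full page output parses too (extra fields are ignored)."""
    aces = []
    for block in output.split("Details:")[1:]:
        f = dict(re.findall(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", block, re.M))
        aces.append({
            "seq": f["Sequence Number"],
            "permit": f["ACE Action"] == "PERMIT",
            "src": (mac_int(f["Source MAC"]), mac_int(f["Source MAC Mask"])),
            "dst": (mac_int(f["Destination MAC"]), mac_int(f["Destination MAC Mask"])),
            # the COS line is absent when the ACE does not match on CoS (assumed from the sample)
            "cos": int(f["COS"], 16) if "COS" in f else None,
        })
    return aces

def evaluate(aces, src, dst, cos):
    """First-match lookup; anything no ACE matches falls through to the implicit deny."""
    s, d = mac_int(src), mac_int(dst)
    for ace in aces:
        (sv, sm), (dv, dm) = ace["src"], ace["dst"]
        # a set mask bit means 'this bit must match', so an all-zero mask is 'any'
        if (s & sm) == (sv & sm) and (d & dm) == (dv & dm) \
                and (ace["cos"] is None or ace["cos"] == cos):
            return ("permit" if ace["permit"] else "deny", ace["seq"])
    return ("deny", "IMPLICIT DENY")
```

Feeding the parser the complete output from the page, including the IMPLICIT DENY block, gives the same result, because that block has all-zero masks and so matches every frame.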


show access-lists ethernet-services usage pfilter

To identify the modes and interfaces on which a particular access list is applied, use the show access-lists ethernet-services usage pfilter command in EXEC mode. The output shows where all or specific access lists are applied, the interfaces on which they are applied, and the direction in which they are applied.

show access-lists ethernet-services access-list-name usage pfilter location { location | all }

Syntax Description

access-list-name

Name of a specific Ethernet services access list. The name cannot contain spaces or quotation marks, but can include numbers.

usage

Displays the usage of the Ethernet services access list on a given interface card.

pfilter

Displays the packet filtering usage for the specified interface card.

location

Interface card on which the access list information is needed.

location

Fully qualified location specification.

all

Displays packet filtering usage for all interface cards.

Command Modes

EXEC mode

Command History

Release          Modification
Release 7.5.3    This command was introduced.

Usage Guidelines

None

Task ID

Task ID    Operations
acl        read, write

Examples

The following example shows how to display packet filter usage at a specific location:


Router# show access-lists ethernet-services es_acl_1 usage pfilter location 0/0/CPU0
Interface : HundredGigE 0/0/0/24 
    Input ACL : es_acl_1 
    Output ACL : N/A