Configuring MAC ACLs

This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices.

About MAC ACLs

MAC ACLs are ACLs that use information in the Layer 2 header of frames (source MAC address, destination MAC address, and EtherType) to filter traffic. MAC ACLs share many fundamental concepts with IP ACLs, including sequence-numbered rules and support for virtualization. Because a MAC ACL matches only on fields that the sending host writes into its own frames, it restricts which frames a port accepts but does not authenticate the sender: a host can spoof a permitted source MAC address.
Guidelines and Limitations for MAC ACLs

MAC ACLs have the following configuration guidelines and limitations:

- MAC ACLs apply to ingress traffic only. A MAC ACL filters frames received on the interface where it is applied; it does not filter frames that the interface transmits.
- If you try to apply too many ACL entries, the configuration might be rejected. ACL entries consume finite hardware (TCAM) resources.
- MAC packet classification is not supported.
Default Settings for MAC ACLs

This table lists the default settings for MAC ACL parameters.

| Parameters | Default |
|---|---|
| MAC ACLs | No MAC ACLs exist by default |
| ACL rules | Implicit rules apply to all ACLs |

The implicit rule at the end of every MAC ACL denies all frames that no explicit rule matched, so a frame that is not explicitly permitted is dropped.
Creating a MAC ACL

You can create a MAC ACL and add rules to it.

| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | mac access-list name | Creates the MAC ACL and enters ACL configuration mode. |
| 3 | {permit \| deny} source destination [protocol] | Creates a rule in the MAC ACL. The permit and deny commands support many ways of identifying traffic. |
| 4 | (Optional) statistics per-entry | Specifies that the device maintains match statistics for each rule in the ACL. The counters are global to the ACL, aggregated across every interface where the ACL is applied, rather than kept per interface. |
| 5 | (Optional) show mac access-lists name | Displays the MAC ACL configuration. |
| 6 | (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration. |
Changing a MAC ACL

You can change a MAC ACL by adding and removing rules and by enabling or disabling per-entry statistics. Changes to an ACL that is already applied to an interface take effect on that interface as you make them.

Use the show mac access-lists command with the summary keyword to find the interfaces on which a MAC ACL is configured.

| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | mac access-list name | Enters ACL configuration mode for the ACL that you specify by name. |
| 3 | (Optional) [sequence-number] {permit \| deny} source destination [protocol] | Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL; rules are evaluated in sequence-number order and the first match wins. Without a sequence number, the rule is added to the end of the rules. The permit and deny commands support many ways of identifying traffic. |
| 4 | (Optional) no {sequence-number \| {permit \| deny} source destination [protocol]} | Removes the rule that you specify, by sequence number or by repeating the rule, from the MAC ACL. |
| 5 | (Optional) [no] statistics per-entry | Specifies that the device maintains match statistics for each rule in the ACL. The no option stops the device from maintaining statistics for the ACL. |
| 6 | (Optional) show mac access-lists name | Displays the MAC ACL configuration. |
| 7 | (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration. |
Changing Sequence Numbers in a MAC ACL

You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers between the existing rules.

| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | resequence mac access-list name starting-sequence-number increment | Assigns sequence numbers to the rules contained in the ACL. The first rule receives the starting-sequence-number that you specify, and each subsequent rule receives the preceding rule's number plus the increment that you specify. The relative order of the rules does not change. |
| 3 | (Optional) show mac access-lists name | Displays the MAC ACL configuration. |
| 4 | (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration. |
Removing a MAC ACL

You can remove a MAC ACL from the device. After removing it, check for interfaces that still reference the deleted ACL and remove those references, so that no interface is left pointing at an ACL that no longer exists.

| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | no mac access-list name | Removes the MAC ACL that you specify by name from the running configuration. |
| 3 | (Optional) show mac access-lists name summary | Displays the MAC ACL configuration. If the ACL remains applied to an interface, the command lists the interfaces. |
| 4 | (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration. |
Applying a MAC ACL as a Port ACL

You can apply a MAC ACL as a port ACL to any of the following interface types:

- Layer 2 Ethernet interfaces
- Layer 2 port-channel interfaces

Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application. Because MAC ACLs apply to ingress traffic only, the port ACL filters frames that the interface receives, not frames that it transmits.

| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface ethernet slot/port | Enters interface configuration mode for the Layer 2 Ethernet interface that you specify. |
| | interface port-channel channel-number | Enters interface configuration mode for the Layer 2 port-channel interface that you specify. |
| 3 | mac port access-group access-list | Applies the MAC ACL to the interface as a port ACL. |
| 4 | (Optional) show running-config aclmgr | Displays the ACL configuration, including the interfaces to which ACLs are applied. |
| 5 | (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration. |
Applying a MAC ACL as a VACL

You can apply a MAC ACL as a VACL.
Verifying the MAC ACL Configuration

To display MAC ACL configuration information, perform one of the following tasks:

| Command | Purpose |
|---|---|
| show mac access-lists | Displays the MAC ACL configuration. |
| show running-config aclmgr [all] | Displays the ACL configuration, including MAC ACLs and the interfaces to which MAC ACLs are applied. |
| show startup-config aclmgr [all] | Displays the ACL startup configuration. |
Monitoring and Clearing MAC ACL Statistics

To monitor or clear MAC ACL statistics, use one of the commands in this table.

| Command | Purpose |
|---|---|
| show mac access-lists | Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule. |
| clear mac access-list counters | Clears statistics for MAC ACLs. |
Configuration Example for MAC ACLs

The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:

mac access-list acl-mac-01
permit 00c0.4f00.0000 0000.00ff.ffff any 0x0806
interface ethernet 2/1
mac port access-group acl-mac-01

The single rule permits ARP frames (EtherType 0x0806) from any source MAC address in the 00c0.4f OUI to any destination. Every other frame received on Ethernet 2/1, including IPv4 traffic from those same hosts, is dropped by the implicit deny at the end of the ACL.
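The rule semantics that the procedures above describe (sequence numbers, first-match evaluation, the implicit deny, per-entry statistics, and resequencing), as an added Python model that is not part of the Cisco documentation or of NX-OS. It assumes that the MAC mask is a wildcard mask in which a set bit means the corresponding address bit is ignored (which is what makes the example's 00c0.4f00.0000 0000.00ff.ffff an OUI match), that a rule entered without a sequence number receives the previous rule's number plus 10 (10 for the first rule), and that the ACL text and the frames in the demo are constructed for the example.

```python
"""Model of NX-OS MAC ACL rule semantics (added example, not Cisco code).

Assumptions (not stated on the page): the MAC mask is a wildcard mask in
which a set bit means "ignore this address bit"; rules are evaluated in
sequence-number order and the first match wins; a frame that matches no
rule is dropped by the implicit deny; a rule entered without a sequence
number gets the previous rule's number plus 10 (10 for the first rule).
The ACL text and frames in __main__ are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAC_BITS = 0xFFFFFFFFFFFF          # 48-bit address space
ANY = (0, MAC_BITS)                # 'any': address 0 with every bit ignored


def mac_to_int(mac: str) -> int:
    """Parse dotted ('00c0.4f12.3456'), colon or dash hex notation to an int."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class MacRule:
    seq: int
    action: str               # "permit" or "deny"
    src: int
    src_wild: int             # wildcard: 1 bits are not compared
    dst: int
    dst_wild: int
    proto: Optional[int]      # EtherType, None matches any protocol
    matches: int = 0          # the 'statistics per-entry' counter

    def matches_frame(self, src: int, dst: int, ethertype: int) -> bool:
        # Compare only the address bits whose wildcard bit is 0.
        if (src ^ self.src) & ~self.src_wild & MAC_BITS:
            return False
        if (dst ^ self.dst) & ~self.dst_wild & MAC_BITS:
            return False
        return self.proto is None or self.proto == ethertype


def _take_addr(tokens: list) -> tuple:
    """Consume 'any' or '<mac> <wildcard>' from the front of tokens."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    return mac_to_int(tokens.pop(0)), mac_to_int(tokens.pop(0))


class MacAcl:
    """One 'mac access-list', holding rules in sequence-number order."""

    def __init__(self, name: str):
        self.name = name
        self.rules: list = []

    def add_rule(self, line: str) -> MacRule:
        """Add '[sequence-number] {permit | deny} source destination [protocol]'."""
        tokens = line.split()
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        else:
            seq = self.rules[-1].seq + 10 if self.rules else 10   # assumed default step
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"expected permit or deny, got {action!r}")
        src, src_wild = _take_addr(tokens)
        dst, dst_wild = _take_addr(tokens)
        proto = int(tokens.pop(0), 16) if tokens else None       # EtherType in hex
        rule = MacRule(seq, action, src, src_wild, dst, dst_wild, proto)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return rule

    def remove_rule(self, seq: int) -> None:
        """'no <sequence-number>' in ACL configuration mode."""
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start: int, increment: int) -> None:
        """'resequence mac access-list <name> <start> <increment>': order is kept."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * increment

    def evaluate(self, src: str, dst: str, ethertype: int) -> str:
        """Return 'permit' or 'deny' for an ingress frame; first match wins."""
        s, d = mac_to_int(src), mac_to_int(dst)
        for rule in self.rules:
            if rule.matches_frame(s, d, ethertype):
                rule.matches += 1
                return rule.action
        return "deny"          # implicit deny at the end of every MAC ACL


if __name__ == "__main__":
    acl = MacAcl("acl-mac-01")
    acl.add_rule("permit 00c0.4f00.0000 0000.00ff.ffff any 0x0806")  # the page's rule
    # Constructed frames: ARP from the permitted OUI, IPv4 from it, ARP from another OUI.
    for frame in [("00c0.4f12.3456", "ffff.ffff.ffff", 0x0806),
                  ("00c0.4f12.3456", "ffff.ffff.ffff", 0x0800),
                  ("0011.2212.3456", "ffff.ffff.ffff", 0x0806)]:
        print(frame, "->", acl.evaluate(*frame))
    print(f"seq {acl.rules[0].seq} matches={acl.rules[0].matches}")
```

Running the block permits only the ARP frame from the 00c0.4f OUI; the IPv4 frame from the same host and the ARP frame from another OUI fall through to the implicit deny, and the rule's counter ends at 1. Adding `5 deny any any 0x0806` with an explicit sequence number, as the Changing procedure allows, places it ahead of the permit and flips that first result, which is why an ACL must be read in sequence order rather than in the order the rules were typed.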