M Commands


This chapter describes the Cisco NX-OS security commands that begin with M.

mac access-list

To create a Media Access Control (MAC) access control list (ACL) or to enter MAC access list configuration mode for a specific ACL, use the mac access-list command. To remove a MAC ACL, use the no form of this command.

mac access-list access-list-name

no mac access-list access-list-name

Syntax Description

access-list-name

Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long.


Command Default

No MAC ACLs are defined by default.

Command Modes

Global configuration mode

Command History

Release         Modification
4.0(0)N1(1a)    This command was introduced.


Usage Guidelines

Use MAC ACLs to filter non-IP traffic.

When you use the mac access-list command, the switch enters MAC access list configuration mode, where you can use the deny (MAC) and permit (MAC) commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.

Use the mac access-group command to apply the ACL to an interface.

Every MAC ACL has the following implicit rule as its last rule:

deny any any protocol

This implicit rule ensures that the switch denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.

Examples

This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:

switch(config)# mac access-list mac-acl-01
switch(config-acl)#

Related Commands

Command                  Description
deny (MAC)               Configures a deny rule in a MAC ACL.
mac access-group         Applies a MAC ACL to an interface.
permit (MAC)             Configures a permit rule in a MAC ACL.
show mac access-lists    Displays all MAC ACLs or a specific MAC ACL.


mac port access-group

To apply a MAC access control list (ACL) to an interface, use the mac port access-group command. To remove a MAC ACL from an interface, use the no form of this command.

mac port access-group access-list-name

no mac port access-group access-list-name

Syntax Description

access-list-name

Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long.


Command Default

None

Command Modes

Interface configuration mode
Virtual Ethernet interface configuration mode

Command History

Release         Modification
4.0(0)N1(1a)    This command was introduced.
5.1(3)N1(1)     Support for this command was added for virtual Ethernet interfaces.


Usage Guidelines

By default, no MAC ACLs are applied to an interface.

MAC ACLs apply to non-IP traffic.

You can use the mac port access-group command to apply a MAC ACL as a port ACL to the following interface types:

Layer 2 interfaces

Layer 2 EtherChannel interfaces

Virtual Ethernet interfaces

You can also apply a MAC ACL as a VLAN ACL. For more information, see the match command.

The switch applies MAC ACLs only to inbound traffic. When the switch applies a MAC ACL, the switch checks packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.

If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

Examples

This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 1/2:

switch(config)# interface ethernet 1/2
switch(config-if)# mac port access-group mac-acl-01
switch(config-if)#

This example shows how to remove a MAC ACL named mac-acl-01 from Ethernet interface 1/2:

switch(config)# interface ethernet 1/2
switch(config-if)# no mac port access-group mac-acl-01
switch(config-if)#

This example shows how to apply a MAC ACL named mac-acl-03 to a specific virtual Ethernet interface:

switch# configure terminal
switch(config)# interface vethernet 1
switch(config-if)# mac port access-group mac-acl-03
switch(config-if)#

Related Commands

Command                          Description
interface vethernet              Configures a virtual Ethernet interface.
mac access-list                  Configures a MAC ACL.
show access-lists                Displays all ACLs.
show mac access-lists            Shows either a specific MAC ACL or all MAC ACLs.
show running-config interface    Shows the running configuration of all interfaces or of a specific interface.


match

To specify an access control list (ACL) for traffic filtering in a VLAN access map, use the match command. To remove a match command from a VLAN access map, use the no form of this command.

match {ip | ipv6 | mac} address access-list-name

no match {ip | ipv6 | mac} address access-list-name

Syntax Description

ip

Specifies an IPv4 ACL.

ipv6

Specifies an IPv6 ACL.

mac

Specifies a MAC ACL.

address access-list-name

Specifies the name of the IPv4, IPv6, or MAC ACL to match. The name can be up to 64 alphanumeric, case-sensitive characters long.


Command Default

By default, the switch classifies traffic and applies IPv4 ACLs to IPv4 traffic and MAC ACLs to all other traffic.

Command Modes

VLAN access-map configuration mode

Command History

Release         Modification
4.0(0)N1(1a)    This command was introduced.


Usage Guidelines

You can specify only one match command per access map.
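Two of the guidelines above are easy to violate silently: an ACL deleted while still referenced by mac port access-group leaves the interface unfiltered, and an access map may carry only one match command. The following audit script is an added example (not Cisco code or CLI output) that checks a constructed running-config excerpt for both conditions; the config text, ACL names and interfaces are made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not from the page). It contains two
# deliberate problems: mac-acl-02 and ip-acl-02 are referenced but never
# defined, and vlan-map-02 carries two match statements.
SAMPLE_CONFIG = """\
mac access-list mac-acl-01
  permit any any
ip access-list ip-acl-01
  permit ip any any
interface ethernet 1/2
  mac port access-group mac-acl-01
interface ethernet 1/3
  mac port access-group mac-acl-02
vlan access-map vlan-map-01
  match ip address ip-acl-01
  action forward
vlan access-map vlan-map-02
  match mac address mac-acl-01
  match ip address ip-acl-02
  action drop
"""

ACL_DEF = re.compile(r"^(ip|ipv6|mac) access-list (\S+)$")
PORT_GROUP = re.compile(r"^mac port access-group (\S+)$")
MATCH = re.compile(r"^match (ip|ipv6|mac) address (\S+)$")


def audit_acl_references(config):
    """Return findings for dangling ACL references (the interface or access
    map then applies no filtering) and access maps with several matches."""
    defined = set()                  # (type, name) of every ACL defined
    refs = []                        # (context, type, name) of every reference
    matches_per_map = defaultdict(int)
    context = None                   # interface / access-map / ACL being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_DEF.match(line):
            defined.add((m.group(1), m.group(2)))
            context = line
        elif line.startswith(("interface ", "vlan access-map ")):
            context = line
        elif m := PORT_GROUP.match(line):
            refs.append((context, "mac", m.group(1)))
        elif m := MATCH.match(line):
            refs.append((context, m.group(1), m.group(2)))
            matches_per_map[context] += 1
    findings = [f"{ctx}: references undefined {kind} ACL {name}; no filtering applied"
                for ctx, kind, name in refs if (kind, name) not in defined]
    findings += [f"{ctx}: {n} match statements (only one allowed)"
                 for ctx, n in matches_per_map.items() if n > 1]
    return findings
```

Run audit_acl_references on the output of show running-config to list interfaces and access maps whose filtering no longer does what the operator expects.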

Examples

This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:

switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics

Related Commands

Command                 Description
action                  Specifies an action for traffic filtering in a VLAN access map.
show vlan access-map    Displays all VLAN access maps or a VLAN access map.
show vlan filter        Displays information about how a VLAN access map is applied.
vlan access-map         Configures a VLAN access map.
vlan filter             Applies a VLAN access map to one or more VLANs.