Configuring MAC ACLs
This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices.
This chapter contains the following sections:
- Information About MAC ACLs
- Licensing Requirements for MAC ACLs
- Prerequisites for MAC ACLs
- Guidelines and Limitations for MAC ACLs
- Default Settings for MAC ACLs
- Configuring MAC ACLs
- Verifying the MAC ACL Configuration
- Monitoring and Clearing MAC ACL Statistics
- Configuration Example for MAC ACLs
- Additional References for MAC ACLs
- Feature History for MAC ACLs
Information About MAC ACLs
MAC ACLs are ACLs that use information in the Layer 2 header of packets to filter traffic. MAC ACLs share many fundamental concepts with IP ACLs, including support for virtualization.
MAC Packet Classification
MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.
| MAC Packet Classification State | Effect on Interface |
|---|---|
| Enabled | A MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic. |
| Disabled | A MAC ACL that is on the interface applies only to non-IP traffic entering the interface. |
Licensing Requirements for MAC ACLs
This table shows the licensing requirements for this feature.

| Product | License Requirement |
|---|---|
| Cisco NX-OS | MAC ACLs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.2. |
Prerequisites for MAC ACLs
There are no prerequisites for configuring MAC ACLs.
Guidelines and Limitations for MAC ACLs
MAC ACLs have the following configuration guidelines and limitations:
Default Settings for MAC ACLs
| Parameters | Default |
|---|---|
| MAC ACLs | No MAC ACLs exist by default |
| ACL rules | Implicit rules apply to all ACLs |
Configuring MAC ACLs
- Creating a MAC ACL
- Changing a MAC ACL
- Changing Sequence Numbers in a MAC ACL
- Removing a MAC ACL
- Applying a MAC ACL as a Port ACL
- Applying a MAC ACL as a VACL
- Enabling or Disabling MAC Packet Classification
Creating a MAC ACL
You can create a MAC ACL and add rules to it.
SUMMARY STEPS

1. `configure terminal`
2. `mac access-list name`
3. `{permit | deny} source destination protocol`
4. (Optional) `statistics per-entry`
5. (Optional) `show mac access-lists name`
6. (Optional) `copy running-config startup-config`

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | `configure terminal` | `switch# configure terminal` `switch(config)#` | Enters global configuration mode. |
| 2 | `mac access-list name` | `switch(config)# mac access-list acl-mac-01` `switch(config-mac-acl)#` | Creates the MAC ACL and enters ACL configuration mode. |
| 3 | `{permit \| deny} source destination protocol` | `switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any` | Creates a rule in the MAC ACL. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2. |
| 4 | `statistics per-entry` | `switch(config-mac-acl)# statistics per-entry` | (Optional) Specifies that the device maintains global statistics for packets that match the rules in the ACL. |
| 5 | `show mac access-lists name` | `switch(config-mac-acl)# show mac access-lists acl-mac-01` | (Optional) Displays the MAC ACL configuration. |
| 6 | `copy running-config startup-config` | `switch(config-mac-acl)# copy running-config startup-config` | (Optional) Copies the running configuration to the startup configuration. |
Changing a MAC ACL
You can change a MAC ACL by adding or removing rules and by enabling or disabling per-entry statistics.
Use the show mac access-lists command with the summary keyword to find the interfaces that a MAC ACL is configured on.
SUMMARY STEPS

1. `configure terminal`
2. `mac access-list name`
3. (Optional) `[sequence-number] {permit | deny} source destination protocol`
4. (Optional) `no {sequence-number | {permit | deny} source destination protocol}`
5. (Optional) `[no] statistics per-entry`
6. (Optional) `show mac access-lists name`
7. (Optional) `copy running-config startup-config`

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | `configure terminal` | `switch# configure terminal` `switch(config)#` | Enters global configuration mode. |
| 2 | `mac access-list name` | `switch(config)# mac access-list acl-mac-01` `switch(config-mac-acl)#` | Enters ACL configuration mode for the ACL that you specify by name. |
| 3 | `[sequence-number] {permit \| deny} source destination protocol` | `switch(config-mac-acl)# 100 permit 00c0.4f00.0000 0000.00ff.ffff any` | (Optional) Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2. |
| 4 | `no {sequence-number \| {permit \| deny} source destination protocol}` | `switch(config-mac-acl)# no 80` | (Optional) Removes the rule that you specify from the MAC ACL. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2. |
| 5 | `[no] statistics per-entry` | `switch(config-mac-acl)# statistics per-entry` | (Optional) Specifies that the device maintains global statistics for packets that match the rules in the ACL. The no option stops the device from maintaining global statistics for the ACL. |
| 6 | `show mac access-lists name` | `switch(config-mac-acl)# show mac access-lists acl-mac-01` | (Optional) Displays the MAC ACL configuration. |
| 7 | `copy running-config startup-config` | `switch(config-mac-acl)# copy running-config startup-config` | (Optional) Copies the running configuration to the startup configuration. |
Changing Sequence Numbers in a MAC ACL
You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.
SUMMARY STEPS

1. `configure terminal`
2. `resequence mac access-list name starting-sequence-number increment`
3. (Optional) `show mac access-lists name`
4. (Optional) `copy running-config startup-config`

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | `configure terminal` | `switch# configure terminal` `switch(config)#` | Enters global configuration mode. |
| 2 | `resequence mac access-list name starting-sequence-number increment` | `switch(config)# resequence mac access-list acl-mac-01 100 10` | Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule; the difference between the numbers is the increment that you specify. |
| 3 | `show mac access-lists name` | `switch(config)# show mac access-lists acl-mac-01` | (Optional) Displays the MAC ACL configuration. |
| 4 | `copy running-config startup-config` | `switch(config)# copy running-config startup-config` | (Optional) Copies the running configuration to the startup configuration. |
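The three procedures above (creating a MAC ACL, adding or removing rules by sequence number, and resequencing) all rely on the same rule semantics: rules are ordered by sequence number, the first matching rule decides, an unmatched frame hits the implicit deny, a wildcard mask marks the address bits that are ignored, and `statistics per-entry` counts matches per rule. The following model, added here as an illustration and not Cisco code, makes those semantics executable so you can check how a rule such as `permit 00c0.4f00.0000 0000.00ff.ffff any` classifies a given frame before applying the ACL to a live interface. The default sequence start and increment of 10 and the `show` output layout are assumptions of this model, not something the chapter states.

```python
"""Model of a Cisco NX-OS MAC ACL: sequence-numbered rules, first-match
evaluation with the implicit deny, wildcard-mask address matching,
per-entry statistics and resequencing. Added illustration, not Cisco code."""
from dataclasses import dataclass

MAC_BITS = 0xFFFFFFFFFFFF
ANY = (0, MAC_BITS)  # "any": every wildcard bit is "don't care"


def parse_mac(text):
    """Convert dotted-hex notation such as 00c0.4f00.0000 to an integer."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def parse_operand(text):
    """Parse 'any', 'addr wildcard' or a bare 'addr' (exact match).
    In the wildcard a 1 bit means that bit of the address is ignored."""
    parts = text.split()
    if parts == ["any"]:
        return ANY
    if len(parts) not in (1, 2):
        raise ValueError(f"bad operand: {text!r}")
    addr = parse_mac(parts[0])
    wild = parse_mac(parts[1]) if len(parts) == 2 else 0
    return (addr, wild)


def operand_matches(operand, mac):
    """Compare only the bits the wildcard marks as significant."""
    addr, wild = operand
    care = MAC_BITS & ~wild
    return (addr & care) == (mac & care)


@dataclass
class Rule:
    seq: int
    action: str   # "permit" or "deny"
    src: tuple    # (address, wildcard)
    dst: tuple
    text: str     # rule as typed, for show output
    hits: int = 0


class MacAcl:
    def __init__(self, name, statistics_per_entry=False):
        self.name = name
        self.statistics_per_entry = statistics_per_entry  # "statistics per-entry"
        self.rules = []  # kept sorted by sequence number

    def add_rule(self, action, src, dst, seq=None):
        """'[seq] {permit|deny} source destination'; without seq the rule goes last."""
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {action!r}")
        if seq is None:  # assumed default: start at 10, step by 10
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} is already in use")
        self.rules.append(Rule(seq, action, parse_operand(src), parse_operand(dst),
                               f"{action} {src} {dst}"))
        self.rules.sort(key=lambda r: r.seq)

    def remove_rule(self, seq):
        """'no sequence-number'."""
        kept = [r for r in self.rules if r.seq != seq]
        if len(kept) == len(self.rules):
            raise KeyError(f"no rule with sequence number {seq}")
        self.rules = kept

    def resequence(self, start, increment):
        """'resequence mac access-list name start increment'; order is unchanged."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * increment

    def sequence_numbers(self):
        return [r.seq for r in self.rules]

    def evaluate(self, src_mac, dst_mac):
        """First matching rule decides; the implicit rule at the end denies."""
        s, d = parse_mac(src_mac), parse_mac(dst_mac)
        for rule in self.rules:
            if operand_matches(rule.src, s) and operand_matches(rule.dst, d):
                if self.statistics_per_entry:
                    rule.hits += 1
                return rule.action
        return "deny"

    def show(self):
        """Roughly what 'show mac access-lists name' reports, with match counts."""
        lines = [f"MAC access list {self.name}"]
        for r in self.rules:
            stats = f" [match={r.hits}]" if self.statistics_per_entry else ""
            lines.append(f"  {r.seq} {r.text}{stats}")
        return "\n".join(lines)


if __name__ == "__main__":
    acl = MacAcl("acl-mac-01", statistics_per_entry=True)
    acl.add_rule("permit", "00c0.4f00.0000 0000.00ff.ffff", "any")  # rule from this chapter
    print(acl.evaluate("00c0.4f12.3456", "ffff.ffff.ffff"))  # permit: first 24 bits match
    print(acl.evaluate("00c0.4e00.0001", "ffff.ffff.ffff"))  # deny: implicit rule
    acl.resequence(100, 10)
    print(acl.show())
```

The wildcard `0000.00ff.ffff` keeps the OUI `00c0.4f` significant and ignores the low 24 bits, so the second frame above, whose OUI is `00c0.4e`, falls through to the implicit deny. Resequencing renumbers without reordering, which is why inserting a rule with an explicit sequence number between existing ones is safe only when a gap exists.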
Removing a MAC ACL
You can remove a MAC ACL from the device.
SUMMARY STEPS

1. `configure terminal`
2. `no mac access-list name`
3. (Optional) `show mac access-lists name summary`
4. (Optional) `copy running-config startup-config`

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | `configure terminal` | `switch# configure terminal` `switch(config)#` | Enters global configuration mode. |
| 2 | `no mac access-list name` | `switch(config)# no mac access-list acl-mac-01` `switch(config)#` | Removes the MAC ACL that you specify by name from the running configuration. |
| 3 | `show mac access-lists name summary` | `switch(config)# show mac access-lists acl-mac-01 summary` | (Optional) Displays the MAC ACL configuration. If the ACL remains applied to an interface, the command lists the interfaces. |
| 4 | `copy running-config startup-config` | `switch(config)# copy running-config startup-config` | (Optional) Copies the running configuration to the startup configuration. |
Applying a MAC ACL as a Port ACL
You can apply a MAC ACL as a port ACL to any of the following interface types:
Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application.
SUMMARY STEPS

1. `configure terminal`
2. Enter one of the following commands:
3. `mac port access-group access-list`
4. (Optional) `show running-config aclmgr`
5. (Optional) `copy running-config startup-config`
DETAILED STEPS
Applying a MAC ACL as a VACL
You can apply a MAC ACL as a VACL.
Enabling or Disabling MAC Packet Classification
You can enable or disable MAC packet classification on a Layer 2 interface.
The interface must be configured as a Layer 2 interface.
Note: If the interface is configured with the ip port access-group command or the ipv6 port traffic-filter command, you cannot enable MAC packet classification until you remove the ip port access-group and ipv6 port traffic-filter commands from the interface configuration.

SUMMARY STEPS

1. `configure terminal`
2. Enter one of the following commands:
4. (Optional) Enter one of the following commands:
5. (Optional) `copy running-config startup-config`
DETAILED STEPS
Verifying the MAC ACL Configuration
To display MAC ACL configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2.
| Command | Purpose |
|---|---|
| `show mac access-lists` | Displays the MAC ACL configuration. |
| `show running-config aclmgr` | Displays the ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to. |
| `show running-config interface` | Displays the configuration of the interface to which you applied the ACL. |
Monitoring and Clearing MAC ACL Statistics
Use the show mac access-lists command to monitor statistics about a MAC ACL, including the number of packets that have matched each rule.
To monitor or clear MAC ACL statistics, use one of the commands in this table. For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2.
| Command | Purpose |
|---|---|
| `show mac access-lists` | Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule. |
| `clear mac access-list counters` | Clears statistics for all MAC ACLs or for a specific MAC ACL. |
Configuration Example for MAC ACLs
The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:

```
mac access-list acl-mac-01
  permit 00c0.4f00.0000 0000.00ff.ffff any
interface ethernet 2/1
  mac port access-group acl-mac-01
```
Additional References for MAC ACLs
Related Documents

| Related Topic | Document Title |
|---|---|
| MAC ACL commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2 |

Standards

| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |
Feature History for MAC ACLs
| Feature Name | Releases | Feature Information |
|---|---|---|
| MAC ACLs | 4.2(1) | Support was added for MAC packet classification. |