Cisco IOS Security Command Reference: Commands M to R, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
mab through mime-type
Downloads: This chapterpdf (PDF - 353.0KB) The complete bookPDF (PDF - 1.05MB) | Feedback

mab through mime-type

mab through mime-type

mab

To enable MAC-based authentication on a port, use the mab command in interface configuration mode. To disable MAC-based authentication, use the no form of this command.

mab [eap]

no mab

Syntax Description

eap

(Optional) Configures the port to use Extensible Authentication Protocol (EAP).

Command Default

MAC-based authentication is not enabled.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(33)SXI

This command was introduced.

15.2(2)T

This command was integrated into Cisco IOS Release 15.2(2)T.

Usage Guidelines

Use the mab command to enable MAC-based authentication on a port. To enable EAP on the port, use the mab eap command.


Note


If you are unsure whether MAB or MAB EAP is enabled or disabled on the switched port, use the default mabor default mab eap commands in interface configuration mode to configure MAB or MAB EAP to its default.


Examples

The following example shows how to configure MAC-based authorization on a Gigabit Ethernet port:

Switch(config)# interface GigabitEthernet6/2 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config-if)# mab 
Switch(config-if)# end

Related Commands

Command

Description

show mab

Displays information about MAB.

mac access-group

To use a MAC access control list (ACL) to control the reception of incoming traffic on a Gigabit Ethernet interface, an 802.1Q VLAN subinterface, an 802.1Q-in-Q stacked VLAN subinterface, use the macaccess-groupcommand in interface or subinterface configuration mode. To remove a MAC ACL, use the no form of this command.

mac access-group access-list-number in

no mac access-group access-list-number in

Syntax Description

access-list-number

Number of a MAC ACL to apply to an interface or subinterface (as specified by a access-list(MAC) command). This is a decimal number from 700 to 799.

in

Filters on inbound packets.

Command Default

No access list is applied to the interface or subinterface.

Command Modes

Interface configuration (config-if) Subinterface configuration (config-subif)

Command History

Release

Modification

12.0(32)S

This command was introduced on the Cisco 12000 series Internet router.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

MAC ACLs are applied on incoming traffic on Gigabit Ethernet interfaces and VLAN subinterfaces. After a networking device receives a packet, the Cisco IOS software checks the source MAC address of the Gigabit Ethernet, 802.1Q VLAN, or 802.1Q-in-Q packet against the access list. If the MAC access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.

If the specified MAC ACL does not exist on the interface or subinterface, all packets are passed.

On Catalyst 6500 series switches, this command is supported on Layer 2 ports only.


Note


The macaccess-groupcommand is supported on a VLAN subinterface only if a VLAN is already configured on the subinterface.


Examples

The following example applies MAC ACL 101 on incoming traffic received on Gigabit Ethernet interface 0:

Router> enable
Router# configure terminal
Router(config)# interface gigabitethernet 0
Router(config-if)# mac access-group 101 in

Related Commands

Command

Description

access-list (MAC)

Defines a MAC ACL.

clear mac access-list counters

Clears the counters of a MAC ACL.

ip access-group

Configures an IP access list to be used for packets transmitted from the asynchronous host.

show access-group mode interface

Displays the ACL configuration on a Layer 2 interface.

show mac access-list

Displays the contents of one or all MAC ACLs.

mac-address (RITE)

To specify the Ethernet address of the destination host, use the mac-address command in router IP traffic export (RITE) configuration mode. To change the MAC address of the destination host, use the no form of this command.

mac-address H.H.H

no mac-address H.H.H

Syntax Description

H.H.H

48-bit MAC address.

Command Default

A destination host is not known.

Command Modes


RITE configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

Usage Guidelines

The mac-address command, which is used to specify the destination host that is receiving the exported traffic, is part of suite of RITE configuration mode commands that are used to control various attributes for both incoming and outgoing IP traffic export.

The ip traffic-export profile command allows you to begin a profile that can be configured to export IP packets as they arrive or leave a selected router ingress interface. A designated egress interface exports the captured IP packets out of the router. Thus, the router can export unaltered IP packets to a directly connected device.

Examples

The following example shows how to configure the profile “corp1,” which will send captured IP traffic to host “00a.8aab.90a0” at the interface “FastEthernet 0/1.” This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the access control lists (ACL) “ham_ACL.”

Router(config)# ip traffic-export profile corp1
Router(config-rite)# interface FastEthernet 0/1
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp1

Related Commands

Command

Description

ip traffic-export profile

Creates or edits an IP traffic export profile and enables the profile on an ingress interface.

match class-map

To use a traffic class as a classification policy, use the match class-map command in class-map or policy inline configuration mode. To remove a specific traffic class as a match criterion, use the no form of this command.

match class-map class-map-nam e

no match class-map class-map-name

Syntax Description

class-map-name

Name of the traffic class to use as a match criterion.

Command Default

No match criteria are specified.

Command Modes


Class-map configuration (config-cmap)

Command History

Release

Modification

12.0(5)XE

This command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.4(6)T

This command was enhanced to support Zone-Based Policy Firewall.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB

This command was implemented on the Cisco 10000 series.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 3.2S

This command was integrated into Cisco IOS XE Release 3.2S.

Usage Guidelines

The only method of including both match-any and match-all characteristics in a single traffic class is to use the match class-map command. To combine match-any and match-all characteristics into a single class, do one of the following:

  • Create a traffic class with the match-anyinstruction and use a class configured with the match-all instruction as a match criterion (using the match class-map command).
  • Create a traffic class with the match-allinstruction and use a class configured with the match-any instruction as a match criterion (using the match class-map command).

You can also use the match class-map command to nest traffic classes within one another, saving users the overhead of re-creating a new traffic class when most of the information exists in a previously configured traffic class.

When packets are matched to a class map, a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the 'inspect' action.

Examples

Examples

Non-Zone-Based Policy Firewall Examples

In the following example, the traffic class called class1 has the same characteristics as traffic class called class2, with the exception that traffic class class1 has added a destination address as a match criterion. Rather than configuring traffic class class1 line by line, you can enter the match class-map class2 command. This command allows all of the characteristics in the traffic class called class2 to be included in the traffic class called class1, and you can simply add the new destination address match criterion without reconfiguring the entire traffic class.

Router(config)# class-map match-any class2
Router(config-cmap)# match protocol ip
Router(config-cmap)# match qos-group 3
Router(config-cmap)# match access-group 2
Router(config-cmap)# exit
Router(config)# class-map match-all class1
Router(config-cmap)# match class-map class2
Router(config-cmap)# match destination-address mac 1.1.1
Router(config-cmap)# exit

The following example shows how to combine the characteristics of two traffic classes, one with match-any and one with match-all characteristics, into one traffic class with the match class-map command. The result of traffic class called class4 requires a packet to match one of the following three match criteria to be considered a member of traffic class called class 4: IP protocol and QoS group 4, destination MAC address 1.1.1, or access group 2. Match criteria IP protocol and QoS group 4 are required in the definition of the traffic class named class3 and included as a possible match in the definition of the traffic class named class4 with the match class-map class3 command.

In this example, only the traffic class called class4 is used with the service policy called policy1.

Router(config)# class-map match-all class3
Router(config-cmap)# match protocol ip
Router(config-cmap)# match qos-group 4
Router(config-cmap)# exit
Router(config)# class-map match-any class4
Router(config-cmap)# match class-map class3
Router(config-cmap)# match destination-address mac 1.1.1
Router(config-cmap)# match access-group 2
Router(config-cmap)# exit
Router(config)# policy-map policy1
Router(config-pmap)# class class4
Router(config-pmap-c)# police 8100 1500 2504 conform-action transmit exceed-action set-qos-transmit 4
Router(config-pmap-c)# exit

Related Commands

Command

Description

class-map

Creates a class map to be used for matching packets to a specified class.