Cisco IOS Security Command Reference: Commands M to R, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- March 19, 2015
Chapter: mab through mime-type
mab through mime-type
mab
To enable MAC-based authentication on a port, use the mab command in interface configuration mode. To disable MAC-based authentication, use the no form of this command.
mab [eap]
no mab
Syntax Description
| eap |
(Optional) Configures the port to use Extensible Authentication Protocol (EAP). |
Command Default
MAC-based authentication is not enabled.
Command Modes
Interface configuration (config-if)
Command History
| Release |
Modification |
|---|---|
| 12.2(33)SXI |
This command was introduced. |
| 15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
Use the mab command to enable MAC-based authentication on a port. To enable EAP on the port, use the mab eap command.
 Note |
If you are unsure whether MAB or MAB EAP is enabled or disabled on the switched port, use the default mabor default mab eap commands in interface configuration mode to configure MAB or MAB EAP to its default. |
Examples
The following example shows how to configure MAC-based authorization on a Gigabit Ethernet port:
Switch(config)# interface GigabitEthernet6/2 Enter configuration commands, one per line. End with CNTL/Z. Switch(config-if)# mab Switch(config-if)# end
Related Commands
| Command |
Description |
|---|---|
| show mab |
Displays information about MAB. |
mac access-group
To use a MAC access control list (ACL) to control the reception of incoming traffic on a Gigabit Ethernet interface, an 802.1Q VLAN subinterface, an 802.1Q-in-Q stacked VLAN subinterface, use the macaccess-groupcommand in interface or subinterface configuration mode. To remove a MAC ACL, use the no form of this command.
mac access-group access-list-number in
no mac access-group access-list-number in
Syntax Description
| access-list-number |
Number of a MAC ACL to apply to an interface or subinterface (as specified by a access-list(MAC) command). This is a decimal number from 700 to 799. |
| in |
Filters on inbound packets. |
Command Default
No access list is applied to the interface or subinterface.
Command Modes
Interface configuration (config-if) Subinterface configuration (config-subif)
Command History
| Release |
Modification |
|---|---|
| 12.0(32)S |
This command was introduced on the Cisco 12000 series Internet router. |
| 12.2(33)SXH |
This command was integrated into Cisco IOS Release 12.2(33)SXH. |
Usage Guidelines
MAC ACLs are applied on incoming traffic on Gigabit Ethernet interfaces and VLAN subinterfaces. After a networking device receives a packet, the Cisco IOS software checks the source MAC address of the Gigabit Ethernet, 802.1Q VLAN, or 802.1Q-in-Q packet against the access list. If the MAC access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.
If the specified MAC ACL does not exist on the interface or subinterface, all packets are passed.
On Catalyst 6500 series switches, this command is supported on Layer 2 ports only.
Note |
The macaccess-groupcommand is supported on a VLAN subinterface only if a VLAN is already configured on the subinterface. |
Examples
The following example applies MAC ACL 101 on incoming traffic received on Gigabit Ethernet interface 0:
Router> enable Router# configure terminal Router(config)# interface gigabitethernet 0 Router(config-if)# mac access-group 101 in
Related Commands
| Command |
Description |
|---|---|
| access-list (MAC) |
Defines a MAC ACL. |
| clear mac access-list counters |
Clears the counters of a MAC ACL. |
| ip access-group |
Configures an IP access list to be used for packets transmitted from the asynchronous host. |
| show access-group mode interface |
Displays the ACL configuration on a Layer 2 interface. |
| show mac access-list |
Displays the contents of one or all MAC ACLs. |
mac-address (RITE)
To specify the Ethernet address of the destination host, use the mac-address command in router IP traffic export (RITE) configuration mode. To change the MAC address of the destination host, use the no form of this command.
mac-address H.H.H
no mac-address H.H.H
Syntax Description
| H.H.H |
48-bit MAC address. |
Command Default
A destination host is not known.
Command Modes
RITE configuration
Command History
| Release |
Modification |
|---|---|
| 12.3(4)T |
This command was introduced. |
| 12.2(25)S |
This command was integrated into Cisco IOS Release 12.2(25)S. |
Usage Guidelines
The mac-address command, which is used to specify the destination host that is receiving the exported traffic, is part of suite of RITE configuration mode commands that are used to control various attributes for both incoming and outgoing IP traffic export.
The ip traffic-export profile command allows you to begin a profile that can be configured to export IP packets as they arrive or leave a selected router ingress interface. A designated egress interface exports the captured IP packets out of the router. Thus, the router can export unaltered IP packets to a directly connected device.
Examples
The following example shows how to configure the profile “corp1,” which will send captured IP traffic to host “00a.8aab.90a0” at the interface “FastEthernet 0/1.” This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the access control lists (ACL) “ham_ACL.”
Router(config)# ip traffic-export profile corp1 Router(config-rite)# interface FastEthernet 0/1 Router(config-rite)# bidirectional Router(config-rite)# mac-address 00a.8aab.90a0 Router(config-rite)# outgoing sample one-in-every 50 Router(config-rite)# incoming access-list ham_acl Router(config-rite)# exit Router(config)# interface FastEthernet 0/0 Router(config-if)# ip traffic-export apply corp1
Related Commands
| Command |
Description |
|---|---|
| ip traffic-export profile |
Creates or edits an IP traffic export profile and enables the profile on an ingress interface. |
match class-map
To use a traffic class as a classification policy, use the match class-map command in class-map or policy inline configuration mode. To remove a specific traffic class as a match criterion, use the no form of this command.
match class-map class-map-nam e
no match class-map class-map-name
Syntax Description
| class-map-name |
Name of the traffic class to use as a match criterion. |
Command Default
No match criteria are specified.
Command Modes
Class-map configuration (config-cmap)
Command History
| Release |
Modification |
|---|---|
| 12.0(5)XE |
This command was introduced. |
| 12.1(1)E |
This command was integrated into Cisco IOS Release 12.1(1)E. |
| 12.1(5)T |
This command was integrated into Cisco IOS Release 12.1(5)T. |
| 12.4(6)T |
This command was enhanced to support Zone-Based Policy Firewall. |
| 12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
| 12.2(31)SB |
This command was implemented on the Cisco 10000 series. |
| 12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
| Cisco IOS XE Release 3.2S |
This command was integrated into Cisco IOS XE Release 3.2S. |
Usage Guidelines
The only method of including both match-any and match-all characteristics in a single traffic class is to use the match class-map command. To combine match-any and match-all characteristics into a single class, do one of the following:
- Create a traffic class with the match-anyinstruction and use a class configured with the match-all instruction as a match criterion (using the match class-map command).
- Create a traffic class with the match-allinstruction and use a class configured with the match-any instruction as a match criterion (using the match class-map command).
You can also use the match class-map command to nest traffic classes within one another, saving users the overhead of re-creating a new traffic class when most of the information exists in a previously configured traffic class.
When packets are matched to a class map, a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the 'inspect' action.
Examples
Examples
Non-Zone-Based Policy Firewall Examples
In the following example, the traffic class called class1 has the same characteristics as traffic class called class2, with the exception that traffic class class1 has added a destination address as a match criterion. Rather than configuring traffic class class1 line by line, you can enter the match class-map class2 command. This command allows all of the characteristics in the traffic class called class2 to be included in the traffic class called class1, and you can simply add the new destination address match criterion without reconfiguring the entire traffic class.
Router(config)# class-map match-any class2 Router(config-cmap)# match protocol ip Router(config-cmap)# match qos-group 3 Router(config-cmap)# match access-group 2 Router(config-cmap)# exit Router(config)# class-map match-all class1 Router(config-cmap)# match class-map class2 Router(config-cmap)# match destination-address mac 1.1.1 Router(config-cmap)# exit
The following example shows how to combine the characteristics of two traffic classes, one with match-any and one with match-all characteristics, into one traffic class with the match class-map command. The result of traffic class called class4 requires a packet to match one of the following three match criteria to be considered a member of traffic class called class 4: IP protocol and QoS group 4, destination MAC address 1.1.1, or access group 2. Match criteria IP protocol and QoS group 4 are required in the definition of the traffic class named class3 and included as a possible match in the definition of the traffic class named class4 with the match class-map class3 command.
In this example, only the traffic class called class4 is used with the service policy called policy1.
Router(config)# class-map match-all class3 Router(config-cmap)# match protocol ip Router(config-cmap)# match qos-group 4 Router(config-cmap)# exit Router(config)# class-map match-any class4 Router(config-cmap)# match class-map class3 Router(config-cmap)# match destination-address mac 1.1.1 Router(config-cmap)# match access-group 2 Router(config-cmap)# exit Router(config)# policy-map policy1 Router(config-pmap)# class class4 Router(config-pmap-c)# police 8100 1500 2504 conform-action transmit exceed-action set-qos-transmit 4 Router(config-pmap-c)# exit
Related Commands
| Command |
Description |
|---|---|
| class-map |
Creates a class map to be used for matching packets to a specified class. |
Feedback