Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x
Configuring MAC ACLs
Downloads: This chapterpdf (PDF - 1.19MB) The complete bookPDF (PDF - 10.7MB) | The complete bookePub (ePub - 3.43MB) | Feedback

Configuring MAC ACLs

Configuring MAC ACLs

This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices.

This chapter contains the following sections:

Information About MAC ACLs

MAC ACLs are ACLs that use information in the Layer 2 header of packets to filter traffic. MAC ACLs share many fundamental concepts with IP ACLs, including support for virtualization.

MAC Packet Classification

MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.

MAC Packet Classification State Effect on Interface

Enabled

  • A MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic.
  • You cannot apply an IP port ACL on the interface.

Disabled

  • A MAC ACL that is on the interface applies only to non-IP traffic entering the interface.
  • You can apply an IP port ACL on the interface

Licensing Requirements for MAC ACLs

This table shows the licensing requirements for this feature.

Product

License Requirement

Cisco NX-OS

MAC ACLs require no license. However to support up to 128K ACL entries using an XL line card, you must install the scalable services license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for MAC ACLs

There are no prerequisites for configuring MAC ACLs.

Guidelines and Limitations for MAC ACLs

MAC ACLs have the following configuration guidelines and limitations:

  • MAC ACLs apply to ingress traffic only.
  • ACL statistics are not supported if the DHCP snooping feature is enabled.
  • The maximum number of supported MAC ACL entries is 64K for devices without an XL line card and 128K for devices with an XL line card.
  • If you try to apply too many ACL entries to a non-XL line card, the configuration is rejected.
  • Each forwarding engine on an F1 Series module supports 1000 ingress ACL entries, with 984 entries available for user configuration. The total number of MAC ACL entries for the F1 Series modules is from 1000 to 16,000, depending on which forwarding engines the policies are applied.
  • F1 Series modules do not support ACL logging.
  • F1 Series modules do not support bank chaining.
  • For M1 Series modules, the mac packet-classify command enables a MAC ACL for port and VLAN policies.

Default Settings for MAC ACLs

This table lists the default settings for MAC ACL parameters.



Table 1 Default MAC ACLs Parameters

Parameters

Default

MAC ACLs

No MAC ACLs exist by default

ACL rules

Implicit rules apply to all ACLs

Configuring MAC ACLs

Creating a MAC ACL

You can create a MAC ACL and add rules to it.

SUMMARY STEPS

    1.    configure terminal

    2.    mac access-list name

    3.    {permit | deny} source destination protocol

    4.    (Optional) statistics per-entry

    5.    (Optional) show mac access-lists name

    6.    (Optional) copy running-config startup-config


DETAILED STEPS
      Command or Action Purpose
    Step 1 configure terminal


    Example:
    switch# configure terminal
    switch(config)#
     

    Enters global configuration mode.

     
    Step 2 mac access-list name


    Example:
    switch(config)# mac access-list acl-mac-01
    switch(config-mac-acl)#
     

    Creates the MAC ACL and enters ACL configuration mode.

     
    Step 3 {permit | deny} source destination protocol


    Example:
    switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
     

    Creates a rule in the MAC ACL.

    The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

     
    Step 4 statistics per-entry


    Example:
    switch(config-mac-acl)# statistics per-entry
     
    (Optional)

    Specifies that the device maintains global statistics for packets that match the rules in the ACL.

     
    Step 5 show mac access-lists name


    Example:
    switch(config-mac-acl)# show mac access-lists acl-mac-01
     
    (Optional)

    Displays the MAC ACL configuration.

     
    Step 6 copy running-config startup-config


    Example:
    switch(config-mac-acl)# copy running-config startup-config
     
    (Optional)

    Copies the running configuration to the startup configuration.

     

    Changing a MAC ACL

    You can remove a MAC ACL from the device.

    Before You Begin

    Use the show mac access-lists command with the summary keyword to find the interfaces that a MAC ACL is configured on.

    SUMMARY STEPS

      1.    configure terminal

      2.    mac access-list name

      3.    (Optional) [sequence-number] {permit | deny} source destination protocol

      4.    (Optional) no {sequence-number | {permit | deny} source destination protocol}

      5.    (Optional) [no] statistics per-entry

      6.    (Optional) show mac access-lists name

      7.    (Optional) copy running-config startup-config


    DETAILED STEPS
        Command or Action Purpose
      Step 1 configure terminal


      Example:
      switch# configure terminal
      switch(config)#
       

      Enters global configuration mode.

       
      Step 2 mac access-list name


      Example:
      switch(config)# mac access-list acl-mac-01
      switch(config-mac-acl)#
       

      Enters ACL configuration mode for the ACL that you specify by name.

       
      Step 3 [sequence-number] {permit | deny} source destination protocol


      Example:
      switch(config-mac-acl)# 100 permit mac 00c0.4f00.00 0000.00ff.ffff any
       
      (Optional)

      Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.

      The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

       
      Step 4 no {sequence-number | {permit | deny} source destination protocol}


      Example:
      switch(config-mac-acl)# no 80
       
      (Optional)

      Removes the rule that you specify from the MAC ACL.

      The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

       
      Step 5 [no] statistics per-entry


      Example:
      switch(config-mac-acl)# statistics per-entry
       
      (Optional)

      Specifies that the device maintains global statistics for packets that match the rules in the ACL.

      The no option stops the device from maintaining global statistics for the ACL.

       
      Step 6 show mac access-lists name


      Example:
      switch(config-mac-acl)# show mac access-lists acl-mac-01
       
      (Optional)

      Displays the MAC ACL configuration.

       
      Step 7 copy running-config startup-config


      Example:
      switch(config-mac-acl)# copy running-config startup-config
       
      (Optional)

      Copies the running configuration to the startup configuration.

       

      Changing Sequence Numbers in a MAC ACL

      You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.

      SUMMARY STEPS

        1.    configure terminal

        2.    resequence mac access-list name starting-sequence-number increment

        3.    (Optional) show mac access-lists name

        4.    (Optional) copy running-config startup-config


      DETAILED STEPS
          Command or Action Purpose
        Step 1 configure terminal


        Example:
        switch# configure terminal
        switch(config)#
         

        Enters global configuration mode.

         
        Step 2 resequence mac access-list name starting-sequence-number increment


        Example:
        switch(config)# resequence mac access-list acl-mac-01 100 10
         

        Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the number specified by the starting-sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment number that you specify.

         
        Step 3 show mac access-lists name


        Example:
        switch(config)# show mac access-lists acl-mac-01
         
        (Optional)

        Displays the MAC ACL configuration.

         
        Step 4 copy running-config startup-config


        Example:
        switch(config)# copy running-config startup-config
         
        (Optional)

        Copies the running configuration to the startup configuration.

         

        Removing a MAC ACL

        You can remove a MAC ACL from the device.

        SUMMARY STEPS

          1.    configure terminal

          2.    no mac access-list name

          3.    (Optional) show mac access-lists name summary

          4.    (Optional) copy running-config startup-config


        DETAILED STEPS
            Command or Action Purpose
          Step 1 configure terminal


          Example:
          switch# configure terminal
          switch(config)#
           

          Enters global configuration mode.

           
          Step 2 no mac access-list name


          Example:
          switch(config)# no mac access-list acl-mac-01
          switch(config)#
           

          Removes the MAC ACL that you specify by name from the running configuration.

           
          Step 3 show mac access-lists name summary


          Example:
          switch(config)# show mac access-lists acl-mac-01 summary
           
          (Optional)

          Displays the MAC ACL configuration. If the ACL remains applied to an interface, the command lists the interfaces.

           
          Step 4 copy running-config startup-config


          Example:
          switch(config)# copy running-config startup-config
           
          (Optional)

          Copies the running configuration to the startup configuration.

           

          Applying a MAC ACL as a Port ACL

          You can apply a MAC ACL as a port ACL to any of the following interface types:

          • Layer 2 or Layer 3 Ethernet interfaces
          • Layer 2 or Layer 3 port-channel interfaces
          Before You Begin

          Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application.

          SUMMARY STEPS

            1.    configure terminal

            2.    Enter one of the following commands:

            • interface ethernet slot/port
            • interface port-channel channel-number

            3.    mac port access-group access-list

            4.    (Optional) show running-config aclmgr

            5.    (Optional) copy running-config startup-config


          DETAILED STEPS
              Command or Action Purpose
            Step 1 configure terminal


            Example:
            switch# configure terminal
            switch(config)#
             

            Enters global configuration mode.

             
            Step 2 Enter one of the following commands:
            • interface ethernet slot/port
            • interface port-channel channel-number


            Example:
            switch(config)# interface ethernet 2/1
            switch(config-if)#


            Example:
            switch(config)# interface port-channel 5
            switch(config-if)#
             
            • Enters interface configuration mode for a Layer 2 or Layer 3 interface.
            • Enters interface configuration mode for a Layer 2 or Layer 3 port-channel interface.
             
            Step 3 mac port access-group access-list


            Example:
            switch(config-if)# mac port access-group acl-01
             

            Applies a MAC ACL to the interface.

             
            Step 4 show running-config aclmgr


            Example:
            switch(config-if)# show running-config aclmgr
             
            (Optional)

            Displays ACL configuration.

             
            Step 5 copy running-config startup-config


            Example:
            switch(config-if)# copy running-config startup-config
             
            (Optional)

            Copies the running configuration to the startup configuration.

             

            Applying a MAC ACL as a VACL

            You can apply a MAC ACL as a VACL.

            Enabling or Disabling MAC Packet Classification

            You can enable or disable MAC packet classification on a Layer 2 interface.

            Before You Begin

            The interface must be configured as a Layer 2 interface.


            Note


            If the interface is configured with the ip port access-group command or the ipv6 port traffic-filter command, you cannot enable MAC packet classification until you remove the ip port access-group and ipv6 port traffic-filter commands from the interface configuration.


            SUMMARY STEPS

              1.    configure terminal

              2.    Enter one of the following commands:

              • interface ethernet slot/port
              • interface port-channel channel-number

              3.    [no] mac packet-classify

              4.    (Optional) Enter one of the following commands:

              • show running-config interface ethernet slot/port
              • show running-config interface port-channel channel-number

              5.    (Optional) copy running-config startup-config


            DETAILED STEPS
                Command or Action Purpose
              Step 1 configure terminal


              Example:
              switch# configure terminal
              switch(config)#
               

              Enters global configuration mode.

               
              Step 2 Enter one of the following commands:
              • interface ethernet slot/port
              • interface port-channel channel-number


              Example:
              switch(config)# interface ethernet 2/1
              switch(config-if)#


              Example:
              switch(config)# interface port-channel 5
              switch(config-if)#
               
              • Enters interface configuration mode for a Ethernet interface.
              • Enters interface configuration mode for a port-channel interface.
               
              Step 3 [no] mac packet-classify


              Example:
              switch(config-if)# mac packet-classify
               

              Enables MAC packet classification on the interface. The no option disables MAC packet classification on the interface.

               
              Step 4 Enter one of the following commands:
              • show running-config interface ethernet slot/port
              • show running-config interface port-channel channel-number


              Example:
              switch(config-if)# show running-config interface ethernet 2/1


              Example:
              switch(config-if)# show running-config interface port-channel 5
               
              (Optional)
              • Displays the running configuration of the Ethernet interface.
              • Displays the running configuration of the port-channel interface.
               
              Step 5 copy running-config startup-config


              Example:
              switch(config-if)# copy running-config startup-config
               
              (Optional)

              Copies the running configuration to the startup configuration.

               
              Related Concepts

              Verifying the MAC ACL Configuration

              To display MAC ACL configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

              Command

              Purpose

              show mac access-lists

              Displays the MAC ACL configuration.

              show running-config aclmgr [all]

              Displays the ACL configuration, including MAC ACLs and the interfaces to which MAC ACLs are applied.

              Note   

              Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.

              show startup-config aclmgr [all]

              Displays the ACL startup configuration.

              Note   

              Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.

              Monitoring and Clearing MAC ACL Statistics

              Use the show mac access-lists command to monitor statistics about a MAC ACL, including the number of packets that have matched each rule.

              To monitor or clear MAC ACL statistics, use one of the commands in this table. For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

              Command

              Purpose

              show mac access-lists

              Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule.

              clear mac access-list counters

              Clears statistics for all MAC ACLs or for a specific MAC ACL.

              Configuration Example for MAC ACLs

              The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:

              mac access-list acl-mac-01
                permit 00c0.4f00.0000 0000.00ff.ffff any 
              interface ethernet 2/1
                mac port access-group acl-mac-01
              

              Additional References for MAC ACLs

              Related Documents

              Related Topic

              Document Title

              MAC ACL commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

              Cisco Nexus 7000 Series NX-OS Security Command Reference

              Standards

              Standards

              Title

              No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

              Feature History for MAC ACLs

              This table lists the release history for this feature.

              Table 2 Feature History for MAC ACLs

              Feature Name

              Releases

              Feature Information

              MAC ACLs

              5.2(1)

              Changed the show running-config aclmgr and show startup-config aclmgr commands to display only the user-configured ACLs (and not also the default CoPP-configured ACLs) in the running and startup configurations.

              MAC ACLs

              5.0(2)

              Support was added for up to 128,000 ACL entries when using an XL line card, provided a scalable services license is installed.

              MAC ACLs

              4.2(1)

              Support was added for MAC packet classification.