This table shows the licensing requirements for this feature.
MAC ACLs require no license. However, to support up to 128K ACL entries using an XL line card, you must install the scalable services license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Prerequisites for MAC ACLs
There are no prerequisites for configuring MAC ACLs.
Guidelines and Limitations for MAC ACLs
MAC ACLs have the following configuration guidelines and limitations:
MAC ACLs apply to ingress traffic only.
ACL statistics are not supported if the DHCP snooping feature is enabled.
The maximum number of supported MAC ACL entries is 64K for devices without an XL line card and 128K for devices with an XL line card.
If you try to apply too many ACL entries to a non-XL line card, the configuration is rejected.
Each forwarding engine on an F1 Series module supports 1000 ingress ACL entries, of which 984 are available for user configuration. The total number of MAC ACL entries for an F1 Series module is therefore between 1000 and 16,000, depending on how many of its forwarding engines the policies are applied to.
Each of the 16 forwarding engines in an F1 Series module supports up to 250 IPv6 addresses across multiple ACLs.
F1 Series modules do not support ACL logging.
F1 Series modules do not support bank chaining.
For M Series modules, the mac packet-classify command enables a MAC ACL for port and VLAN policies. For F2 Series modules, the mac packet-classify command enables a MAC ACL for port policies but an IPv4 or IPv6 ACL for VLAN policies.
Each of the 12 forwarding engines in an F2 Series module has 16,000 TCAM entries in total, split equally across two banks; 168 of these are reserved as default entries. Each forwarding engine also has 512 IPv6 compression TCAM entries.
Default Settings for MAC ACLs
This table lists the default settings for MAC ACL parameters.
Changing Sequence Numbers in a MAC ACL
You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.
Summary Steps
1. configure terminal
2. resequence mac access-list name starting-sequence-number increment
3. (Optional) show mac access-lists name
4. (Optional) copy running-config startup-config

Detailed Steps
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.

Command or Action: resequence mac access-list name starting-sequence-number increment
Example: switch(config)# resequence mac access-list acl-mac-01 100 10
Purpose: Assigns sequence numbers to the rules contained in the ACL. The first rule receives the starting-sequence-number that you specify, and each subsequent rule receives a number higher than the preceding rule by the increment that you specify. The relative order of the rules, and therefore their match precedence, is unchanged.
Enabling or Disabling MAC Packet Classification
You can enable or disable MAC packet classification on a Layer 2 interface.
Before You Begin
The interface must be configured as a Layer 2 interface.
If the interface is configured with the ip port access-group command or the ipv6 port traffic-filter command, you cannot enable MAC packet classification until you remove the ip port access-group and ipv6 port traffic-filter commands from the interface configuration.
Summary Steps
1. configure terminal
2. Enter one of the following commands:
   interface ethernet slot/port
   interface port-channel channel-number
3. [no] mac packet-classify
4. (Optional) Enter one of the following commands:
   show running-config interface ethernet slot/port
   show running-config interface port-channel channel-number
Verifying the MAC ACL Configuration
To display MAC ACL configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
Command: show mac access-lists
Purpose: Displays the MAC ACL configuration.

Command: show running-config aclmgr [all]
Purpose: Displays the ACL configuration, including MAC ACLs and the interfaces to which MAC ACLs are applied. Beginning with Cisco NX-OS Release 5.2, this command displays only the user-configured ACLs in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.

Command: show startup-config aclmgr [all]
Purpose: Displays the ACL startup configuration. Beginning with Cisco NX-OS Release 5.2, this command displays only the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.
Monitoring and Clearing MAC ACL Statistics
Use the show mac access-lists command to monitor statistics about a MAC ACL, including the number of packets that have matched each rule.
To monitor or clear MAC ACL statistics, use one of the commands in this table. For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
Command: show mac access-lists
Purpose: Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule.

Command: clear mac access-list counters
Purpose: Clears statistics for all MAC ACLs or for a specific MAC ACL.
Configuration Example for MAC ACLs
The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:
mac access-list acl-mac-01
permit 00c0.4f00.0000 0000.00ff.ffff any
interface ethernet 2/1
mac port access-group acl-mac-01
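The configuration example above, the resequence procedure in Changing Sequence Numbers in a MAC ACL, and the per-entry hit counters described under Monitoring and Clearing MAC ACL Statistics can all be checked offline with the following model before a rule set is pushed to a switch. This is an added example written for this page; it is not Cisco NX-OS code and not something the switch exposes. It assumes that the value following a MAC address is a wildcard mask in which a 1 bit means "do not care" (which is what the page's own rule permit 00c0.4f00.0000 0000.00ff.ffff any implies: match the 00c0.4f OUI), that rules entered without a sequence number are numbered 10, 20, 30 and so on, and that only permit/deny rules with a source and destination are modelled. The class names, the helper functions, the deny any any rule and the sample frames are all constructed for the example.

```python
"""Added example: offline model of NX-OS MAC ACL matching, resequencing and
per-entry counters. Not Cisco code; see the assumptions in the surrounding text."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MacSpec = Optional[Tuple[int, int]]   # (address, wildcard mask); None means 'any'
MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Parse a dotted-hex MAC (xxxx.xxxx.xxxx) or colon-separated MAC to an int."""
    digits = mac.replace(".", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def spec_matches(spec: MacSpec, mac: int) -> bool:
    """Wildcard compare (assumption: 1 bit in the mask = do not care)."""
    if spec is None:
        return True
    addr, wildcard = spec
    care = ~wildcard & MAC_BITS
    return (mac & care) == (addr & care)


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[MacSpec, int]:
    """Consume 'any' or '<addr> <wildcard>' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    return (mac_to_int(tokens[i]), mac_to_int(tokens[i + 1])), i + 2


@dataclass
class Rule:
    seq: int
    action: str      # 'permit' or 'deny'
    src: MacSpec
    dst: MacSpec
    hits: int = 0    # what 'statistics per-entry' would count for this rule


@dataclass
class MacAcl:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def add(self, line: str, seq: Optional[int] = None) -> Rule:
        """Add one rule in NX-OS syntax; the list stays sorted by sequence number.
        Protocol, VLAN and CoS qualifiers are rejected rather than silently ignored."""
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"rule must start with permit or deny: {line!r}")
        src, i = _parse_endpoint(tokens, 1)
        dst, i = _parse_endpoint(tokens, i)
        if i != len(tokens):
            raise ValueError(f"unsupported qualifier {tokens[i:]!r} in {line!r}")
        if seq is None:   # assumed default numbering: 10, 20, 30, ...
            seq = (self.rules[-1].seq + 10) if self.rules else 10
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use in {self.name}")
        rule = Rule(seq, tokens[0], src, dst)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return rule

    def evaluate(self, src_mac: str, dst_mac: str) -> str:
        """First matching rule wins and gets a hit; no match is an implicit deny."""
        s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
        for rule in self.rules:
            if spec_matches(rule.src, s) and spec_matches(rule.dst, d):
                rule.hits += 1
                return rule.action
        return "deny"

    def resequence(self, start: int, increment: int) -> List[int]:
        """Mirror 'resequence mac access-list <name> <start> <increment>':
        renumber in the existing order so match precedence does not change."""
        for n, rule in enumerate(self.rules):
            rule.seq = start + n * increment
        return [r.seq for r in self.rules]

    def clear_counters(self) -> None:
        """Mirror 'clear mac access-list counters <name>'."""
        for rule in self.rules:
            rule.hits = 0


def build_example_acl() -> MacAcl:
    """The page's acl-mac-01 plus a constructed 'deny any any' so denials are counted."""
    acl = MacAcl("acl-mac-01")
    acl.add("permit 00c0.4f00.0000 0000.00ff.ffff any")   # rule from the page
    acl.add("deny any any")                                # constructed for the example
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    # Constructed frames: one from the permitted OUI, one from another OUI.
    print(acl.evaluate("00c0.4f12.3456", "ffff.ffff.ffff"))   # permit
    print(acl.evaluate("00c1.4f12.3456", "0011.2233.4455"))   # deny
    print(acl.resequence(100, 10))                            # [100, 110]
    print([r.hits for r in acl.rules])                        # [1, 1]
```

The explicit deny any any at the end is redundant with the implicit deny, but it is the only way to get a hit count for dropped frames in show mac access-lists, which is why operators commonly add it when statistics per-entry is configured. Note that resequencing only renumbers; if a rule needs to move ahead of another, it has to be removed and re-added with a lower sequence number.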
Additional References for MAC ACLs
Related Topic: MAC ACL commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Cisco Nexus 7000 Series NX-OS Security Command Reference
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Feature History for MAC ACLs
This table lists the release history for this feature.
Table 2 Feature History for MAC ACLs
Updated for M2 Series modules.
Updated for F2 Series modules.
Changed the show running-config aclmgr and show startup-config aclmgr commands to display only the user-configured ACLs (and not also the default CoPP-configured ACLs) in the running and startup configurations.
Support was added for up to 128,000 ACL entries when using an XL line card, provided a scalable services license is installed.