Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “New and Changed Information” chapter or the Feature History
Information About MAC ACLs
MAC ACLs are ACLs that use information in the Layer 2 header of packets to filter traffic. MAC ACLs share many fundamental concepts with IP ACLs, including support for virtualization.
This table shows the licensing requirements for this feature.
MAC ACLs require no license. However, to support up to 128K ACL entries using an XL line card, you must install the scalable services license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Prerequisites for MAC ACLs
There are no prerequisites for configuring MAC ACLs.
Limitations for MAC ACLs
MAC ACLs have the following configuration guidelines and limitations:
MAC ACLs apply to ingress traffic only.
ACL statistics are not supported if the DHCP snooping feature is enabled.
Default Settings for MAC ACLs
This table lists the default settings for MAC ACL parameters.
Changing Sequence Numbers in a MAC ACL
You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.
1. configure terminal
2. resequence mac access-list name starting-sequence-number increment
3. (Optional) show mac access-lists name
4. (Optional) copy running-config startup-config
Command or Action / Purpose
Step 1: configure terminal
    Example: switch# configure terminal
    Enters global configuration mode.
Step 2: resequence mac access-list name starting-sequence-number increment
    Example: switch(config)# resequence mac access-list acl-mac-01 100 10
    Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the number specified by the starting-sequence-number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment number that you specify.
Step 3: (Optional) show mac access-lists name
    Displays the MAC ACL configuration.
Step 4: (Optional) copy running-config startup-config
    Copies the running configuration to the startup configuration.
You can enable or disable MAC packet classification on a Layer 2
Before You Begin
The interface must be configured as a Layer 2 interface.
If the interface is configured with the ip port access-group command or the ipv6 port traffic-filter command, you cannot enable MAC packet classification until you remove the ip port access-group and ipv6 port traffic-filter commands from the
2. Enter one of the following commands:
(Optional) Enter one of the following commands:
running-config interface ethernet
To display MAC ACL configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
show mac access-lists
    Displays the MAC ACL configuration.
show running-config aclmgr
    Displays the ACL configuration, including MAC ACLs and the interfaces to which MAC ACLs are applied.
    Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.
show startup-config aclmgr [all]
    Displays the ACL startup configuration.
    Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.
Monitoring and Clearing MAC ACL Statistics
Use the show mac access-lists command to monitor statistics about a MAC ACL, including the number of packets that have matched each rule.
To monitor or clear MAC ACL statistics, use one of the commands in this table. For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
show mac access-lists
    Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule.
clear mac access-list counters
    Clears statistics for all MAC ACLs or for a specific MAC ACL.
Configuration Example for MAC ACLs
The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:
mac access-list acl-mac-01
permit 00c0.4f00.0000 0000.00ff.ffff any
interface ethernet 2/1
mac port access-group acl-mac-01
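As an added illustration (not code from this page or from Cisco) of how the rule in this example filters frames, and of what the resequence command in the procedure above does to an ACL, the following Python models first-match evaluation of a MAC ACL. It assumes the MAC mask is a wildcard mask (set bits are ignored when comparing) and that an unmatched frame hits an implicit deny; the two extra rules and the MAC addresses are constructed sample data.

```python
# Added illustration (not Cisco code): how the MAC ACL above is evaluated and
# what 'resequence mac access-list acl-mac-01 100 10' does. Assumptions: the
# MAC mask is a wildcard mask (1 bits = "don't care"), the first matching rule
# wins, and a frame that matches no rule hits an implicit deny.

ANY = (0, 0xFFFFFFFFFFFF)  # the 'any' keyword: every bit is "don't care"

def mac_to_int(mac: str) -> int:
    """Convert dotted-hex 'aabb.ccdd.eeff' to a 48-bit integer."""
    return int(mac.replace(".", ""), 16)

def _endpoint(tokens, i):
    """Read 'any' or 'addr mask' at tokens[i]; return ((addr, mask), next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    return (mac_to_int(tokens[i]), mac_to_int(tokens[i + 1])), i + 2

def parse_rule(line: str) -> dict:
    """Parse '<seq> permit|deny <src> <dst>' as listed by 'show mac access-lists'."""
    tokens = line.split()
    src, i = _endpoint(tokens, 2)
    dst, _ = _endpoint(tokens, i)
    return {"seq": int(tokens[0]), "action": tokens[1], "src": src, "dst": dst}

def matches(endpoint, mac: str) -> bool:
    """A MAC matches when its non-wildcard bits equal the rule's address bits."""
    addr, wildcard = endpoint
    return (mac_to_int(mac) & ~wildcard) == (addr & ~wildcard)

def evaluate(rules, src_mac: str, dst_mac: str):
    """Return (action, seq) of the first matching rule, or ('deny', None)."""
    for rule in sorted(rules, key=lambda r: r["seq"]):
        if matches(rule["src"], src_mac) and matches(rule["dst"], dst_mac):
            return rule["action"], rule["seq"]
    return "deny", None

def resequence(rules, start: int, increment: int):
    """Renumber rules in order: the first gets 'start', each next adds 'increment'."""
    ordered = sorted(rules, key=lambda r: r["seq"])
    return [dict(r, seq=start + n * increment) for n, r in enumerate(ordered)]

# Constructed sample ACL: the page's OUI rule plus two made-up rules for contrast.
ACL_LINES = [
    "10 permit 00c0.4f00.0000 0000.00ff.ffff any",  # any device with OUI 00c0.4f
    "20 permit 0011.2233.4455 0000.0000.0000 any",  # one exact source host
    "30 deny any ffff.ffff.ffff 0000.0000.0000",    # frames to the broadcast MAC
]

def load_acl(lines=ACL_LINES):
    return [parse_rule(line) for line in lines]
```

Because the switch applies the ACL to ingress traffic only, the evaluation above corresponds to frames arriving on the interface where the ACL is bound, not frames leaving it.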
Additional References for MAC ACLs
MAC ACL commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
    Cisco Nexus 7000 Series NX-OS Security Command Reference
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Feature History for MAC ACLs
This table lists the release history for this feature.
Table 2 Feature History for MAC ACLs
Updated for M2 Series modules.
Updated for F2 Series modules.
Changed the show running-config aclmgr and show startup-config aclmgr commands to display only the user-configured ACLs (and not also the default CoPP-configured ACLs) in the running and startup configurations.
Support was added for up to 128,000 ACL entries when using an XL line card, provided a scalable services license is installed.