Prerequisites for MAC Layer 2 Access Control Lists
- Knowledge of how service instances are configured.
- Knowledge of extended MAC ACLs and how they are configured.
The ability to filter packets in a modular and scalable way is important for both network security and network management. Access Control Lists (ACLs) provide the capability to filter packets at a fine granularity. MAC ACLs are ACLs that filter traffic using information in the layer 2 header of each packet.
Layer 2 MAC ACLs allow the permission or denial of the packets based on the MAC source and destination addresses. This module describes how to implement MAC ACLs.
The following limitations and configuration guidelines apply when configuring MAC Layer 2 ACLs:
- MAC ACLs are supported only at the port level.
- Classification based on QoS ACLs is not supported for MAC ACLs.
- MAC ACLs apply only to ingress traffic.
- MAC ACLs are not supported on EVCs.
- MAC ACLs are not supported on VLAN interfaces.
- A MAC ACL occupies a Layer 2 ACL slice, subject to the availability of Ingress Field Processor (IFP) slices.
- MAC ACLs are supported on 1G and 10G interfaces.
- MAC ACLs are supported on Gigabit Ethernet interfaces and their bundle derivatives.
- MAC ACLs are not supported on Multilink Point-to-Point (MLPPP) interfaces.
- MAC ACLs and IP ACLs cannot be applied together on the same interface.
- Only named MAC ACLs are supported.
- MAC ACLs share many fundamental concepts with IP ACLs, including configuration and limitations.
- A maximum of 128 entries can be configured per MAC ACL slice.
Perform this task to create a Layer 2 ACL with a single ACE.
Step | Command or Action | Purpose
---|---|---
1 | enable | Enables privileged EXEC mode.
2 | configure terminal | Enters global configuration mode.
3 | mac-access-list extended name | Defines an extended MAC ACL and enters MAC access list configuration mode.
4 | permit {src-mac mask \| any} {dest-mac mask \| any} | Allows forwarding of Layer 2 traffic if the conditions are matched. Creates an ACE for the ACL.
Perform this task to configure the MAC layer 2 ACL on an interface.
Step | Command or Action | Purpose
---|---|---
1 | enable | Enables privileged EXEC mode.
2 | configure terminal | Enters global configuration mode.
3 | mac-access-list extended name | Defines an extended MAC ACL and enters MAC access list configuration mode.
4 | permit {host src-mac \| src-mac mask \| any} {host dest-mac \| dest-mac mask \| any} | Allows forwarding of Layer 2 traffic if the conditions are matched. This creates an ACE for the ACL.
5 | deny any any | Prevents forwarding of all Layer 2 traffic not matched by an earlier permit ACE.
6 | exit | Exits the current command mode and returns to global configuration mode.
7 | interface type number | Specifies the interface.
8 | mac access-group access-list-name in | Applies the MAC ACL to incoming traffic on the interface.
!
permit host 0001.0001.0001 host 0002.0002.0002 sequence 10
deny any any sequence 20
permit any any sequence 30
.
.
.
.
!
interface GigabitEthernet0/0
no ip address
negotiation auto
mac access-group scale in
end
#sh access-lists macacl
Extended MAC access list macacl
permit host 0001.0001.0001 host 0002.0002.0002 sequence 10
deny any any sequence 20
permit any any sequence 30
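ACEs are evaluated top down by sequence number, and the first match wins, so in the ACL above "permit any any sequence 30" can never be reached because "deny any any sequence 20" already matches every frame. The following added Python model (not Cisco code; the sample ACL is constructed from the three entries shown above) parses the show output, performs the first-match lookup with the implicit deny at the end, and flags ACEs that are fully shadowed by an earlier entry; it assumes the mask is a wildcard in which 1 bits are ignored, as for IP ACL wildcard masks.

```python
ALL_ONES = (1 << 48) - 1  # wildcard mask that ignores every bit ("any")
# Constructed sample: the three ACEs this page shows, as "show access-lists" prints them.
SAMPLE_ACL = """\
permit host 0001.0001.0001 host 0002.0002.0002 sequence 10
deny any any sequence 20
permit any any sequence 30
"""
def mac_to_int(mac):
    """Dotted-hex H.H.H notation to a 48-bit integer."""
    return int(mac.replace(".", ""), 16)
def _parse_side(tokens):
    """Consume one address specifier (any | host H.H.H | H.H.H mask) -> (addr, wildcard_mask).
    Mask convention assumed here: a 1 bit means the bit is ignored when matching."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return mac_to_int(tokens.pop(0)), 0
    return mac_to_int(tok), mac_to_int(tokens.pop(0))
def parse_acl(text):
    """Parse ACE lines into (seq, action, (src, mask), (dst, mask)) sorted by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, src, dst = tokens.pop(0), _parse_side(tokens), _parse_side(tokens)
        # explicit "sequence N" if present, otherwise IOS-style defaults of 10, 20, ...
        seq = int(tokens[tokens.index("sequence") + 1]) if "sequence" in tokens else 10 * (len(aces) + 1)
        aces.append((seq, action, src, dst))
    return sorted(aces)
def _matches(value, spec):
    addr, mask = spec
    return (value ^ addr) & ~mask & ALL_ONES == 0  # compare only the bits the mask does not ignore
def evaluate(aces, src_mac, dst_mac):
    """First-match lookup returning (action, seq); unmatched frames hit the implicit deny."""
    src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
    for seq, action, src_spec, dst_spec in aces:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action, seq
    return "deny", None
def _covers(a_spec, b_spec):
    """True if every address matching spec b also matches spec a."""
    (a_addr, a_mask), (b_addr, b_mask) = a_spec, b_spec
    care = ~a_mask & ALL_ONES  # bits spec a actually compares
    return b_mask & care == 0 and (a_addr ^ b_addr) & care == 0
def shadowed(aces):
    """Sequence numbers of ACEs that can never be hit because an earlier ACE covers them fully."""
    return [b[0] for i, b in enumerate(aces)
            if any(_covers(a[2], b[2]) and _covers(a[3], b[3]) for a in aces[:i])]
if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    print(evaluate(aces, "0001.0001.0001", "0003.0003.0003"), "shadowed:", shadowed(aces))
```

Running the model against the page's ACL reports sequence 30 as shadowed, which is the kind of unreachable entry worth catching before the ACL is applied with mac access-group.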
Use the following command to verify the configuration of MAC layer 2 ACL on an interface:
#sh run int g0/0
Building configuration...
Current configuration : 106 bytes
!
interface GigabitEthernet0/0
no ip address
negotiation auto
mac access-group scale in
end