Configuring MAC ACLs

This chapter contains the following sections:

  • Prerequisites for MAC ACLs
  • Guidelines and Limitations for MAC ACLs
  • Default Settings for MAC ACLs
  • Configuring MAC ACLs
  • Verifying MAC ACL Configurations
  • Monitoring MAC ACLs
  • Configuration Examples for MAC ACLs
  • Feature History for MAC ACLs

Prerequisites for MAC ACLs

  • You must be familiar with MAC addressing and non-IP protocols to configure MAC ACLs.
  • You must be familiar with the ACL concepts presented in this document.

Guidelines and Limitations for MAC ACLs

ACLs are not supported in port channels.

Default Settings for MAC ACLs

  Parameters    Default
  MAC ACLs      No MAC ACLs exist by default.
  ACL rules     Implicit rules apply to all ACLs.

Configuring MAC ACLs

Creating a MAC ACL

Use this procedure to create a MAC ACL and add rules to it. You can also use this procedure to add the ACL to a port profile.

Before You Begin

Before beginning this procedure, you must be sure you have done the following:

  • Logged in to the CLI in EXEC mode.
  • Have a name to assign to the ACL you are creating.
  • Created a port profile if you want to add the ACL to it.

If you also want to add the ACL to a port profile, you must know the following:

  • If you are using an existing port profile, you have already created it and you know its name.
  • If you are creating a new port profile, the interface type (Ethernet or vEthernet) and the name you want to give the port profile.
  • The direction of packet flow for the access list.
Procedure

  Step 1  switch# configure terminal
          Places you into global configuration mode.

  Step 2  switch(config)# mac access-list name
          Creates the MAC ACL and enters ACL configuration mode.

  Step 3  switch(config-mac-acl)# {permit | deny} source destination protocol
          Creates a rule in the MAC ACL.
          The permit and deny keywords support many ways of identifying traffic. See the Cisco Nexus 1000V Command Reference for more information.

  Step 4  switch(config-mac-acl)# statistics per-entry   (Optional)
          Specifies that the device maintains global statistics for packets that match the rules in the ACL.

  Step 5  switch(config-mac-acl)# show mac access-lists name   (Optional)
          Displays the MAC ACL configuration for verification.

  Step 6  switch(config-mac-acl)# copy running-config startup-config   (Optional)
          Copies the running configuration to the startup configuration.

  switch# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch(config)# mac access-list acl-mac-01
  switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
  switch(config-mac-acl)# statistics per-entry
  switch(config-mac-acl)# show mac access-lists acl-mac-01

  MAC ACL acl-mac-01
      statistics per-entry
      10 permit 00c0.4f00.0000 0000.00ff.ffff any
  switch# copy running-config startup-config

Changing a MAC ACL

Use this procedure to change an existing MAC ACL, for example, to add or remove rules.

Use the resequence command to reassign sequence numbers, such as when adding rules between existing sequence numbers.

Before You Begin

  • Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
  • In an existing MAC ACL, you cannot change existing rules.
  • In an existing MAC ACL, you can add and remove rules.
Procedure

  Step 1  switch# configure terminal
          Places you into global configuration mode.

  Step 2  switch(config)# mac access-list name
          Creates the MAC ACL and enters ACL configuration mode.

  Step 3  switch(config-mac-acl)# [sequence-number] {permit | deny} source destination protocol   (Optional)
          Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
          The permit and deny keywords support many ways of identifying traffic. See the Cisco Nexus 1000V for Hyper-V Command Reference for more information.

  Step 4  switch(config-mac-acl)# no {sequence-number | {permit | deny} source destination protocol}   (Optional)
          Removes the rule that you specify from the MAC ACL.
          The permit and deny keywords support many ways of identifying traffic. See the Cisco Nexus 1000V Command Reference for more information.

  Step 5  switch(config-mac-acl)# [no] statistics per-entry
          Specifies that the device maintains global statistics for packets that match the rules in the ACL.
          The no option stops the device from maintaining global statistics for the ACL.

  Step 6  switch(config-mac-acl)# show mac access-lists name   (Optional)
          Displays the MAC ACL configuration for verification.

  Step 7  switch(config-mac-acl)# copy running-config startup-config
          Copies the running configuration to the startup configuration.

  switch# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch(config)# show mac access-lists

  MAC ACL acl-mac-01
          statistics per-entry
          10 permit 00c0.4f00.0000 0000.00ff.ffff any
  switch(config)# mac access-list acl-mac-01
  switch(config-mac-acl)# permit f866.f222.e5a6 ffff.ffff.ffff any
  switch(config-mac-acl)# no 10
  switch(config-mac-acl)# no statistics per-entry
  switch(config-mac-acl)# end
  switch# show mac access-lists

  MAC ACL acl-mac-01
          20 permit f866.f222.e5a6 ffff.ffff.ffff any
  switch# copy running-config startup-config

Removing a MAC ACL

You can remove a MAC ACL from the switch. Be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.

To find the interfaces that a MAC ACL is configured on, use the show mac access-lists command with the summary keyword.

Before You Begin

Before beginning this procedure, be sure of the following:

  • You are logged in to the CLI in EXEC mode.
  • You know whether the ACL is applied to an interface.
Procedure

  Step 1  switch# configure terminal
          Places you into global configuration mode.

  Step 2  switch(config)# no mac access-list name
          Removes the specified MAC ACL from the running configuration.

  Step 3  switch(config)# show mac access-lists name summary   (Optional)
          Displays the MAC ACL configuration. If the ACL remains applied to an interface, the command lists the interfaces.

  Step 4  switch(config)# copy running-config startup-config   (Optional)
          Copies the running configuration to the startup configuration.

  switch# configure terminal
  switch(config)# no mac access-list acl-mac-01
  switch(config)# show mac access-lists acl-mac-01 summary
  MAC ACL acl-mac-01
  switch(config)# copy running-config startup-config

Changing Sequence Numbers in a MAC ACL

Use this procedure to change the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.

Before You Begin

Before beginning this procedure, you must be logged in to the CLI in EXEC mode.

Procedure
  Step 1  switch# configure terminal
          Places you into global configuration mode.

  Step 2  switch(config)# resequence mac access-list name starting-sequence-number increment
          Assigns sequence numbers to the rules contained in the ACL. The first rule receives the starting sequence number that you specify, and each subsequent rule receives a number larger than the preceding rule by the increment that you specify.

  Step 3  switch(config-mac-acl)# show mac access-lists name   (Optional)
          Displays the MAC ACL configuration for verification.

  Step 4  switch(config)# copy running-config startup-config   (Optional)
          Copies the running configuration to the startup configuration.

  switch# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch(config)# show mac access-lists acl-mac-01

  MAC ACL acl-mac-01
      10 permit 00c0.4f00.0000 0000.00ff.ffff any
      20 permit f866.f222.e5a6 ffff.ffff.ffff any
  switch(config)# resequence mac access-list acl-mac-01 100 10
  switch(config)# show mac access-lists acl-mac-01

  MAC ACL acl-mac-01
      100 permit 00c0.4f00.0000 0000.00ff.ffff any
      110 permit f866.f222.e5a6 ffff.ffff.ffff any
  switch(config)# copy running-config startup-config

Applying a MAC ACL as a Port ACL

You can apply a MAC ACL as a port ACL to any of the following interface types:

  • Physical Ethernet interfaces
  • Virtual Ethernet interfaces

A MAC ACL can also be applied to a port profile attached to a physical Ethernet interface or a virtual Ethernet interface.

Note: An ACL cannot be applied to a port-channel interface. However, it can be applied to a physical Ethernet interface that is not part of the port-channel.

Before You Begin

Before beginning this procedure, be sure of the following:

  • You are logged in to the CLI in EXEC mode.
  • The ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application.
Procedure

  Step 1  switch# configure terminal
          Places you into global configuration mode.

  Step 2  switch(config)# interface {ethernet | vethernet} port
          Places you into interface configuration mode for the specified interface.

  Step 3  switch(config-if)# mac port access-group access-list [in | out]
          Applies a MAC ACL to the interface.

  Step 4  switch(config-if)# show running-config aclmgr   (Optional)
          Displays the ACL configuration.

  Step 5  switch(config-if)# copy running-config startup-config   (Optional)
          Copies the running configuration to the startup configuration.

  switch# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch(config)# interface ethernet 1
  switch(config-if)# mac port access-group acl-mac-01 in
  switch(config-if)# show running-config aclmgr

  !Command: show running-config aclmgr
  !Time: Wed Mar 13 03:38:02 2013

  version 5.2(1)SK1(2.1)
  mac access-list acl-mac-01
      100 permit 00C0.4F00.0000 0000.00FF.FFFF any
      110 permit F866.F222.E5A6 FFFF.FFFF.FFFF any

  interface Vethernet1
    mac port access-group acl-mac-01 in
  switch(config-if)# copy running-config startup-config

Adding a MAC ACL to a Port Profile

Before You Begin

Before beginning this procedure, be sure you have done the following:

  • Logged in to the CLI in EXEC mode.
  • Created the MAC ACL to add to this port profile and know its name.
  • If you are using an existing port profile, know its name.
  • If you are creating a new port profile, know the interface type (Ethernet or vEthernet) and the name you want to give the profile.
  • Know the direction of packet flow for the access list.
Procedure

  Step 1  switch# configure terminal
          Places you into global configuration mode.

  Step 2  switch(config)# port-profile [type {ethernet | vethernet}] name
          Places you in port profile configuration mode for the named port profile.

  Step 3  switch(config-port-prof)# mac port access-group name {in | out}
          Adds the named ACL to the port profile for either inbound or outbound traffic.

  Step 4  switch(config-port-prof)# show port-profile name profile-name   (Optional)
          Displays the configuration for verification.

  Step 5  switch(config-port-prof)# copy running-config startup-config   (Optional)
          Copies the running configuration to the startup configuration.

  switch# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch(config)# port-profile vm_eth1
  switch(config-port-prof)# mac port access-group acl-mac-01 out
  switch(config-port-prof)# show port-profile name vm_eth1

  port-profile vm_eth1
  type: Vethernet
  description:
  status: enabled
  max-ports: 32
  min-ports: 1
  inherit:
  config attributes:
  mac port access-group acl-mac-01 out
  no shutdown
  evaluated config attributes:
  mac port access-group acl-mac-01 out
  no shutdown
  assigned interfaces:
  port-group: vm_eth1
  system vlans: none
  capability l3control: no
  capability iscsi-multipath: no
  capability vxlan: no
  capability l3-vn-service: no
  port-profile role: none
  port-binding: static

  switch(config-port-prof)# copy running-config startup-config

Verifying MAC ACL Configurations

Use one of the following commands to verify the configuration:

  Command                          Purpose
  show mac access-lists            Displays the MAC ACL configuration.
  show mac access-lists summary    Displays a summary of all configured MAC ACLs or a named MAC ACL.
  show running-config aclmgr       Displays the ACL configuration, including MAC ACLs and the interfaces they are applied to.
  show running-config interface    Displays the configuration of the interface to which you applied the ACL.

Monitoring MAC ACLs

Use the following commands for MAC ACL monitoring:

  Command                          Purpose
  show mac access-lists            Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule.
  clear mac access-list counters   Clears statistics for all MAC ACLs or for a specific MAC ACL.

Configuration Examples for MAC ACLs

Configuration Example for Creating a MAC ACL for any Protocol

This example shows how to create a MAC ACL named acl-mac-01, apply it as a port ACL on a physical Ethernet interface that is not a member of a port-channel, and verify the configuration, including the match counters:

  switch# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch(config)# mac access-list acl-mac-01
  switch(config-mac-acl)# 100 permit 00c0.4f00.0000 0000.00ff.ffff any
  switch(config-mac-acl)# 110 permit f866.f222.e5a6 ffff.ffff.ffff any
  switch(config-mac-acl)# statistics per-entry
  switch(config-mac-acl)# end
  switch# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch(config)# interface ethernet 3/5
  switch(config-if)# mac port access-group acl-mac-01 out
  switch(config-if)# show mac access-lists acl-mac-01 summary

  MAC ACL acl-mac-01
      statistics per-entry
      Total ACEs Configured:2
      Configured on interfaces:
          Ethernet3/5 - egress (Port ACL)
      Active on interfaces:
          Ethernet3/5 - egress (Port ACL)
  switch(config-if)# show mac access-lists acl-mac-01

  MAC ACL acl-mac-01
      statistics per-entry
      100 permit 00c0.4f00.0000 0000.00ff.ffff any [match=0]
      110 permit f866.f222.e5a6 ffff.ffff.ffff any [match=546]
  switch(config-if)# clear mac access-list counters
  switch(config-if)# show mac access-lists acl-mac-01

  MAC ACL acl-mac-01
      statistics per-entry
      100 permit 00c0.4f00.0000 0000.00ff.ffff any [match=0]
      110 permit f866.f222.e5a6 ffff.ffff.ffff any [match=0]
  switch(config-if)#
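The per-entry match counters shown in the Monitoring section and in the example above are easier to track over time when parsed than when read by eye. The following Python is an added example, not part of the Cisco documentation: it parses the show mac access-lists output format printed in this chapter and reports how far each ACE's counter advanced between two captures; the sample captures are constructed to match that format and are not real switch output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples shaped like this chapter's "show mac access-lists" output (not real captures).
CAPTURE_BEFORE = """MAC ACL acl-mac-01
    statistics per-entry
    100 permit 00c0.4f00.0000 0000.00ff.ffff any [match=0]
    110 permit f866.f222.e5a6 ffff.ffff.ffff any [match=546]
"""
# Later capture of the same ACL (constructed): both counters have advanced.
CAPTURE_AFTER = CAPTURE_BEFORE.replace("[match=0]", "[match=4]").replace("[match=546]", "[match=900]")

# One ACE line: sequence number, action, rule text as printed, optional [match=N] counter.
ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.+?)"
                    r"(?:\s+\[match=(?P<match>\d+)\])?\s*$")

@dataclass
class Ace:
    seq: int
    action: str
    rule: str             # source, destination and protocol text as printed
    match: Optional[int]  # None when statistics per-entry is not enabled

@dataclass
class MacAcl:
    name: str
    statistics: bool = False
    aces: List[Ace] = field(default_factory=list)

def parse_mac_acls(text: str) -> Dict[str, MacAcl]:
    """Parse every ACL in "show mac access-lists" output, keyed by ACL name."""
    acls: Dict[str, MacAcl] = {}
    current: Optional[MacAcl] = None
    for line in text.splitlines():
        if line.startswith("MAC ACL "):
            current = MacAcl(name=line[len("MAC ACL "):].strip())
            acls[current.name] = current
        elif current is None:
            continue
        elif line.strip() == "statistics per-entry":
            current.statistics = True
        elif (m := ACE_RE.match(line)):
            current.aces.append(Ace(int(m["seq"]), m["action"], m["rule"],
                                    int(m["match"]) if m["match"] else None))
    return acls

def counter_deltas(before: MacAcl, after: MacAcl) -> Dict[int, int]:
    """Per-ACE increase in match count between two captures of one ACL."""
    prev = {a.seq: a.match or 0 for a in before.aces}
    return {a.seq: (a.match or 0) - prev.get(a.seq, 0) for a in after.aces}

def hit_aces(acl: MacAcl, action: str) -> List[int]:
    """Sequence numbers of ACEs with the given action that have counted packets."""
    return [a.seq for a in acl.aces if a.action == action and (a.match or 0) > 0]
```

A growing counter on a deny ACE, or a permit ACE that never counts, is the kind of change worth alerting on after clear mac access-list counters has reset a baseline.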
              

Feature History for MAC ACLs

This table only includes updates for those releases that have resulted in additions to the feature.

  Feature Name   Releases                 Feature Information
  MAC ACL        Release 5.2(1)SK1(2.1)   This feature was introduced.

