This chapter describes how to configure MAC access lists (ACLs) on NX-OS devices.
This chapter includes the following sections:
•Verifying MAC ACL Configurations
•Displaying and Clearing MAC ACL Statistics
•Example Configuration for MAC ACLs
MAC ACLs are ACLs that filter traffic using information in the Layer 2 header of each packet.
MAC ACLs have the following prerequisites:
•To configure MAC ACLs, you must be familiar with MAC addressing and non-IP protocols.
•You are familiar with the concepts in the "Information About ACLs" section.
This section includes the following topics:
•Changing Sequence Numbers in a MAC ACL
•Applying a MAC ACL as a Port ACL
Use this procedure to create a MAC ACL and add rules to it.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
1. config t
2. mac access-list name
3. {permit | deny} source destination protocol
4. statistics per-entry
5. show mac access-lists name
6. copy running-config startup-config
Use this procedure to change an existing MAC ACL, such as by adding or removing rules.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•In an existing MAC ACL, you cannot change existing rules.
•In an existing MAC ACL, you can add and remove rules.
•Use the resequence command to reassign sequence numbers, such as when adding rules between existing sequence numbers.
1. config t
2. mac access-list name
3. [sequence-number] {permit | deny} source destination protocol
4. no {sequence-number | {permit | deny} source destination protocol}
5. [no] statistics per-entry
6. show mac access-lists name
7. copy running-config startup-config
Use this procedure to remove a MAC ACL.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Make sure that you know whether the ACL is applied to an interface.
•You can remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, removed ACLs are considered empty.
•To find the interfaces that a MAC ACL is configured on, use the show mac access-lists command with the summary keyword.
1. config t
2. no mac access-list name
3. show mac access-lists name summary
4. copy running-config startup-config
Use this procedure to change sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers. For more information, see the "About Rules" section.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
1. config t
2. resequence mac access-list name starting-sequence-number increment
3. show mac access-lists name
4. copy running-config startup-config
Use this procedure to apply a MAC ACL as a port ACL.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Make sure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application. For more information about configuring MAC ACLs, see the "Configuring MAC ACLs" section.
•A MAC ACL can also be applied to a port using a port profile. For more information, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(1).
1. config t
2. interface vethernet port
3. mac port access-group access-list [in | out]
4. show running-config aclmgr
5. copy running-config startup-config
To display MAC ACL configuration information, use one of the following commands:
For detailed information about the fields in the output from these commands, see the Cisco NX-OS Security Command Reference.
Use the following commands to display or clear statistics about a MAC ACL, including the number of packets that have matched each rule.
For detailed information about these commands, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:
mac access-list acl-mac-01
permit 00c0.4f00.0000 0000.00ff.ffff any
interface vethernet 35
mac port access-group acl-mac-01 in
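The evaluation semantics behind the procedures above, as an added example that is not part of the Cisco guide: a small Python model of a MAC ACL with sequence-numbered rules, Cisco-style wildcard masks, per-entry hit counters, the implicit deny at the end of the list, and the resequence operation, driven with the page's acl-mac-01 rule. The class and function names (MacAcl, addr_matches, demo), the sample frames, and the exact-match default mask are this example's own assumptions.

```python
# Added example (not Cisco code): a model of NX-OS MAC ACL evaluation. Rules are
# tried in sequence order, first match wins, unmatched frames hit the implicit deny.
MAC_BITS = 0xFFFFFFFFFFFF

def mac_to_int(mac):
    return int(mac.replace(".", ""), 16)  # dotted hex such as 00c0.4f00.0000

def addr_matches(addr, mask, frame_addr):
    """'any' matches all; otherwise a 1 bit in the wildcard mask means don't care."""
    if addr == "any":
        return True
    care = ~mac_to_int(mask) & MAC_BITS
    return mac_to_int(addr) & care == mac_to_int(frame_addr) & care

class MacAcl:
    def __init__(self, name):
        self.name, self.rules = name, []  # rule dicts kept sorted by "seq"

    def add_rule(self, action, src, dst, src_mask="0000.0000.0000",
                 dst_mask="0000.0000.0000", seq=None):
        if seq is None:  # like NX-OS, default to 10 past the last rule
            seq = (max((r["seq"] for r in self.rules), default=0) // 10 + 1) * 10
        self.rules.append(dict(seq=seq, action=action, src=src, src_mask=src_mask,
                               dst=dst, dst_mask=dst_mask, matches=0))
        self.rules.sort(key=lambda r: r["seq"])

    def evaluate(self, frame_src, frame_dst):
        """Return (action, seq) of the first match; counters mirror 'statistics per-entry'."""
        for r in self.rules:
            if (addr_matches(r["src"], r["src_mask"], frame_src)
                    and addr_matches(r["dst"], r["dst_mask"], frame_dst)):
                r["matches"] += 1
                return r["action"], r["seq"]
        return "deny", None  # the implicit deny at the end of every MAC ACL

    def resequence(self, start, increment):
        """Mirror 'resequence mac access-list name start increment'."""
        for i, r in enumerate(self.rules):
            r["seq"] = start + i * increment
        return [r["seq"] for r in self.rules]

def demo():
    # The page's acl-mac-01: one permit for the 00c0.4f OUI, then an inserted deny.
    acl = MacAcl("acl-mac-01")
    acl.add_rule("permit", "00c0.4f00.0000", "any", src_mask="0000.00ff.ffff")  # seq 10
    hits = [acl.evaluate("00c0.4f12.3456", "ffff.ffff.ffff"),  # permitted by OUI match
            acl.evaluate("0011.2233.4455", "ffff.ffff.ffff")]  # falls to implicit deny
    acl.add_rule("deny", "00c0.4f00.0001", "any", seq=5)  # sits before seq 10
    hits.append(acl.evaluate("00c0.4f00.0001", "ffff.ffff.ffff"))  # deny now wins
    return hits, acl.resequence(10, 10)  # renumber to 10, 20
```

Inserting the deny at sequence 5 is exactly the case where resequencing earns its keep: once the list is renumbered 10, 20 there is room again to add rules between existing entries.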
Table 9-1 lists the default settings for MAC ACL parameters.
| Parameters | Default |
|---|---|
| MAC ACLs | No MAC ACLs exist by default |
| ACL rules | Implicit rules apply to all ACLs (see the "Implicit Rules" section) |
For additional information related to implementing MAC ACLs, see the following sections:
| Related Topic | Document Title |
|---|---|
| Concepts about ACLs | |
| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |
This section provides the MAC ACL release history.
| Feature Name | Releases | Feature Information |
|---|---|---|
| MAC ACL | 4.0 | This feature was introduced. |