-
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x
-
Preface
-
New and Changed Information
-
Overview
-
Configuring FIPS
-
Configuring AAA
-
Configuring RADIUS
-
Configuring TACACS+
-
Configuring LDAP
-
Configuring SSH and Telnet
-
Configuring PKI
-
Configuring User Accounts and RBAC
-
Configuring 802.1X
-
Configuring NAC
-
Configuring Cisco TrustSec
-
Configuring IP ACLs
-
Configuring MAC ACLs
-
Configuring VLAN ACLs
-
Configuring Port Security
-
Configuring DHCP
-
Configuring Dynamic ARP Inspection
-
Configuring IP Source Guard
-
Configuring Password Encryption
-
Configuring Keychain Management
-
Configuring Traffic Storm Control
-
Configuring Unicast RPF
-
Configuring Control Plane Policing
-
Configuring Rate Limits
-
Index
-
Feedback
Contents
- Configuring MAC ACLs
- Information About MAC ACLs
- MAC Packet Classification
- Licensing Requirements for MAC ACLs
- Prerequisites for MAC ACLs
- Guidelines and Limitations for MAC ACLs
- Default Settings for MAC ACLs
- Configuring MAC ACLs
- Creating a MAC ACL
- Changing a MAC ACL
- Changing Sequence Numbers in a MAC ACL
- Removing a MAC ACL
- Applying a MAC ACL as a Port ACL
- Applying a MAC ACL as a VACL
- Enabling or Disabling MAC Packet Classification
- Verifying the MAC ACL Configuration
- Monitoring and Clearing MAC ACL Statistics
- Configuration Example for MAC ACLs
- Additional References for MAC ACLs
- Feature History for MAC ACLs
Configuring MAC ACLs
This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices.
This chapter contains the following sections:
- Information About MAC ACLs
- Licensing Requirements for MAC ACLs
- Prerequisites for MAC ACLs
- Guidelines and Limitations for MAC ACLs
- Default Settings for MAC ACLs
- Configuring MAC ACLs
- Verifying the MAC ACL Configuration
- Monitoring and Clearing MAC ACL Statistics
- Configuration Example for MAC ACLs
- Additional References for MAC ACLs
- Feature History for MAC ACLs
Information About MAC ACLs
MAC ACLs are ACLs that use information in the Layer 2 header of packets to filter traffic. MAC ACLs share many fundamental concepts with IP ACLs, including support for virtualization.
MAC Packet Classification
MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.
Related Tasks
Licensing Requirements for MAC ACLs
This table shows the licensing requirements for this feature.
Product
License Requirement
Cisco NX-OS
MAC ACLs require no license. However to support up to 128K ACL entries using an XL line card, you must install the scalable services license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Guidelines and Limitations for MAC ACLs
MAC ACLs have the following configuration guidelines and limitations:
- MAC ACLs apply to ingress traffic only.
- ACL statistics are not supported if the DHCP snooping feature is enabled.
- The maximum number of supported MAC ACL entries is 64K for devices without an XL line card and 128K for devices with an XL line card.
- If you try to apply too many ACL entries to a non-XL line card, the configuration is rejected.
- Each forwarding engine on an F1 Series module supports 1000 ingress ACL entries, with 984 entries available for user configuration. The total number of MAC ACL entries for the F1 Series modules is from 1000 to 16,000, depending on which forwarding engines the policies are applied.
- Each of the 16 forwarding engines in an F1 Series module supports up to 250 IPv6 addresses across multiple ACLs.
- F1 Series modules do not support ACL logging.
- F1 Series modules do not support bank chaining.
- For M Series modules, the mac packet-classify command enables a MAC ACL for port and VLAN policies. For F2 Series modules, the mac packet-classify command enables a MAC ACL for port policies but an IPv4 or IPv6 ACL for VLAN policies.
- Each of the 12 forwarding engines in an F2 Series module has 16,000 total TCAM entries, equally split across two banks. 168 default entries are reserved. Each forwarding engine also has 512 IPv6 compression TCAM entries.
Configuring MAC ACLs
- Creating a MAC ACL
- Changing a MAC ACL
- Changing Sequence Numbers in a MAC ACL
- Removing a MAC ACL
- Applying a MAC ACL as a Port ACL
- Applying a MAC ACL as a VACL
- Enabling or Disabling MAC Packet Classification
Creating a MAC ACL
SUMMARY STEPS
1. configure terminal
2. mac access-list name
3. {permit | deny} source destination protocol
4. (Optional) statistics per-entry
5. (Optional) show mac access-lists name
6. (Optional) copy running-config startup-config
DETAILED STEPSChanging a MAC ACL
Before You BeginSUMMARY STEPSUse the show mac access-lists command with the summary keyword to find the interfaces that a MAC ACL is configured on.
1. configure terminal
2. mac access-list name
3. (Optional) [sequence-number] {permit | deny} source destination protocol
4. (Optional) no {sequence-number | {permit | deny} source destination protocol}
5. (Optional) [no] statistics per-entry
6. (Optional) show mac access-lists name
7. (Optional) copy running-config startup-config
DETAILED STEPSChanging Sequence Numbers in a MAC ACL
SUMMARY STEPSYou can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.
1. configure terminal
2. resequence mac access-list name starting-sequence-number increment
3. (Optional) show mac access-lists name
4. (Optional) copy running-config startup-config
DETAILED STEPSRemoving a MAC ACL
SUMMARY STEPS
1. configure terminal
2. no mac access-list name
3. (Optional) show mac access-lists name summary
4. (Optional) copy running-config startup-config
DETAILED STEPSApplying a MAC ACL as a Port ACL
Before You BeginSUMMARY STEPSEnsure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application.
1. configure terminal
2. Enter one of the following commands:
3. mac port access-group access-list
4. (Optional) show running-config aclmgr
5. (Optional) copy running-config startup-config
DETAILED STEPSEnabling or Disabling MAC Packet Classification
Before You BeginSUMMARY STEPSThe interface must be configured as a Layer 2 interface.
Note
If the interface is configured with the ip port access-group command or the ipv6 port traffic-filter command, you cannot enable MAC packet classification until you remove the ip port access-group and ipv6 port traffic-filter commands from the interface configuration.
1. configure terminal
2. Enter one of the following commands:
3. [no] mac packet-classify
4. (Optional) Enter one of the following commands:
5. (Optional) copy running-config startup-config
DETAILED STEPSRelated Concepts
Verifying the MAC ACL Configuration
To display MAC ACL configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
Command
Purpose
show mac access-lists
Displays the MAC ACL configuration.
show running-config aclmgr [all]
Displays the ACL configuration, including MAC ACLs and the interfaces to which MAC ACLs are applied.
Note Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.
show startup-config aclmgr [all]
Displays the ACL startup configuration.
Note Beginning with Cisco NX-OS Release 5.2, this command displays the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.
Monitoring and Clearing MAC ACL Statistics
Use the show mac access-lists command to monitor statistics about a MAC ACL, including the number of packets that have matched each rule.
To monitor or clear MAC ACL statistics, use one of the commands in this table. For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
Command
Purpose
show mac access-lists
Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule.
clear mac access-list counters
Clears statistics for all MAC ACLs or for a specific MAC ACL.
Configuration Example for MAC ACLs
The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:
mac access-list acl-mac-01 permit 00c0.4f00.0000 0000.00ff.ffff any interface ethernet 2/1 mac port access-group acl-mac-01Feature History for MAC ACLs
This table lists the release history for this feature.
Table 2 Feature History for MAC ACLsFeature Name
Releases
Feature Information
MAC ACLs
6.1(1)
Updated for M2 Series modules.
MAC ACLs
6.0(1)
Updated for F2 Series modules.
MAC ACLs
5.2(1)
Changed the show running-config aclmgr and show startup-config aclmgr commands to display only the user-configured ACLs (and not also the default CoPP-configured ACLs) in the running and startup configurations.
MAC ACLs
5.0(2)
Support was added for up to 128,000 ACL entries when using an XL line card, provided a scalable services license is installed.
MAC ACLs
4.2(1)
Support was added for MAC packet classification.
