The ability to filter packets in a modular and scalable way is important for both network security and network management. Access Control Lists (ACLs) provide the capability to filter packets at a fine granularity. In Metro Ethernet networks, ACLs are directly applied on Ethernet virtual circuits (EVCs).
Layer 2 Access Control Lists on EVCs is a security feature that allows packet filtering based on MAC addresses. This module describes how to implement ACLs on EVCs.
Knowledge of how service instances must be configured.
Knowledge of extended MAC ACLs and how they must be configured.
A maximum of 512 access control entries (ACEs) are allowed for a given ACL, provided that the total does not exceed the maximum number of TCAM entries.
L2 ACL is supported over port channel with Normal EFPs.
Egress L2 ACL on EVC is not supported.
L2 ACLs are not supported on Trunk EFP.
L2 ACL counters are not supported.
A Layer 2 ACL can be applied only to Layer 2 frames that carry no IPv4 or IPv6 header, because Layer 2 ACLs do not support filtering of IPv4 or IPv6 traffic.
Layer 2 ACLs function inbound only. The Layer 2 ACLs are not supported at physical interface level.
An Ethernet virtual circuit (EVC) as defined by the Metro Ethernet Forum is a port-level point-to-point or multipoint-to-multipoint Layer 2 circuit. It is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. An EVC contains the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a specified port.
Service instances are configured under a port channel. The traffic carried by the service instance is load balanced across member links. Service instances under a port channel are grouped and each group is associated with one member link. Ingress traffic for a single EVC can arrive on any member of the bundle. All egress traffic for a service instance uses only one of the member links. Load balancing is achieved by grouping service instances and assigning them to a member link.
Ethernet virtual connection services (EVCS) uses the EVCs and service instances to provide Layer 2 switched Ethernet services. EVC status can be used by a customer edge (CE) device either to find an alternative path to the service provider network or in some cases, to fall back to a backup path over Ethernet or over another alternative service such as ATM.
For information about the Metro Ethernet Forum standards, see the Standards table in the “Additional References” section.
The following points capture the relationship between ACLs and Ethernet Infrastructure (EI):
ACLs can be directly applied on an EVC using the command-line interface (CLI). An ACL is applied to a service instance, which is the instantiation of an EVC on a given port.
One ACL can be applied to more than one service instance at any time.
One service instance can have one ACL at most applied to it at any time. If a Layer 2 ACL is applied to a service instance that already has a Layer 2 ACL, the new one replaces the old one.
Only named ACLs can be applied to service instances. The existing ACL command syntax is retained; the mac access-list extended command is used to create an ACL.
The show ethernet service instance id id interface type number detail command can be used to provide details about ACLs on service instances.
Perform this task to create a Layer 2 ACL with a single ACE.
1. enable
2. configure terminal
3. mac access-list extended name
4. permit {src-mac mask | any} {dest-mac mask | any} [protocol [vlan vlan] [cos value]]
Perform this task to apply a Layer 2 ACL to a service instance. Note that packet filtering takes place only after the ACL has been created and applied to the service instance.
Before applying an ACL to a service instance, you must create it using the mac access-list extended command. See the “Creating a Layer 2 ACL” section.
1. enable
2. configure terminal
3. interface type number
4. service instance id ethernet
5. encapsulation dot1q vlan-id
6. mac access-group access-list-name in
7. bridge-domain bridge-id in
Perform this task to configure the same ACL with three ACEs and stop all other traffic on a service instance.
1. enable
2. configure terminal
3. mac access-list extended name
4. permit {src-mac mask | any} {dest-mac mask | any}
5. permit {src-mac mask | any} {dest-mac mask | any}
6. permit {src-mac mask | any} {dest-mac mask | any}
7. deny any any
8. exit
9. interface type number
10. service instance id ethernet
11. encapsulation dot1q vlan-id
12. mac access-group access-list-name in
Perform this task to verify that a Layer 2 ACL is present on an EVC. This verification task can be used after an ACL has been configured to confirm its presence.
1. enable
2. show ethernet service instance id id interface type number detail
The following example shows how to apply a Layer 2 ACL called mac-20-acl to a service instance. The ACL has five permitted ACEs and all other traffic is not allowed.
enable
configure terminal
mac access-list extended mac-20-acl
permit 00aa.bbcc.adec 0.0.0 any
permit 00aa.bbcc.bdec 0.0.0 any
permit 00aa.bbcc.cdec 0.0.0 any
permit 00aa.bbcc.edec 0.0.0 any
permit 00aa.bbcc.fdec 0.0.0 any
deny any any
exit
interface gigabitethernet 10/0/0
service instance 100 ethernet
encapsulation dot1q 100
mac access-group mac-20-acl in
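The three-ACE task above and the mac-20-acl example both rely on the same evaluation rule: ACEs are checked top down, the first match decides, and a frame that matches nothing is dropped. The following Python model is an added example, not Cisco's code and not how the platform implements ACLs in TCAM; it assumes IOS extended MAC ACL semantics (first match wins, implicit deny at the end, mask is a wildcard in which bits set to 1 are ignored) and treats the page's short 0.0.0 mask as 0000.0000.0000. The ACL text and the frames it is run against are constructed for the example.

```python
"""Offline model of first-match Layer 2 (MAC) ACL evaluation.

Added example, not Cisco's code. It assumes IOS extended MAC ACL semantics:
ACEs are checked top down, the first matching ACE decides, a frame that
matches no ACE is denied (implicit deny), and a mask is a wildcard in which
bits set to 1 are ignored. The ACL text and frames below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_BITS = 0xFFFFFFFFFFFF

def mac_to_int(mac: str) -> int:
    """Parse dotted-hex (00aa.bbcc.adec). Short groups such as the page's
    0.0.0 mask are left-padded to four hex digits (a convenience assumption),
    so 0.0.0 reads as 0000.0000.0000, an exact-match mask."""
    groups = mac.split(".")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", g) for g in groups):
        raise ValueError(f"bad MAC address or mask: {mac!r}")
    return int("".join(g.zfill(4) for g in groups), 16)

@dataclass(frozen=True)
class MacMatch:
    value: int    # address bits to compare
    ignore: int   # wildcard mask: bits set to 1 are not compared

    def matches(self, mac: int) -> bool:
        care = ~self.ignore & MAC_BITS
        return (mac & care) == (self.value & care)

ANY = MacMatch(0, MAC_BITS)

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    src: MacMatch
    dst: MacMatch
    protocol: Optional[str]  # opaque protocol token from the ACE, or None
    vlan: Optional[int]      # None means any VLAN
    cos: Optional[int]       # None means any CoS

def _operand(tokens: List[str]) -> MacMatch:
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    return MacMatch(mac_to_int(tok), mac_to_int(tokens.pop(0)))

def parse_ace(line: str) -> Ace:
    """Parse one ACE in the page's syntax:
    {permit|deny} {src mask | any} {dst mask | any} [protocol [vlan v] [cos c]]"""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    src, dst = _operand(tokens), _operand(tokens)
    protocol = vlan = cos = None
    if tokens and tokens[0] not in ("vlan", "cos"):
        protocol = tokens.pop(0)
    while tokens:
        kw, val = tokens.pop(0), tokens.pop(0)
        if kw == "vlan":
            vlan = int(val)
        elif kw == "cos":
            cos = int(val)
        else:
            raise ValueError(f"unsupported keyword {kw!r} in ACE: {line!r}")
    return Ace(action, src, dst, protocol, vlan, cos)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def evaluate(acl: List[Ace], src: str, dst: str, protocol: Optional[str] = None,
             vlan: Optional[int] = None, cos: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a frame; the first matching ACE wins."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for ace in acl:
        if (ace.src.matches(s) and ace.dst.matches(d)
                and (ace.protocol is None or ace.protocol == protocol)
                and (ace.vlan is None or ace.vlan == vlan)
                and (ace.cos is None or ace.cos == cos)):
            return ace.action
    return "deny"  # implicit deny at the end of every ACL

# Constructed copy of the mac-20-acl example above.
MAC_20_ACL = parse_acl("""
permit 00aa.bbcc.adec 0.0.0 any
permit 00aa.bbcc.bdec 0.0.0 any
permit 00aa.bbcc.cdec 0.0.0 any
permit 00aa.bbcc.edec 0.0.0 any
permit 00aa.bbcc.fdec 0.0.0 any
deny any any
""")

# Constructed ACL with no explicit deny: unmatched frames still hit the implicit deny.
PERMITS_ONLY = parse_acl("permit 00aa.bbcc.0000 0000.0000.ffff any vlan 100")

if __name__ == "__main__":
    for src in ("00aa.bbcc.adec", "00aa.bbcc.0001"):
        print(src, "->", evaluate(MAC_20_ACL, src, "ffff.ffff.ffff"))
    print("vlan 100 ->", evaluate(PERMITS_ONLY, "00aa.bbcc.1234", "ffff.ffff.ffff", vlan=100))
    print("vlan 200 ->", evaluate(PERMITS_ONLY, "00aa.bbcc.1234", "ffff.ffff.ffff", vlan=200))
```

The PERMITS_ONLY case shows why the explicit deny any any in the task is documentation rather than a change in behaviour: a frame that matches none of the permit ACEs is dropped either way. The wildcard case (0000.0000.ffff) shows how one ACE can cover a whole OUI-style range, which is worth checking against the 512-ACE and TCAM limits noted in the restrictions.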
The following example shows how to apply a Layer 2 ACL called mac-07-acl to three service instances on the same interface:
enable
configure terminal
mac access-list extended mac-07-acl
permit 00aa.bbcc.adec 0.0.0 any
permit 00aa.bbcc.bdec 0.0.0 any
permit 00aa.bbcc.cdec 0.0.0 any
deny any any
exit
interface gigabitethernet 10/0/0
service instance 100 ethernet
encapsulation dot1q 100
mac access-group mac-07-acl in
service instance 101 ethernet
encapsulation dot1q 101
mac access-group mac-07-acl in
service instance 102 ethernet
encapsulation dot1q 102
mac access-group mac-07-acl in
The following sample output displays the details of a Layer 2 ACL called test-acl on a service instance.
Device# show ethernet service instance id 100 interface gig3/0/1 detail
Service Instance ID: 100
L2 ACL (inbound): test-acl
Associated Interface: Gig3/0/1
Associated EVC: test
L2protocol drop
CEVlans:
Interface Dot1q Tunnel Ethertype: 0x8100
State: Up
L2 ACL permit count: 10255
L2 ACL deny count: 53
The table below describes the significant fields in the output.
Field | Description
---|---
Service Instance ID | Displays the service instance ID.
L2 ACL (inbound): | Displays the ACL name.
Associated Interface: | Displays the interface details of the service instance.
Associated EVC: | Displays the EVC with which the service instance is associated.
CEVlans: | Displays details of the associated VLAN ID.
State: | Displays whether the service instance is in an up or down state.
L2 ACL permit count: | Displays the number of frames allowed to pass on the service instance by the ACL.
L2 ACL deny count: | Displays the number of frames not permitted to pass on the service instance by the ACL.
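A practitioner who wants to confirm from automation that the intended ACL is applied inbound, and not silently replaced by a later mac access-group (one service instance holds at most one Layer 2 ACL), can parse the detail output field by field. The following parser is an added example and is not Cisco code; it assumes the output keeps the Name: value layout shown above, and the sample text embedded in it is the page's sample output with one field per line.

```python
"""Parse 'show ethernet service instance id <id> interface <type number> detail'
and check that the expected Layer 2 ACL is applied inbound and the instance is up.

Added example, not Cisco code. Assumes every field is a 'Name: value' line as in
the sample above; the embedded sample is that output with one field per line.
"""
from typing import Dict, Optional

# Constructed from the sample output above, one field per line.
SAMPLE_OUTPUT = """\
Service Instance ID: 100
L2 ACL (inbound): test-acl
Associated Interface: Gig3/0/1
Associated EVC: test
L2protocol drop
CEVlans:
Interface Dot1q Tunnel Ethertype: 0x8100
State: Up
L2 ACL permit count: 10255
L2 ACL deny count: 53
"""

def parse_detail(text: str) -> Dict[str, str]:
    """Map 'Field' -> 'value' for every 'Field: value' line.

    Splits on the first colon only, so values like 0x8100 or interface
    names survive intact. Lines without a colon (e.g. 'L2protocol drop')
    and fields with no value (e.g. 'CEVlans:') are stored with ''."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Device#"):
            continue  # skip blank lines and the echoed CLI prompt
        name, sep, value = line.partition(":")
        fields[name.strip()] = value.strip() if sep else ""
    return fields

def _count(fields: Dict[str, str], key: str) -> Optional[int]:
    v = fields.get(key)
    return int(v) if v is not None and v.isdigit() else None

def check_l2_acl(text: str, expected_acl: str) -> Dict[str, object]:
    """Summarise whether expected_acl is the inbound L2 ACL and the EFP is up."""
    f = parse_detail(text)
    applied = f.get("L2 ACL (inbound)", "")
    return {
        "acl_present": applied == expected_acl,
        "applied_acl": applied or None,          # None when no ACL line at all
        "state_up": f.get("State", "").lower() == "up",
        "permits": _count(f, "L2 ACL permit count"),
        "denies": _count(f, "L2 ACL deny count"),
    }

if __name__ == "__main__":
    print(check_l2_acl(SAMPLE_OUTPUT, "test-acl"))
    print(check_l2_acl(SAMPLE_OUTPUT, "mac-20-acl"))
```

The applied_acl field is what to alert on: if it is None the service instance carries no Layer 2 ACL, and if it names a different ACL than expected, a later mac access-group command replaced the one you intended, which is the replacement behaviour described in the ACL and EVC relationship notes above.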
The following sample output displays the details of a configured Layer 2 ACL.
Device# show access-lists
Extended IP access list ip-acl
    10 permit ip any any
Extended MAC access list mac-acl
    permit any any vlan 10
Device#
Device# sh access-lists mac-acl
Extended MAC access list mac-acl
    permit any any vlan 10