ACLs are not supported in port channels.
Parameters | Default
---|---
MAC ACLs | No MAC ACLs exist by default.
ACL rules | Implicit rules apply to all ACLs.
Configuring MAC ACLs
You can create a MAC ACL and add rules to it. You can also use this procedure to add the ACL to a port profile.
Log in to the CLI in EXEC mode.
Have a name to assign to the ACL that you are creating.
Create a port profile if you want to add the ACL to it.
If you want to also add the ACL to a port profile, you must know the following:
1. switch# configure terminal
2. switch(config)# mac access-list name
3. switch(config-mac-acl)# {permit | deny} source destination protocol
4. (Optional) switch(config-mac-acl)# statistics per-entry
5. (Optional) switch(config-mac-acl)# show mac access-lists name
6. (Optional) switch(config-mac-acl)# copy running-config startup-config
The following example creates a MAC ACL:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics per-entry
switch(config-mac-acl)# show mac access-lists acl-mac-01
MAC ACL acl-mac-01
        statistics per-entry
        10 permit 00c0.4f00.0000 0000.00ff.ffff any
switch# copy running-config startup-config
You can change an existing MAC ACL, such as to add or remove rules.
Use the resequence command to reassign sequence numbers, such as when adding rules between existing sequence numbers.
1. switch# configure terminal
2. switch(config)# mac access-list name
3. (Optional) switch(config-mac-acl)# [sequence-number] {permit | deny} source destination protocol
4. (Optional) switch(config-mac-acl)# no {sequence-number | {permit | deny} source destination protocol}
5. switch(config-mac-acl)# [no] statistics per-entry
6. (Optional) switch(config-mac-acl)# show mac access-lists name
7. switch(config-mac-acl)# copy running-config startup-config
The following example changes a MAC ACL:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit f866.f222.e5a6 ffff.ffff.ffff any
switch(config-mac-acl)# no 10
switch(config-mac-acl)# no statistics per-entry
switch(config-mac-acl)# end
switch# show mac access-lists
MAC ACL acl-mac-01
        20 permit f866.f222.e5a6 ffff.ffff.ffff any
switch# copy running-config startup-config
You can remove a MAC ACL from the switch. Be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.
To find the interfaces that a MAC ACL is configured on, use the show mac access-lists command with the summary keyword.
1. switch# configure terminal
2. switch(config)# no mac access-list name
3. (Optional) switch(config)# show mac access-lists name summary
4. (Optional) switch(config)# copy running-config startup-config
The following example removes a MAC ACL:
switch# configure terminal
switch(config)# no mac access-list acl-mac-01
switch(config)# show mac access-lists acl-mac-01 summary
MAC ACL acl-mac-01
switch(config)# copy running-config startup-config
You can change sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.
Log in to the CLI in EXEC mode.
1. switch# configure terminal
2. (Optional) switch(config)# show mac access-lists name
3. switch(config)# resequence mac access-list name starting-sequence-number increment
4. (Optional) switch(config)# show mac access-lists name
5. (Optional) switch(config)# copy running-config startup-config
The following example changes sequence numbers in a MAC ACL:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# show mac access-lists acl-mac-01
MAC ACL acl-mac-01
        10 permit 00c0.4f00.0000 0000.00ff.ffff any
        20 permit f866.f222.e5a6 ffff.ffff.ffff any
switch(config)# resequence mac access-list acl-mac-01 100 10
switch(config)# show mac access-lists acl-mac-01
MAC ACL acl-mac-01
        100 permit 00c0.4f00.0000 0000.00ff.ffff any
        110 permit f866.f222.e5a6 ffff.ffff.ffff any
switch(config)# copy running-config startup-config
A MAC ACL can also be applied to a port profile that is attached to a physical Ethernet interface or a virtual Ethernet interface.
ACLs cannot be applied on port channel interfaces. However, ACLs can be applied on a physical Ethernet interface that is not part of the port channel.
1. switch# configure terminal
2. switch(config)# interface {ethernet slot-number | vethernet interface-number}
3. switch(config-if)# mac port access-group access-list [in | out]
4. (Optional) switch(config-if)# show running-config aclmgr
5. (Optional) switch(config-if)# copy running-config startup-config
The following example applies a MAC ACL as a port ACL:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# interface ethernet 1
switch(config-if)# mac port access-group acl-mac-01 in
switch(config-if)# show running-config aclmgr

!Command: show running-config aclmgr
!Time: Wed Mar 13 03:38:02 2013

version 5.2(1)SK1(2.1)
mac access-list acl-mac-01
  100 permit 00C0.4F00.0000 0000.00FF.FFFF any
  110 permit F866.F222.E5A6 FFFF.FFFF.FFFF any

interface Vethernet1
  mac port access-group acl-mac-01 in

switch(config-if)# copy running-config startup-config
Log in to the CLI in EXEC mode.
Create the MAC ACL to add to this port profile and know its name.
If you are using an existing port profile, know its name.
If you are creating a new port profile, know the interface type (Ethernet or vEthernet) and the name you want to give the profile.
Know the direction of packet flow for the access list.
1. switch# configure terminal
2. switch(config)# port-profile [type {ethernet | vethernet}] name
3. switch(config-port-prof)# mac port access-group access-list {in | out}
4. (Optional) switch(config-port-prof)# show port-profile name profile-name
5. (Optional) switch(config-port-prof)# copy running-config startup-config
The following example adds a MAC ACL to a port profile:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# port-profile vm_eth1
switch(config-port-prof)# mac port access-group acl-mac-01 out
switch(config-port-prof)# show port-profile name vm_eth1
port-profile vm_eth1
  type: Vethernet
  description:
  status: enabled
  max-ports: 32
  min-ports: 1
  inherit:
  config attributes:
    mac port access-group acl-mac-01 out
    no shutdown
  evaluated config attributes:
    mac port access-group acl-mac-01 out
    no shutdown
  assigned interfaces:
  port-group: vm_eth1
  system vlans: none
  capability l3control: no
  capability iscsi-multipath: no
  capability vxlan: no
  capability l3-vn-service: no
  port-profile role: none
  port-binding: static
switch(config-port-prof)# copy running-config startup-config
Use the following commands to verify the configuration:
Command | Purpose
---|---
show mac access-lists | Displays the MAC ACL configuration.
show mac access-lists summary | Displays a summary of all configured MAC ACLs or of a named MAC ACL.
show running-config aclmgr | Displays the ACL configuration, including MAC ACLs and the interfaces they are applied to.
show running-config interface | Displays the configuration of the interface to which you applied the ACL.
Use the following commands for MAC ACL monitoring:
Command | Purpose
---|---
show mac access-lists | Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule.
clear mac access-list counters | Clears statistics for all MAC ACLs or for a specific MAC ACL.
Configuration Examples for MAC ACLs
The following example shows how to create a MAC ACL named acl-mac-01, apply it as a port ACL on a physical Ethernet interface that is not a member of a port channel, and configure verification with match counters:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# 100 permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# 110 permit f866.f222.e5a6 ffff.ffff.ffff any
switch(config-mac-acl)# statistics per-entry
switch(config-mac-acl)# end
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# interface ethernet 3/5
switch(config-if)# mac port access-group acl-mac-01 out
switch(config-if)# show mac access-lists acl-mac-01 summary
MAC ACL acl-mac-01
        statistics per-entry
        Total ACEs Configured:2
        Configured on interfaces:
                Ethernet3/5 - egress (Port ACL)
        Active on interfaces:
                Ethernet3/5 - egress (Port ACL)
switch(config-if)# show mac access-lists acl-mac-01
MAC ACL acl-mac-01
        statistics per-entry
        100 permit 00c0.4f00.0000 0000.00ff.ffff any [match=0]
        110 permit f866.f222.e5a6 ffff.ffff.ffff any [match=546]
switch(config-if)# clear mac access-list counters
switch(config-if)# show mac access-lists acl-mac-01
MAC ACL acl-mac-01
        statistics per-entry
        100 permit 00c0.4f00.0000 0000.00ff.ffff any [match=0]
        110 permit f866.f222.e5a6 ffff.ffff.ffff any [match=0]
switch(config-if)#
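The rule syntax in the procedures above (permit | deny source destination protocol, where an address is either any or a MAC followed by a mask) and the per-rule match counters shown in the monitoring example are easiest to reason about with an offline model. The following Python script is an added example written for this page, not Cisco code: it parses the text of show mac access-lists into rules and counters, evaluates a frame's source and destination addresses against an ACL in sequence order, and lists rules whose counter is still zero. Two things are assumptions of the model rather than statements from this page: the mask is treated as a wildcard (a set bit means "ignore this bit", which is the reading under which the page's 00c0.4f00.0000 0000.00ff.ffff rule matches one OUI), and an ACL is treated as ending in an implicit deny any any. SAMPLE_OUTPUT is constructed: acl-mac-01 is copied from the page's output, acl-mac-02 is invented to show an exact-host mask and an explicit deny.

```python
# Offline model of NX-OS MAC ACL matching and counter parsing. Added example,
# not Cisco code. Assumptions: the mask is a wildcard (set bits are ignored)
# and an ACL ends with an implicit 'deny any any'. SAMPLE_OUTPUT is constructed.
import re
from dataclasses import dataclass, field
from typing import Optional

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
ACL_HEADER_RE = re.compile(r"^MAC ACL (\S+)$")
MATCH_RE = re.compile(r"\[match=(\d+)\]")
ANY_MASK = (1 << 48) - 1  # 'any': every address bit is a don't-care

def mac_to_int(mac: str) -> int:
    """Convert dotted-hex notation (00c0.4f00.0000) to a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a dotted-hex MAC: {mac!r}")
    return int(mac.replace(".", ""), 16)

@dataclass
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    src: int
    src_mask: int                   # wildcard: 1 bits are ignored when matching
    dst: int
    dst_mask: int
    protocol: Optional[str] = None  # None matches any protocol
    matches: Optional[int] = None   # [match=N] counter, present with statistics per-entry

    def hits(self, src: int, dst: int, protocol: Optional[str]) -> bool:
        """True when the frame's addresses and protocol fall inside this rule."""
        if self.protocol is not None and self.protocol != protocol:
            return False
        # XOR exposes differing bits; the wildcard mask discards the bits we do not care about.
        return ((src ^ self.src) & ~self.src_mask) == 0 and ((dst ^ self.dst) & ~self.dst_mask) == 0

@dataclass
class MacAcl:
    name: str
    per_entry_stats: bool = False
    aces: list = field(default_factory=list)

    def evaluate(self, src_mac: str, dst_mac: str, protocol: Optional[str] = None):
        """Return (action, seq) of the first matching rule, in sequence order, or
        ("deny", None) for the implicit deny that follows the configured rules."""
        src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
        for ace in sorted(self.aces, key=lambda a: a.seq):
            if ace.hits(src, dst, protocol):
                return ace.action, ace.seq
        return "deny", None

    def unused_rules(self) -> list:
        """Sequence numbers of rules whose per-entry counter reads zero."""
        return [a.seq for a in self.aces if a.matches == 0]

def _take_addr(tokens: list, i: int):
    """Consume 'any' or 'mac mask' at tokens[i]; return (addr, mask, next index)."""
    if tokens[i].lower() == "any":
        return 0, ANY_MASK, i + 1
    return mac_to_int(tokens[i]), mac_to_int(tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one rule line, e.g. '100 permit 00c0.4f00.0000 0000.00ff.ffff any [match=0]'."""
    m = MATCH_RE.search(line)
    tokens = MATCH_RE.sub("", line).split()
    seq, action = int(tokens[0]), tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action in rule: {line!r}")
    src, src_mask, i = _take_addr(tokens, 2)
    dst, dst_mask, i = _take_addr(tokens, i)
    protocol = tokens[i] if i < len(tokens) else None
    return Ace(seq, action, src, src_mask, dst, dst_mask, protocol, int(m.group(1)) if m else None)

def parse_show_mac_access_lists(text: str) -> dict:
    """Parse 'show mac access-lists' output into {acl name: MacAcl}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER_RE.match(line)
        if header:
            current = MacAcl(header.group(1))
            acls[current.name] = current
        elif current is not None and line == "statistics per-entry":
            current.per_entry_stats = True
        elif current is not None and line[:1].isdigit():
            current.aces.append(parse_ace(line))
        # other lines (blank, 'Total ACEs Configured', interface lists) are skipped
    return acls

# Constructed sample: acl-mac-01 is copied from the page's example output;
# acl-mac-02 is made up here to show an exact-host mask and an explicit deny.
SAMPLE_OUTPUT = """\
MAC ACL acl-mac-01
        statistics per-entry
        100 permit 00c0.4f00.0000 0000.00ff.ffff any [match=0]
        110 permit f866.f222.e5a6 ffff.ffff.ffff any [match=546]
MAC ACL acl-mac-02
        100 permit f866.f222.e5a6 0000.0000.0000 any
        110 deny 00c0.4f00.0000 0000.00ff.ffff any
"""
```

Under the wildcard reading, a mask of 0000.0000.0000 pins every bit (an exact host) and a mask of ffff.ffff.ffff ignores every bit, so a rule written like the page's second entry matches any source address; evaluating a frame with an unrelated source against acl-mac-01 shows it being permitted by sequence 110 rather than falling through to the implicit deny. The unused_rules output supports the monitoring workflow from the table above: clear the counters, let production traffic run, then review rules still at zero to confirm they are either intentionally dormant or no longer needed.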
Feature Name | Releases | Feature Information
---|---|---
MAC ACL | Release 5.2(1)SK1(2.1) | This feature was introduced.