Configuring a MAC ACL
This chapter describes how to configure MAC access control lists (ACLs), and includes the following sections:
•Information About MAC ACLs
•Prerequisites for MAC ACLs
•Guidelines and Limitations
•Default Settings
•Configuring MAC ACLs
•Verifying MAC ACL Configurations
•Monitoring MAC ACLs
•Example Configurations for MAC ACLs
•Additional References
•Feature History for MAC ACL
Information About MAC ACLs
MAC ACLs are ACLs that filter traffic using information in the Layer 2 header of each packet.
Prerequisites for MAC ACLs
MAC ACLs have the following prerequisites:
•You are familiar with MAC addressing and non-IP protocols to configure MAC ACLs.
•You are familiar with the concepts in the "Information About ACLs" section.
Guidelines and Limitations
MAC ACLs have the following configuration guidelines and limitations:
•In most cases, ACL processing for IP packets is performed on the I/O modules. Management interface traffic is always processed on the supervisor module, which is slower.
•ACLs are not supported in port channels.
Default Settings
Table 10-1 lists MAC ACL defaults.

| Parameters | Default |
|---|---|
| MAC ACLs | No MAC ACLs exist by default |
| ACL rules | Implicit rules apply to all ACLs (see the "Implicit Rules" section) |
Configuring MAC ACLs
This section includes the following topics:
•Creating a MAC ACL
•Changing a MAC ACL
•Removing a MAC ACL
•Changing Sequence Numbers in a MAC ACL
•Applying a MAC ACL as a Port ACL
•Adding a MAC ACL to a Port Profile
Creating a MAC ACL
Use this procedure to create a MAC ACL and add rules to it. You can also use this procedure to add the ACL to a port profile.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have a name to assign to the ACL you are creating.
•If you want to also add the ACL to a port-profile, you must know or do the following:
–If using an existing port profile, you have already created it using the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.2(1)SV1(4); and you know its name.
–If creating a new port profile, you know the interface type (Ethernet or vEthernet) and the name you want to give the profile.
–You know the direction of packet flow for the access list.
SUMMARY STEPS
1. config t
2. mac access-list name
3. {permit | deny} source destination protocol
4. statistics per-entry
5. show mac access-lists name
6. copy running-config startup-config
DETAILED STEPS
Changing a MAC ACL
Use this procedure to change an existing MAC ACL, for example, to add or remove rules.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•In an existing MAC ACL, you cannot change existing rules.
•In an existing MAC ACL, you can add and remove rules.
•Use the resequence command to reassign sequence numbers, such as when adding rules between existing sequence numbers.
SUMMARY STEPS
1. config t
2. mac access-list name
3. [sequence-number] {permit | deny} source destination protocol
4. no {sequence-number | {permit | deny} source destination protocol}
5. [no] statistics per-entry
6. show mac access-lists name
7. copy running-config startup-config
DETAILED STEPS
Removing a MAC ACL
Use this procedure to remove a MAC ACL.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Make sure that you know whether the ACL is applied to an interface.
•You can remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, removed ACLs are considered empty.
•To find the interfaces that a MAC ACL is configured on, use the show mac access-lists command with the summary keyword.
SUMMARY STEPS
1. config t
2. no mac access-list name
3. show mac access-lists name summary
4. copy running-config startup-config
DETAILED STEPS
Changing Sequence Numbers in a MAC ACL
Use this procedure to change sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers. For more information, see the "Changing Sequence Numbers in a MAC ACL" section.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
SUMMARY STEPS
1. config t
2. resequence mac access-list name starting-sequence-number increment
3. show mac access-lists name
4. copy running-config startup-config
DETAILED STEPS
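The following model, added here and not part of the Cisco guide, shows how a rule written in the {permit | deny} source destination protocol syntax of the "Creating a MAC ACL" procedure is evaluated, how the implicit deny at the end of the list applies, and what the resequence command of this procedure does to rule numbers. The address-plus-wildcard reading of source and destination (a 1 bit in the wildcard means "ignore this bit") and the ACL_MAC_01 sample are assumptions of this example; the protocol keywords are plain strings, not a validated list.

```python
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFFFFFF  # a MAC address is 48 bits wide


def mac_to_int(mac: str) -> int:
    """Convert dotted NX-OS notation such as 00c0.4f00.0000 to an integer."""
    return int(mac.replace(".", ""), 16)


def parse_spec(tokens: list) -> object:
    """Consume 'any' or 'address wildcard' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return "any"
    return (mac_to_int(tokens.pop(0)), mac_to_int(tokens.pop(0)))


@dataclass
class Rule:
    seq: int
    action: str      # "permit" or "deny"
    src: object      # "any" or (address, wildcard)
    dst: object      # "any" or (address, wildcard)
    protocol: str    # "any" when the rule omits the protocol


def parse_rule(seq: int, line: str) -> Rule:
    """Parse one rule: {permit | deny} source destination [protocol]."""
    tokens = line.split()
    action = tokens.pop(0)
    src, dst = parse_spec(tokens), parse_spec(tokens)
    return Rule(seq, action, src, dst, tokens[0] if tokens else "any")


def matches(spec: object, value: int) -> bool:
    """Bits set in the wildcard are ignored; all other bits must equal the address."""
    if spec == "any":
        return True
    addr, wild = spec
    return ((value ^ addr) & (ALL_ONES ^ wild)) == 0


def evaluate(rules: list, src: str, dst: str, protocol: str = "any") -> tuple:
    """Return (action, seq) of the first matching rule, or the implicit deny."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for rule in sorted(rules, key=lambda r: r.seq):
        if matches(rule.src, s) and matches(rule.dst, d) and rule.protocol in ("any", protocol):
            return rule.action, rule.seq
    return "deny", None  # implicit rule at the end of every MAC ACL


def resequence(rules: list, start: int, increment: int) -> None:
    """Renumber rules in order, as 'resequence mac access-list name start increment' does."""
    for i, rule in enumerate(sorted(rules, key=lambda r: r.seq)):
        rule.seq = start + i * increment


# Constructed sample mirroring acl-mac-01 from Example 10-1 (assumption).
ACL_MAC_01 = [parse_rule(10, "permit 00c0.4f00.0000 0000.00ff.ffff any")]
```

The wildcard 0000.00ff.ffff leaves only the first three bytes significant, so the sample rule permits every source address in the 00c0.4f OUI and the implicit rule denies all other frames.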
Applying a MAC ACL as a Port ACL
Use this procedure to apply a MAC ACL as a port ACL.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Make sure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application. For more information about configuring MAC ACLs, see the "Configuring MAC ACLs" section.
•A MAC ACL can also be applied to a port using a port profile. For information about port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.2(1)SV1(4).
SUMMARY STEPS
1. config t
2. interface vethernet port
3. mac port access-group access-list [in | out]
4. show running-config aclmgr
5. copy running-config startup-config
DETAILED STEPS
Adding a MAC ACL to a Port Profile
Use this procedure to add a MAC ACL to a port profile.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have already created the MAC ACL to add to this port profile using the "Creating a MAC ACL" procedure, and you know its name.
•If using an existing port profile, you have already created it and you know its name.
•If creating a new port profile, you know the interface type (Ethernet or vEthernet) and the name you want to give the profile.
•For more information about port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.2(1)SV1(4).
•You know the direction of packet flow for the access list.
SUMMARY STEPS
1. config t
2. port-profile [type {ethernet | vethernet}] profile-name
3. mac port access-group name {in | out}
4. show port-profile [brief | expand-interface | usage] [name profile-name]
5. copy running-config startup-config
DETAILED STEPS
Verifying MAC ACL Configurations
You can use the following commands to verify the MAC ACL configuration:

| Command | Purpose |
|---|---|
| show mac access-lists | Displays the MAC ACL configuration. See Example 10-1. |
| show running-config aclmgr | Displays the ACL configuration, including MAC ACLs and the interfaces they are applied to. See Example 10-2. |
| show running-config interface | Displays the configuration of the interface to which you applied the ACL. See Example 10-3. |
Example 10-1 show mac access-list
n1000v# show mac access-list
MAC access list acl-mac-01
        10 permit 00c0.4f00.0000 0000.00ff.ffff any
n1000v#
Example 10-2 show running-config aclmgr
n1000v# show running-config aclmgr
!Command: show running-config aclmgr
!Time: Mon Jan 3 15:53:50 2011
version 4.2(1)SV1(4)
mac access-list acl-mac-01
  10 permit 00c0.4f00.0000 0000.00ff.ffff any
interface Vethernet35
  mac port access-group acl-mac-01 in
n1000v#
Example 10-3 show running-config interface
n1000v# show running-config interface
!Command: show running-config interface
!Time: Mon Jan 3 15:58:25 2011
version 4.2(1)SV1(4)
interface mgmt0
  ip address 172.23.180.75/24
interface Vethernet35
  mac port access-group acl-mac-01 in
interface Vethernet1998
interface control0
  ip address 10.2.10.10/24
n1000v#
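As an added verification aid that is not part of the Cisco guide, the following parser reads output in the shape of Example 10-2 (show running-config aclmgr), maps each MAC ACL to its rules and each interface to the port ACL applied on it, and flags interfaces whose access-group names an ACL that is no longer defined; the "Removing a MAC ACL" procedure notes that such a removed ACL is treated as empty, which is worth reviewing. The SAMPLE text is constructed, and Vethernet36 and acl-mac-02 are invented for the dangling case.

```python
import re

# Constructed sample in the format of Example 10-2 (not real device output).
SAMPLE = """\
!Command: show running-config aclmgr
!Time: Mon Jan 3 15:53:50 2011

version 4.2(1)SV1(4)
mac access-list acl-mac-01
  10 permit 00c0.4f00.0000 0000.00ff.ffff any
  20 deny any any

interface Vethernet35
  mac port access-group acl-mac-01 in
interface Vethernet36
  mac port access-group acl-mac-02 out
"""


def parse_aclmgr(text: str) -> tuple:
    """Return (acls, bindings): acl name -> [(seq, action, rest)],
    interface -> (acl name, direction)."""
    acls, bindings = {}, {}
    context = None  # ("acl", name) or ("iface", name) for the current block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and !Command/!Time banner lines
        m = re.match(r"mac access-list (\S+)$", line)
        if m:
            context = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            context = ("iface", m.group(1))
            continue
        m = re.match(r"(\d+) (permit|deny) (.+)$", line)
        if m and context and context[0] == "acl":
            acls[context[1]].append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = re.match(r"mac port access-group (\S+) (in|out)$", line)
        if m and context and context[0] == "iface":
            bindings[context[1]] = (m.group(1), m.group(2))
    return acls, bindings


def dangling_bindings(acls: dict, bindings: dict) -> list:
    """Interfaces whose applied MAC ACL does not appear in the configuration."""
    return sorted(iface for iface, (acl, _) in bindings.items() if acl not in acls)
```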
Monitoring MAC ACLs
Use the following commands for MAC ACL monitoring.
Example Configurations for MAC ACLs
This example shows how to create MAC ACL acl-mac-01 to permit MAC 00c0.4f00.0000 0000.00ff.ffff for any protocol, and apply the ACL as a port ACL for outbound traffic on vEthernet interface 35.
config t
mac access-list acl-mac-01
permit 00c0.4f00.0000 0000.00ff.ffff any
interface vethernet 35
mac port access-group acl-mac-01 out
This example shows how to add the MAC ACL allaccess4 to the port profile AccessProf:
config t
port-profile AccessProf
mac port access-group allaccess4 out
show port-profile name AccessProf
port-profile AccessProf
  description: allaccess4
  type: vethernet
  status: disabled
  capability l3control: no
  pinning control-vlan: -
  pinning packet-vlan: -
  system vlans: none
  port-group:
  max ports: 32
  inherit:
  config attributes:
    mac port access-group allaccess4 out
  evaluated config attributes:
    mac port access-group allaccess4 out
  assigned interfaces:
Additional References
For additional information related to implementing MAC ACLs, see the following sections:
Related Documents
Standards

| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |
Feature History for MAC ACL
This section provides the MAC ACL release history.

| Feature Name | Releases | Feature Information |
|---|---|---|
| MAC ACL | 4.0(4)SV1(1) | This feature was introduced. |