Configuring MAC ACLs

This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices.

Information About MAC ACLs

MAC ACLs are ACLs that use information in the Layer 2 header of packets to filter traffic. MAC ACLs share many fundamental concepts with IP ACLs, including support for virtualization.

MAC Packet Classification

MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.

MAC packet classification does not work on the Layer 3 control plane protocols such as HSRP, VRRP, OSPF, and so on. If you enable MAC packet classification on the VLANs, the basic functionalities will break on these protocols.

MAC Packet Classification State Effect on Interface

Enabled

  • A MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic.

  • You can apply an IP port ACL on the interface, but it will not filter traffic.

Disabled

  • A MAC ACL that is on the interface applies only to non-IP traffic entering the interface.

  • You can apply an IP port ACL on the interface and it will filter traffic.

Default Settings for MAC ACLs

This table lists the default settings for MAC ACL parameters.

Table 1. Default MAC ACLs Parameters

Parameters

Default

MAC ACLs

No MAC ACLs exist by default

ACL rules

Implicit rules apply to all ACLs

Guidelines and Limitations for MAC ACLs

MAC ACLs have the following configuration guidelines and limitations:

  • MAC ACLs apply to ingress traffic only.

  • Due to a hardware limitation, MAC ACL does not filter ARP packets on Cisco Nexus 3500 platform switches.

Configuring MAC ACLs

Creating a MAC ACL

You can create a MAC ACL and add rules to it.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# mac access-list name

Creates the MAC ACL and enters ACL configuration mode.

Step 3

switch(config-mac-acl)# {permit | deny} source destination protocol

Creates a rule in the MAC ACL.

The permit and deny commands support many ways of identifying traffic.

Step 4

(Optional) switch(config-mac-acl)# statistics per-entry

(Optional)

Specifies that the device maintains global statistics for packets that match the rules in the ACL.

Step 5

(Optional) switch(config-mac-acl)# show mac access-lists name

(Optional)

Displays the MAC ACL configuration.

Step 6

(Optional) switch(config-mac-acl)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Example

This example shows how to create a MAC ACL: 

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics per-entry
switch(config-mac-acl)# show mac access-lists acl-mac-01

MAC ACL acl-mac-01
        statistics per-entry
        10 permit 00c0.4f00.0000 0000.00ff.ffff any

switch(config-mac-acl)# copy running-config startup-config

Changing a MAC ACL

You can remove a MAC ACL from the device.

Before you begin

Use the show mac access-lists command with the summary keyword to find the interfaces that a MAC ACL is configured on.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# mac access-list name

Enters ACL configuration mode for the ACL that you specify by name.

Step 3

(Optional) switch(config-mac-acl)# [sequence-number] {permit | deny} source destination protocol

(Optional)

Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.

The permit and deny commands support many ways of identifying traffic.

Step 4

(Optional) switch(config-mac-acl)# no {sequence-number | {permit | deny} source destination protocol}

(Optional)

Removes the rule that you specify from the MAC ACL.

The permit and deny commands support many ways of identifying traffic.

Step 5

(Optional) switch(config-mac-acl)# [no] statistics per-entry

(Optional)

Specifies that the device maintains global statistics for packets that match the rules in the ACL.

The no option stops the device from maintaining global statistics for the ACL.

Step 6

(Optional) switch(config-mac-acl)# show mac access-lists name

(Optional)

Displays the MAC ACL configuration.

Step 7

(Optional) switch(config-mac-acl)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Example

This example shows how to change a MAC ACL: 

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# 100 permit 00c0.4f00.00 0000.00ff.ffff any
switch(config-mac-acl)# 80 permit 00c0.4f00.00 0000.00ff.ffff any
switch(config-mac-acl)# no 80
switch(config-mac-acl)# statistics per-entry
switch(config-mac-acl)# show mac access-lists acl-mac-01

MAC ACL acl-mac-01
        statistics per-entry
        10 permit 00c0.4f00.0000 0000.00ff.ffff any
        100 permit 00c0.4f00.0000 0000.00ff.ffff any

switch(config-mac-acl)# copy running-config startup-config

Changing Sequence Numbers in a MAC ACL

You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# resequence mac access-list name starting-sequence-number increment

Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the number specified by the starting-sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment number that you specify.

Step 3

(Optional) switch(config)# show mac access-lists name

(Optional)

Displays the MAC ACL configuration.

Step 4

(Optional) switch(config)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Example

This example shows how to change the sequence of a MAC ACL: 

switch# configure terminal
switch(config)# resequence mac access-list acl-mac-01 100 15
switch(config)# show mac access-lists acl-mac-01

MAC ACL acl-mac-01
        statistics per-entry
        100 permit 00c0.4f00.0000 0000.00ff.ffff any
        115 permit 00c0.4f00.0000 0000.00ff.ffff any

switch(config)# copy running-config startup-config

Removing a MAC ACL

You can remove a MAC ACL from the device.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# no mac access-list name

Removes the MAC ACL that you specify by name from the running configuration.

Step 3

(Optional) switch(config)# show mac access-lists name summary

(Optional)

Displays the MAC ACL configuration. If the ACL remains applied to an interface, the command lists the interfaces.

Step 4

(Optional) switch(config)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Example

This example shows how to remove a MAC ACL: 

switch# configure terminal
switch(config)# show mac access-lists

MAC ACL acl-mac-01
        statistics per-entry
        100 permit 00c0.4f00.0000 0000.00ff.ffff any
        115 permit 00c0.4f00.0000 0000.00ff.ffff any
MAC ACL acl-mac-02
        statistics per-entry
        10 permit 00a0.3f00.0000 0000.00dd.ffff any
MAC ACL acl-mac-03
        statistics per-entry
        10 permit 00b0.5f00.0000 0000.00aa.fbbf any

switch(config)# no mac access-list acl-mac-02
switch(config)# show mac access-lists acl-mac-02 summary
switch(config)# show mac access-lists

MAC ACL acl-mac-01
        statistics per-entry
        100 permit 00c0.4f00.0000 0000.00ff.ffff any
        115 permit 00c0.4f00.0000 0000.00ff.ffff any
MAC ACL acl-mac-03
        statistics per-entry
        10 permit 00b0.5f00.0000 0000.00aa.fbbf any

switch(config)# copy running-config startup-config

Applying a MAC ACL as a Port ACL

You can apply a MAC ACL as a port ACL to any of the following interface types:

  • Layer 2 or Layer 3 Ethernet interfaces

  • Layer 2 or Layer 3 port-channel interfaces

Before you begin

Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

Enter one of the following commands:

  • switch(config)# interface ethernet slot/port
  • switch(config)# interface port-channel channel-number

  • Enters interface configuration mode for a Layer 2 or Layer 3 interface.

  • Enters interface configuration mode for a Layer 2 or Layer 3 port-channel interface.

Step 3

switch(config-if)# mac port access-group access-list

Applies a MAC ACL to the interface.

Step 4

(Optional) switch(config-if)#show running-config aclmgr

(Optional)

Displays ACL configuration.

Step 5

(Optional) switch(config-if)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Example

This example shows how to apply a MAC ACL as a port ACL to an Ethernet interface: 

switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# mac port access-group acl-mac-01
switch(config-if)# show running-config aclmgr

!Command: show running-config aclmgr
!Time: Sat Jul 19 23:36:04 2014

version 6.0(2)A4(1)
mac access-list acl-mac-01
  statistics per-entry
  100 permit 00C0.4F00.0000 0000.00FF.FFFF any
  115 permit 00C0.4F00.0000 0000.00FF.FFFF any
mac access-list acl-mac-03
  statistics per-entry
  10 permit 00B0.5F00.0000 0000.00AA.FBBF any
ip access-list copp-system-acl-bfd
  10 permit udp any any eq 3784
ip access-list copp-system-acl-eigrp
  10 permit eigrp any any
ip access-list copp-system-acl-ftp
  10 permit tcp any any eq ftp-data
  20 permit tcp any any eq ftp
  30 permit tcp any eq ftp-data any
  40 permit tcp any eq ftp any

...

interface Ethernet1/3
  mac port access-group acl-mac-01

switch(config-if)# copy running-config startup-config

This example shows how to apply a MAC ACL as a port ACL to a port-channel interface: 

switch# configure terminal
switch(config)# interface port-channel 5
switch(config-if)# mac port access-group acl-mac-01
switch(config-if)# show running-config aclmgr

!Command: show running-config aclmgr
!Time: Sat Jul 19 23:37:04 2014

version 6.0(2)A4(1)
mac access-list acl-mac-01
  statistics per-entry
  100 permit 00C0.4F00.0000 0000.00FF.FFFF any
  115 permit 00C0.4F00.0000 0000.00FF.FFFF any
mac access-list acl-mac-03
  statistics per-entry
  10 permit 00B0.5F00.0000 0000.00AA.FBBF any
ip access-list copp-system-acl-bfd
  10 permit udp any any eq 3784
ip access-list copp-system-acl-eigrp
  10 permit eigrp any any
ip access-list copp-system-acl-ftp
  10 permit tcp any any eq ftp-data
  20 permit tcp any any eq ftp
  30 permit tcp any eq ftp-data any
  40 permit tcp any eq ftp any


...

interface port-channel5
  mac port access-group acl-mac-01

switch(config-if)# copy running-config startup-config

Enabling or Disabling MAC Packet Classification

You can enable or disable MAC packet classification on a per VLAN basis.

Procedure

  Command or Action Purpose

Step 1

config t

Example:

switch# config t
switch(config)#

Enters global configuration mode.

Step 2

vlan vlan-number

Example:

switch(config)# vlan 10
switch(config-vlan)#

Creates a VLAN interface. The number range is from 1 to 4094.

Step 3

[no] mac packet-classify

Example:

switch(config-vlan)# mac packet-classify
switch(config-vlan)#

Enables MAC packet classification on the vlan. The no option disables MAC packet classification on the vlan.

Step 4

exit

Example:

switch(config-vlan)# exit
switch(config)#

Exits the vlan configuration.

Step 5

(Optional) show running-config vlan vlan-number

(Optional)

Displays the running configuration.

Example

This example shows how to enable MAC packet classification on a per VLAN basis: 

switch# configure terminal
switch(config)# vlan 50
switch(config-vlan)# mac packet-classify
switch(config-vlan)# exit
switch(config)# show running-config vlan 50

!Command: show running-config interface Vlan50
!Time: Wed Aug  6 20:39:03 2014

version 6.0(2)A4(1)

interface Vlan50
  mac packet-classify

switch(config-if)# copy running-config startup-config

Verifying the MAC ACL Configuration

To display MAC ACL configuration information, perform one of the following tasks.

Command

Purpose

show mac access-lists

Displays the MAC ACL configuration.

show running-config aclmgr [all]

Displays the ACL configuration, including MAC ACLs and the interfaces to which MAC ACLs are applied.

Note

 

The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.

show startup-config aclmgr [all]

Displays the ACL startup configuration.

Note

 

The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.

Clearing MAC ACL Statistics

You can clear MAC ACL statistics by using the clear mac access-list counters command

Command Purpose

clear mac access-list counters

Clears statistics for all MAC ACLs or for a specific MAC ACL.

Configuring Unicast RPF

This chapter describes how to configure rate limits for egress traffic on Cisco NX-OS devices and includes the following sections:.

Information About Unicast RPF

The Unicast RPF feature reduces problems that are caused by the introduction of malformed or forged (spoofed) IPv4 source addresses into a network by discarding IPv4 packets that lack a verifiable IP source address. For example, a number of common types of Denial-of-Service (DoS) attacks, including Smurf and Tribal Flood Network (TFN) attacks, can take advantage of forged or rapidly changing source IPv4 addresses to allow attackers to thwart efforts to locate or filter the attacks. Unicast RPF deflects attacks by forwarding only the packets that have source addresses that are valid and consistent with the IP routing table.

When you enable Unicast RPF on an interface, the switch examines all ingress packets received on that interface to ensure that the source address and source interface appear in the routing table and match the interface on which the packet was received. This examination of source addresses relies on the Forwarding Information Base (FIB).


Note

Unicast RPF is an ingress function and is applied only on the ingress interface of a switch at the upstream end of a connection.

Unicast RPF verifies that any packet received at a switch interface arrives on the best return path (return route) to the source of the packet by doing a reverse lookup in the FIB. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same interface from which the packet was received, the source address might have been modified by the attacker. If Unicast RPF does not find a reverse path for the packet, the packet is dropped.


Note

With Unicast RPF, all equal-cost “best” return paths are considered valid, which means that Unicast RPF works where multiple return paths exist, if each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Interior Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.

Unicast RPF

The Unicast Reverse Path Forwarding (RPF) feature reduces problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For example, a number of common types of Denial-of-Service (DoS) attacks, including Smurf and Tribal Flood Network (TFN) attacks, can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. Unicast RPF deflects attacks by forwarding only the packets that have source addresses that are valid and consistent with the IP routing table.

Global Statistics

Each time the Cisco NX-OS device drops a packet at an interface due to a failed unicast RPF check, that information is counted globally on the device on a per-forwarding engine (FE) basis. Global statistics on dropped packets provide information about potential attacks on the network, but they do not specify which interface is the source of the attack. Per-interface statistics on packets dropped due to a failed unicast RPF check are not available.

Guidelines and Limitations for Unicast RPF

Unicast RPF has the following configuration guidelines and limitations:

  • In Warp mode that is unique to Cisco Nexus 3548 Series switches, when URPF is enabled, the number of multicast entries is halved from 8k to 4k. Similarly, the number of host entries is also halved from 8k to 4k. In Normal mode, the number of LPM entries supported is halved (from 24k to 12k) but this is similar to that in Cisco Nexus 3000 Series switches.

  • You must apply Unicast RPF at the interface downstream from the larger portion of the network, preferably at the edges of your network.

  • The further downstream that you apply Unicast RPF, the finer the granularity you have in mitigating address spoofing and in identifying the sources of spoofed addresses. For example, applying Unicast RPF on an aggregation device helps to mitigate attacks from many downstream networks or clients and is simple to administer, but it does not help identify the source of the attack. Applying Unicast RPF at the network access server helps limit the scope of the attack and trace the source of the attack; however, deploying Unicast RPF across many sites does add to the administration cost of operating the network.

  • The more entities that deploy Unicast RPF across Internet, intranet, and extranet resources, means that the better the chances are of mitigating large-scale network disruptions throughout the Internet community, and the better the chances are of tracing the source of an attack.

  • Unicast RPF will not inspect IP packets that are encapsulated in tunnels, such as generic routing encapsulation (GRE) tunnels. You must configure Unicast RPF at a home gateway so that Unicast RPF processes network traffic only after the tunneling and encryption layers have been stripped off the packets.

  • You can use Unicast RPF in any “single-homed” environment where there is only one access point out of the network or one upstream connection. Networks that have one access point provide symmetric routing, which means that the interface where a packet enters the network is also the best return path to the source of the IP packet.

  • Do not use Unicast RPF on interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, which means that multiple routes to the source of a packet exist. You should configure Unicast RPF only where there is natural or configured symmetry. Do not configure strict Unicast RPF.

  • Unicast RPF allows packets with 0.0.0.0 source and 255.255.255.255 destination to pass so that the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol (DHCP) can operate correctly.

Default Settings for Unicast RPF

This table lists the default settings for Unicast RPF parameters.

Table 2. Default Unicast RPF Parameter Settings

Parameters

Default

Unicast RPF

Disabled

Configuring Unicast RPF

You can configure one of the following Unicast RPF modes on an ingress interface:

Strict Unicast RPF mode
A strict mode check is successful when Unicast RFP finds a match in the FIB for the packet source address and the ingress interface through which the packet is received matches one of the Unicast RPF interfaces in the FIB match. If this check fails, the packet is discarded. You can use this type of Unicast RPF check where packet flows are expected to be symmetrical.
Loose Unicast RPF mode
A loose mode check is successful when a lookup of a packet source address in the FIB returns a match and the FIB result indicates that the source is reachable through at least one real interface. The ingress interface through which the packet is received is not required to match any of the interfaces in the FIB result.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

(Optional) hardware profile forwarding-mode warp lpm-entry lpm-limit host-entry host-entry-limit l2-entry l2-entry limit mcast-entry mcast-entry-limit

Example:

switch(config)# hardware profile forwarding-mode warp lpm-entry 4096 host-entry 4096 l2-entry 8192 mcast-entry 4096
 (Optional)

Configures the specified carve value for lpm-entry, host-entry, and mcast-entry in forwarding-mode. For more details on the TCAM carve value of wrap mode, see .

Note

 

This command is applicable only for wrap mode when URPF is enabled.

Step 3

[no] system urpf disable

Example:

switch(config)# no system urpf disable

Enables Unicast RPF on the switch.

Note

 

You must reload the Cisco NX-OS switch to apply the Unicast RPF configuration.

Step 4

interface ethernet slot/port

Example:

switch(config)# interface ethernet 1/3
switch(config-if)#

Specifies an Ethernet interface and enters interface configuration mode.

Step 5

ip verify unicast source reachable-via {any [allow-default] | rx}

Example:

switch(config-if)# ip verify unicast source reachable-via any

Configures Unicast RPF on the interface for IPv4.

The any keyword specifies loose Unicast RPF.

If you specify the allow-default keyword, the source address lookup can match the default route and use that for verification.

The rx keyword specifies strict Unicast RPF.

Step 6

exit

Example:

switch(config-cmap)# exit
switch(config)#

Exits class map configuration mode.

Step 7

(Optional) show ip interface ethernet slot/port

Example:

switch(config)# show ip interface ethernet 1/3
 (Optional)

Displays the IP information for an interface.

Step 8

(Optional) show running-config interface ethernet slot/port

Example:

switch(config)# show running-config interface ethernet 1/3
 (Optional)

Displays the configuration for an interface in the running configuration.

Step 9

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
 (Optional)

Copies the running configuration to the startup configuration.

Configuration Examples for Unicast RPF

The following example shows how to configure loose Unicast RFP for IPv4 packets: 

no system urpf disable
interface Ethernet1/3
  ip address 172.23.231.240/23
  ip verify unicast source reachable-via any

The following example shows how to configure strict Unicast RPF for IPv4 packets: 

no system urpf disable
interface Ethernet1/2
  ip address 172.23.231.240/23
  ip verify unicast source reachable-via rx

Verifying the Unicast RPF Configuration

To display Unicast RPF configuration information, perform one of the following tasks:

Command

Purpose

show running-config interface ethernet slot/port

Displays the interface configuration in the running configuration.

show running-config ip [all]

Displays the IPv4 configuration in the running configuration.

show startup-config interface ethernet slot/port

Displays the interface configuration in the startup configuration.

show startup-config ip

Displays the IP configuration in the startup configuration.