Configuring MAC ACLs

This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices.

MAC ACLs

A MAC access control list (ACL)

  • filters network traffic using information in the Layer 2 header.

  • works like an IP access control list (ACL) and supports virtualization.

  • applies filtering based on MAC addresses instead of IP addresses.

MAC Packet classification

MAC packets have the following characteristics:

  • They are identified and filtered using MAC ACLs at Layer 2 interfaces.

  • They can be classified to affect how traffic, both Internet Protocol (IP) and non-IP, is handled.

  • This classification enables differentiated control over interface access for security and policy enforcement.

Media Access Control (MAC) packet classification determines whether a Media Access Control access control list (MAC ACL) on a Layer 2 interface applies to all incoming traffic, including Internet Protocol (IP) traffic, or applies only to non-Internet Protocol (non-IP) traffic.

MAC Packet Classification State    Effect on the interface

Enabled

  • A MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic.

  • You can apply an IP port ACL to the interface.

Disabled

  • A MAC ACL that is on the interface applies only to non-IP traffic entering the interface.

  • You can apply an IP port ACL to the interface.

Licensing Requirements for MAC ACLs

This table shows the licensing requirements for this feature.

Product         License Requirement

Cisco NX-OS     MAC ACLs require no license. Any feature not included in a license package is bundled with the NX-OS image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for MAC ACLs

MAC ACLs have the following configuration guidelines and limitations:

  • MAC ACLs apply to ingress traffic only.

  • If you try to apply too many ACL entries, the configuration might be rejected.

  • MAC packet classification is not supported when a MAC ACL is applied as part of a VACL.

  • MAC packet classification is not supported when MAC ACLs are used as match criteria for QoS policies on Cisco Nexus 9300 Series switch 40G uplink ports.

  • When you define a MAC ACL on the Cisco Nexus 9000 first-generation and 9300-EX switches, you must define the ethertype for the traffic to be appropriately matched. For Cisco Nexus 9300-FX and later release switches, the “all” keyword is available which replaces the need to specify the ethertype.

  • The mac packet-classify knob is partially supported on Cisco Nexus 9300-EX platform switches. Because the hardware has no direct field for marking a packet as an L2 packet, these switches match all packets on certain key fields, such as src_mac, dst_mac, and vlan, but they cannot match on the eth_type field. Therefore, if you install two rules whose fields are identical except for the MAC protocol number, the match conditions are identical in hardware: the first entry in the rule sequence is hit by packets of every protocol number, and the MAC protocol number is a no-op when mac packet-classify is configured.

Default Settings for MAC ACLs

Use this table to find the default settings for MAC ACL parameters.

Table 1. Default MAC ACLs parameters

Parameters     Default

MAC ACLs       By default, no MAC ACLs are configured.

ACL rules      Implicit rules are applied to all access control lists.

Configuring MAC ACLs

Create a MAC ACL

You define and configure a MAC access control list to filter traffic based on MAC addresses.

You can use this task to create and configure a MAC access control list (ACL) that includes permit or deny rules in the command-line interface (CLI).

Before you begin

Access the global configuration mode on the NX-OS device.

Procedure


Step 1

Enter global configuration mode by using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Create the MAC ACL and enter ACL configuration mode by using the mac access-list name command.

Example:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)#

Note

The names dynamic, expanded, and summary are reserved for system-defined access lists. Do not use these names for user-defined ACLs, as this can cause conflicts when displaying or verifying your configuration.

Step 3

Create a rule in the MAC access control list by using the { permit | deny } source destination protocol command.

Example:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# 100 permit mac 00c0.4f00.0000 0000.00ff.ffff any 0x0806

The permit and deny commands support many ways of identifying traffic.

Step 4

(Optional) Specify that the device collects global statistics for packets matching the ACL rules by using the statistics per-entry command.

Example:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# statistics per-entry

Step 5

(Optional) Display the MAC ACL configuration by using the show mac access-lists name command.

Example:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# show mac access-lists acl-mac-01

Step 6

(Optional) Save the configuration by using the copy running-config startup-config command.

Example:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# copy running-config startup-config

You create and configure the MAC access control list with the specified rules. Apply the list to interfaces or verify its configuration.

Modify a MAC ACL

You can use this task to modify a MAC ACL on your device.

Modify a MAC ACL by completing these steps:

Before you begin

Use the show mac access-lists command with the summary keyword. Find the interfaces that have a MAC ACL configured.

Procedure


Step 1

Enter the global configuration mode by using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Enter MAC ACL configuration mode for the target ACL by using the mac access-list name command.

Example:

switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)#

Step 3

(Optional) Create a rule in the MAC ACL by using the [ sequence-number ] { permit | deny } source destination protocol command.

Example:

switch(config-mac-acl)# 100 permit mac 00c0.4f00.0000 0000.00ff.ffff any 0x0806

You can specify a position for the rule in the ACL by using a sequence number. If you do not provide a sequence number, the rule is added to the end of the list.

Use the permit and deny commands to identify traffic.

Step 4

(Optional) Remove a specific rule by sequence number or by criteria by using the no { sequence-number | { permit | deny } source destination protocol } command.

Example:

switch(config-mac-acl)# no 80

The permit and deny commands support many ways of identifying traffic.

Step 5

(Optional) Specify that the device maintains global statistics for packets matching the rules in the ACL by using the [ no ] statistics per-entry command.

Example:

switch(config-mac-acl)# statistics per-entry

Use the no statistics per-entry command to stop the device from maintaining global statistics for packets that match the rules in the ACL.

Step 6

(Optional) Display the updated MAC ACL configuration by using the show mac access-lists name command.

Example:

switch(config-mac-acl)# show mac access-lists acl-mac-01

Step 7

(Optional) Save the configuration by using the copy running-config startup-config command.

Example:

switch(config-mac-acl)# copy running-config startup-config

You modified the specified MAC ACL rule on your device.

What to do next

Verify that you modified the ACL and confirm that your device functions as expected.

Change sequence numbers in a MAC ACL

You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.

Procedure


Step 1

Enter global configuration mode by using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Assign sequence numbers to the rules contained in the ACL by using the resequence mac access-list name starting-sequence-number increment command.

Example:

switch(config)# resequence mac access-list acl-mac-01 100 10

The first rule receives the starting sequence number that you specify. Each subsequent rule receives a number greater than the previous rule. The difference in numbers is determined by the increment number that you specify.

Step 3

(Optional) Display the MAC ACL configuration by using the show mac access-lists name command.

Example:

switch(config)# show mac access-lists acl-mac-01

Step 4

(Optional) Copy the running configuration to the startup configuration by using the copy running-config startup-config command.

Example:

switch(config)# copy running-config startup-config

Remove a MAC ACL

Remove an Access Control List (ACL) from the running configuration to stop specific traffic filtering.

Perform this task when you no longer need an ACL or plan to replace it on the device.

Before you begin

  • You need administrative privileges to modify the device configuration.

  • Identify the name of the ACL you want to remove.

Procedure


Step 1

Enter global configuration mode by using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Remove the MAC ACL by name from the running configuration by using the no mac access-list name command.

Example:

switch(config)# no mac access-list acl-mac-01
switch(config)#

Step 3

(Optional) Display the MAC ACL configuration by using the show mac access-lists name summary command.

Example:

switch(config)# show mac access-lists acl-mac-01 summary

If the ACL remains applied to an interface, the command lists the interfaces.

Step 4

(Optional) Copy the running configuration to the startup configuration by using the copy running-config startup-config command.

Example:

switch(config)# copy running-config startup-config

The switch removes the specified ACL from the running configuration and from the startup configuration if you save the changes.

What to do next

  • Verify that network traffic behaves as expected after removing the ACL.

  • Remove the ACL from any interface where it is still applied.

Apply a MAC ACL as a port ACL

You can apply a MAC ACL as a port ACL to these interface types:

  • Layer 2 Ethernet interfaces

  • Layer 2 port-channel interfaces

Before you begin

Confirm that the required ACL is present and configured to filter traffic appropriately for your use case.

Procedure


Step 1

Enter global configuration mode by using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Enter one of these commands:

  • interface ethernet slot/port: enter interface configuration mode for a Layer 2 or Layer 3 interface.

  • interface port-channel channel-number: enter interface configuration mode for a Layer 2 or Layer 3 port-channel interface.

Example:

switch(config)# interface ethernet 2/1
switch(config-if)#

Example:

switch(config)# interface port-channel 5
switch(config-if)#

Step 3

Apply a MAC ACL to the interface by using the mac port access-group access-list command.

Example:

switch(config-if)# mac port access-group acl-01

Step 4

(Optional) Display the ACL configuration by using the show running-config aclmgr command.

Example:

switch(config-if)# show running-config aclmgr

Step 5

(Optional) Copy the running configuration to the startup configuration by using the copy running-config startup-config command.

Example:

switch(config-if)# copy running-config startup-config

Apply a MAC ACL as a VACL

You can apply a MAC ACL as a VACL.

Enable or disable MAC packet classification

You can enable or disable MAC packet classification on a Layer 2 interface.

Before you begin

The interface must be configured as a Layer 2 interface.

Note

If the interface is configured with the ip port access-group command or the ipv6 port traffic-filter command, you cannot enable MAC packet classification until you remove the ip port access-group and ipv6 port traffic-filter commands from the interface configuration.
Procedure


Step 1

Enter global configuration mode by using the configure terminal command.

Example:

switch# configure terminal
switch(config)#

Step 2

Enter one of the following commands:

  • interface ethernet slot/port: enter interface configuration mode for an Ethernet interface.

  • interface port-channel channel-number: enter interface configuration mode for a port-channel interface.

Example:

switch(config)# interface ethernet 2/1
switch(config-if)#

Example:

switch(config)# interface port-channel 5
switch(config-if)#

Step 3

Enable MAC packet classification on the interface by using the [ no ] mac packet-classify command.

Example:

switch(config-if)# mac packet-classify

Use the no form of the command to disable MAC packet classification on the interface.

Step 4

(Optional) Enter one of the following commands:

  • show running-config interface ethernet slot/port: display the running configuration of the Ethernet interface.

  • show running-config interface port-channel channel-number: display the running configuration of the port-channel interface.

Example:

switch(config-if)# show running-config interface ethernet 2/1

Example:

switch(config-if)# show running-config interface port-channel 5

Step 5

(Optional) Copy the running configuration to the startup configuration by using the copy running-config startup-config command.

Example:

switch(config-if)# copy running-config startup-config

Verifying the MAC ACL Configuration

To display MAC ACL configuration information, perform one of the following tasks:

Table 2. Commands to verify MAC ACL configuration

Command                             Purpose

show mac access-lists               Displays the MAC ACL configuration.

show running-config aclmgr [all]    Displays the ACL configuration, including MAC ACLs and the interfaces to which MAC ACLs are applied.
                                    Note: This command displays the user-configured ACLs in the running configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.

show startup-config aclmgr [all]    Displays the ACL startup configuration.
                                    Note: This command displays the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.

MAC ACL statistics monitoring and clearing

Use these commands to monitor or clear MAC ACL statistics on the device.

Table 3. Commands for monitoring and clearing MAC ACL statistics

Command                           Purpose

show mac access-lists             Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the output of show mac access-lists also includes the number of packets that have matched each rule.

clear mac access-list counters    Clears statistics for MAC ACLs.

Examples of MAC ACL configuration

MAC (Media Access Control) ACLs filter network traffic based on source and destination MAC addresses and are applied to Layer 2 interfaces.

mac access-list acl-mac-01
permit 00c0.4f00.0000 0000.00ff.ffff any 0x0806
interface ethernet 2/1
mac port access-group acl-mac-01

This configuration:

  • Creates a MAC ACL named acl-mac-01.

  • Permits Address Resolution Protocol (ARP) packets from the specified MAC address range.

  • Applies the ACL to Ethernet interface 2/1.
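As an added example (not Cisco code or output from this page), the following Python model evaluates rules written in the CLI form of the configuration example against frames, and renumbers rules the way the resequence command described earlier does. It assumes the mask (0000.00ff.ffff) is a wildcard mask in which 1 bits are ignored, that rules are checked in ascending sequence order with the first match winning, that an unmatched frame hits an implicit deny, and that with MAC packet classification disabled, IP frames (EtherType 0x0800 and 0x86dd) bypass the MAC ACL; the deny rule with sequence 105 is constructed for the example.

```python
IP_ETHERTYPES = {0x0800, 0x86DD}   # IPv4 and IPv6 frames (assumed set)

def _mac_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)

def _take_addr(tokens):
    """Consume 'any' | 'host MAC' | 'MAC MASK'; return (addr, mask, rest)."""
    if tokens[0] == "any":
        return "any", None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], None, tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_rule(line):
    """Parse '100 permit 00c0.4f00.0000 0000.00ff.ffff any 0x0806' into
    [seq, action, src, src_mask, dst, dst_mask, ethertype]; mask None means
    exact (host) match, ethertype None means any protocol."""
    tokens = line.split()
    src, src_mask, rest = _take_addr(tokens[2:])
    dst, dst_mask, rest = _take_addr(rest)
    ethertype = int(rest[0], 16) if rest else None
    return [int(tokens[0]), tokens[1], src, src_mask, dst, dst_mask, ethertype]

def _addr_ok(addr, mask, frame_addr):
    if addr == "any":
        return True
    if mask is None:
        return _mac_int(addr) == _mac_int(frame_addr)
    care = ~_mac_int(mask) & 0xFFFFFFFFFFFF     # wildcard mask (assumed): 1 bits ignored
    return _mac_int(addr) & care == _mac_int(frame_addr) & care

def evaluate(rules, src, dst, ethertype, packet_classify=True):
    """Return ('permit' | 'deny' | 'bypass', matched sequence number or None)."""
    if not packet_classify and ethertype in IP_ETHERTYPES:
        return "bypass", None      # classification disabled: IP traffic skips the MAC ACL
    for seq, action, rs, rsm, rd, rdm, rtype in sorted(rules, key=lambda r: r[0]):
        if (_addr_ok(rs, rsm, src) and _addr_ok(rd, rdm, dst)
                and (rtype is None or rtype == ethertype)):
            return action, seq     # lowest matching sequence number wins
    return "deny", None            # implicit deny at the end (assumed)

def resequence(rules, start, increment):
    """Renumber like 'resequence mac access-list NAME start increment'."""
    for i, rule in enumerate(sorted(rules, key=lambda r: r[0])):
        rule[0] = start + i * increment
    return sorted(rules, key=lambda r: r[0])

# The rule from the page's configuration example plus a constructed deny rule.
ACL_MAC_01 = [parse_rule("100 permit 00c0.4f00.0000 0000.00ff.ffff any 0x0806"),
              parse_rule("105 deny any any 0x0806")]
```

With classification enabled, an IPv4 frame from the permitted OUI falls through to the implicit deny because the only rules match EtherType 0x0806; with classification disabled the same frame bypasses the MAC ACL entirely.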

Additional references for MAC ACLs

Use this table to find documents related to MAC ACLs.

Table 4. Related documents

Related Topic      Document Title

TAP aggregation    Configuring TAP Aggregation and MPLS Stripping