Configuring MAC ACLs
This chapter describes how to configure MAC access lists (ACLs) on NX-OS devices.
This chapter includes the following sections:
• Information About MAC ACLs
• Licensing Requirements for MAC ACLs
• Prerequisites for MAC ACLs
• Guidelines and Limitations
• Configuring MAC ACLs
• Verifying MAC ACL Configurations
• Displaying and Clearing MAC ACL Statistics
• Example Configuration for MAC ACLs
• Default Settings
• Additional References
Information About MAC ACLs
MAC ACLs are ACLs that filter traffic using information in the Layer 2 header of each packet. MAC ACLs share many fundamental concepts with IP ACLs, including support for virtualization. For information about these shared concepts, see the "Information About ACLs" section on page 10-1.
Licensing Requirements for MAC ACLs
The following table shows the licensing requirements for this feature:
Prerequisites for MAC ACLs
MAC ACLs have the following prerequisites:
• You must be familiar with MAC addressing and non-IP protocols to configure MAC ACLs.
• You must be familiar with the concepts in the "Information About ACLs" section on page 10-1.
Guidelines and Limitations
MAC ACLs have the following configuration guidelines and limitations:
• MAC ACLs apply to ingress traffic only.
• ACL statistics are not supported if the DHCP snooping feature is enabled.
Configuring MAC ACLs
This section includes the following topics:
• Creating a MAC ACL
• Changing a MAC ACL
• Removing a MAC ACL
• Changing Sequence Numbers in a MAC ACL
• Applying a MAC ACL as a Port ACL
• Applying a MAC ACL as a VACL
Creating a MAC ACL
You can create a MAC ACL and add rules to it.
BEFORE YOU BEGIN
Ensure that you are in the correct VDC (or use the switchto vdc command). Because ACL names can be repeated in different VDCs, we recommend that you confirm which VDC you are working in.
SUMMARY STEPS
1. config t
2. mac access-list name
3. {permit | deny} source destination protocol
4. statistics per-entry
5. show mac access-lists name
6. copy running-config startup-config
DETAILED STEPS
Changing a MAC ACL
In an existing MAC ACL, you can add and remove rules, but you cannot edit an existing rule in place. To change a rule, remove it and recreate it with the desired changes.
If you need to insert more rules between existing rules than the current sequence numbering allows, use the resequence command to reassign sequence numbers. For more information, see the "Changing Sequence Numbers in a MAC ACL" section.
BEFORE YOU BEGIN
Ensure that you are in the correct VDC (or use the switchto vdc command). Because ACL names can be repeated in different VDCs, we recommend that you confirm which VDC you are working in.
SUMMARY STEPS
1. config t
2. mac access-list name
3. [sequence-number] {permit | deny} source destination protocol
4. no {sequence-number | {permit | deny} source destination protocol}
5. [no] statistics per-entry
6. show mac access-lists name
7. copy running-config startup-config
DETAILED STEPS
Removing a MAC ACL
You can remove a MAC ACL from the device.
BEFORE YOU BEGIN
Ensure that you are in the correct VDC (or use the switchto vdc command). Because ACL names can be repeated in different VDCs, we recommend that you confirm which VDC you are working in.
Ensure that you know whether the ACL is applied to an interface. The device allows you to remove an ACL that is currently applied, and doing so does not change the configuration of the interfaces that reference it; instead, the device treats the removed ACL as empty. Use the show mac access-lists command with the summary keyword to find the interfaces on which a MAC ACL is configured, and confirm that the resulting change in filtering on those interfaces is what you intend before removing the ACL.
SUMMARY STEPS
1. config t
2. no mac access-list name
3. show mac access-lists name summary
4. copy running-config startup-config
DETAILED STEPS
Changing Sequence Numbers in a MAC ACL
You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers. For more information, see the "About Rules" section on page 10-5.
BEFORE YOU BEGIN
Ensure that you are in the correct VDC (or use the switchto vdc command). Because ACL names can be repeated in different VDCs, we recommend that you confirm which VDC you are working in.
SUMMARY STEPS
1. config t
2. resequence mac access-list name starting-sequence-number increment
3. show mac access-lists name
4. copy running-config startup-config
DETAILED STEPS
Applying a MAC ACL as a Port ACL
You can apply a MAC ACL as a port ACL to any of the following interface types:
• Layer 2 interfaces
• Layer 3 interfaces
• Port-channel interfaces
BEFORE YOU BEGIN
Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application. For more information about configuring MAC ACLs, see the "Configuring MAC ACLs" section.
SUMMARY STEPS
1. config t
2. interface ethernet slot/port (or interface port-channel channel-number)
3. mac port access-group access-list
4. show running-config aclmgr
5. copy running-config startup-config
DETAILED STEPS
Applying a MAC ACL as a VACL
You can apply a MAC ACL as a VACL. For information about how to create a VACL using a MAC ACL, see the "Creating or Changing a VACL" section on page 12-3.
Verifying MAC ACL Configurations
To display MAC ACL configuration information, use one of the following commands:
For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.0.
Displaying and Clearing MAC ACL Statistics
Use the show mac access-lists command to display statistics about a MAC ACL, including the number of packets that have matched each rule.
To display or clear MAC ACL statistics, use one of the following commands:
For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.0.
Example Configuration for MAC ACLs
The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:
mac access-list acl-mac-01
permit 00c0.4f00.0000 0000.00ff.ffff any
interface ethernet 2/1
mac port access-group acl-mac-01
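The following Python model is an added example, not Cisco code and not something the device runs. It models the MAC ACL semantics this chapter describes so that you can check what a rule set will do before you apply it: the Cisco wildcard mask in the example above (0 bits must match, 1 bits are don't-care, so 00c0.4f00.0000 0000.00ff.ffff matches every source address with OUI 00:c0:4f), first-match evaluation in sequence-number order, the implicit deny that ends every ACL, the per-entry counters enabled by statistics per-entry, rule removal by sequence number, and the resequence command from the "Changing Sequence Numbers in a MAC ACL" section. The optional trailing hexadecimal EtherType in the rule text (0x0806 for ARP) and the function and class names are assumptions made for this illustration.

```python
"""Model of NX-OS MAC ACL matching (added example, not Cisco code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ALL_BITS = 0xFFFF_FFFF_FFFF  # 48-bit MAC address


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex (aabb.ccdd.eeff), colon or dash notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class AddrSpec:
    """Source/destination match: value plus Cisco wildcard mask ('any' = all don't-care)."""
    value: int = 0
    wildcard: int = ALL_BITS

    def matches(self, addr: int) -> bool:
        care = ALL_BITS ^ self.wildcard  # 0 bits in the wildcard must match exactly
        return (addr & care) == (self.value & care)


@dataclass
class Rule:
    seq: int
    action: str                # 'permit' or 'deny'
    src: AddrSpec
    dst: AddrSpec
    ethertype: Optional[int]   # None matches any protocol (assumed hex EtherType syntax)
    hits: int = 0

    def matches(self, src: int, dst: int, ethertype: int) -> bool:
        return (self.src.matches(src) and self.dst.matches(dst)
                and (self.ethertype is None or self.ethertype == ethertype))


class MacAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: list[Rule] = []

    @staticmethod
    def _parse_addr(tokens: list[str]) -> AddrSpec:
        """Consume 'any' or '<value> <wildcard>' from the front of the token list."""
        if tokens[0] == "any":
            tokens.pop(0)
            return AddrSpec()
        value, wildcard = tokens.pop(0), tokens.pop(0)
        return AddrSpec(mac_to_int(value), mac_to_int(wildcard))

    def add_rule(self, line: str) -> Rule:
        """Add a rule from CLI-style text such as '20 permit any any 0x0806'.
        Without a sequence number, 10 more than the last rule is assigned, as NX-OS does."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else (self.rules[-1].seq + 10 if self.rules else 10)
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        src = self._parse_addr(tokens)
        dst = self._parse_addr(tokens)
        ethertype = int(tokens.pop(0), 16) if tokens else None  # assumed: optional hex EtherType
        rule = Rule(seq, action, src, dst, ethertype)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)  # rules are evaluated in sequence order
        return rule

    def remove_rule(self, seq: int) -> None:
        """'no <sequence-number>': rules are not edited in place, only removed and re-added."""
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start: int, increment: int) -> list[int]:
        """'resequence mac access-list <name> <start> <increment>': renumber, keeping order."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * increment
        return [r.seq for r in self.rules]

    def evaluate(self, src: str, dst: str, ethertype: int) -> tuple[str, Optional[int]]:
        """First matching rule wins; the implicit deny (seq None) ends every ACL."""
        s, d = mac_to_int(src), mac_to_int(dst)
        for rule in self.rules:
            if rule.matches(s, d, ethertype):
                rule.hits += 1  # the 'statistics per-entry' counter
                return rule.action, rule.seq
        return "deny", None

    def statistics(self) -> dict[int, int]:
        return {r.seq: r.hits for r in self.rules}


def build_example_acl() -> MacAcl:
    """acl-mac-01 from this chapter plus an added (assumed) rule permitting ARP from anyone."""
    acl = MacAcl("acl-mac-01")
    acl.add_rule("permit 00c0.4f00.0000 0000.00ff.ffff any")  # becomes sequence 10
    acl.add_rule("permit any any 0x0806")                      # becomes sequence 20
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    print(acl.evaluate("00c0.4f12.3456", "ffff.ffff.ffff", 0x0800))  # ('permit', 10)
    print(acl.evaluate("0011.2233.4455", "ffff.ffff.ffff", 0x0800))  # ('deny', None)
    print(acl.resequence(100, 5), acl.statistics())
```

Run it against the frames you expect on the port: a source in the 00:c0:4f OUI is permitted by the first rule, ARP from any other station is permitted by the added rule, and everything else falls through to the implicit deny, which is exactly why a MAC ACL with only permit rules still blocks all unlisted traffic.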
Default Settings
Table 11-1 lists the default settings for MAC ACL parameters.
| Parameters | Default |
|---|---|
| MAC ACLs | No MAC ACLs exist by default |
| ACL rules | Implicit rules apply to all ACLs (see the "Implicit Rules" section on page 10-6) |
Additional References
For additional information related to implementing MAC ACLs, see the following sections:
Related Documents
Standards
| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |