Table Of Contents
M Commands
This chapter describes the Cisco NX-OS security commands that begin with M.
mac access-list
To create a MAC access control list (ACL) or to enter MAC access list configuration mode for a specific ACL, use the mac access-list command. To remove a MAC ACL, use the no form of this command.
mac access-list access-list-name
no mac access-list access-list-name
Syntax Description
access-list-name
Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long but cannot contain a space or a quotation mark.
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
No MAC ACLs are defined by default.
Use MAC ACLs to filter non-IP traffic. If you disable packet classification, you can use MAC ACLs to filter all traffic.
When you use the mac access-list command, the device enters MAC access list configuration mode, where you can use the MAC deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the mac port access-group command to apply the ACL to an interface.
Every MAC ACL has the following implicit rule as its last rule:
deny any any protocolThis implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.
Use the statistics per-entry command to configure the device to record statistics for each rule in a MAC ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit rule, you must explicitly configure a rule to deny the packets.
This command does not require a license.
Examples
This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:
switch# conf tswitch(config)# mac access-list mac-acl-01switch(config-acl)#Related Commands
mac packet-classify
To enable MAC packet classification on a Layer 2 interface, use the mac packet-classify command. To disable MAC packet classification, use the no form of this command.
mac packet-classify
no mac packet-classify
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
This command does not require a license.
MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.
When MAC packet classification is enabled on a Layer 2 interface, a MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic. Also, you cannot apply an IP port ACL on the interface.
When MAC packet classification is disabled on a Layer 2 interface, a MAC ACL that is on the interface applies only to non-IP traffic entering the interface. Also, you can apply an IP port ACL on the interface.
To configure an interface as a Layer 2 interface, use the switchport command.
Examples
This example shows how to configure an Ethernet interface to operate as a Layer 2 interface and to enable MAC packet classification:
switch# conf tswitch(config)# interface ethernet 2/3switch(config-if)# switchportswitch(config-if)# mac packet-classifyswitch(config-if)#This example shows how to view the configuration of an Ethernet interface and the error message that appears if you try to apply an IP port ACL to the interface when MAC packet classification is enabled:
switch(config)# show running-config interface ethernet 2/3!Command: show running-config interface Ethernet2/3!Time: Wed Jun 24 13:06:49 2009version 4.2(1)interface Ethernet2/3ip access-group ipacl inmac port access-group macaclswitchportmac packet-classifyswitch(config)# interface ethernet 2/3switch(config-if)# ip port access-group ipacl inERROR: The given policy cannot be applied as mac packet classification is enabled on this portswitch(config-if)#Related Commands
mac port access-group
To apply a MAC access control list (ACL) to an interface, use the mac port access-group command. To remove a MAC ACL from an interface, use the no form of this command.
mac port access-group access-list-name
no mac port access-group access-list-name
Syntax Description
access-list-name
Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
By default, no MAC ACLs are applied to an interface.
MAC ACLs apply to non-IP traffic, unless the device is configured to not classify traffic based on Layer 3 headers. If packet classification is disabled, MAC ACLs apply to all traffic.
You can use the mac port access-group command to apply a MAC ACL as a port ACL to the following interface types:
•Layer 2 interfaces
•Layer 2 Ethernet port-channel interfaces
You can also apply a MAC ACL as a VLAN ACL. For more information, see the match (VLAN access-map) command on page 388.
The device applies MAC ACLs only to inbound traffic. When the device applies a MAC ACL, the device checks packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This command does not require a license.
Examples
This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 2/1:
switch# config tswitch(config)# interface ethernet 2/1switch(config-if)# mac port access-group mac-acl-01This example shows how to remove a MAC ACL named mac-acl-01 from Ethernet interface 2/1:
switch# config tswitch(config)# interface ethernet 2/1switch(config-if)# no mac port access-group mac-acl-01 inRelated Commands
match (class-map)
To configure match criteria for control place class maps, use the match command. To delete match criteria for a control plane policy map, use the no form of the command.
match access-group name access-list
match exception {[ip | ipv6] {icmp {redirect | unreachable} | option}}
match protocol arp
match redirect {arp-inspect | dhcp-snoop}
no match access-group name access-list
no match exception {[ip | ipv6] {icmp {redirect | unreachable} | option}}
no match protocol arp
no match redirect {arp-inspect | dhcp-snoop}
Syntax Description
Defaults
None
Command Modes
Class map configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Release Modification4.0(3)
Added support for policing IPv6 packets.
4.0(1)
This command was introduced.
Usage Guidelines
You must create the IP ACLs or MAC ACLs before you reference them in this command.
You can use this command only in the default VDC.
This command does not require a license.
Examples
This example shows how to specify a match criteria for a control plane class map:
switch# config tswitch(config)# class-map type control-plane ClassMapAswitch(config-pmap)# match exception ip icmp redirectswitch(config-pmap)# match redirect arp-inspectThis example shows how to remove a criteria for a control plane class map:
switch# config tswitch(config)# class-map type control-plane ClassMapAswitch(config-pmap)# no match exception ip icmp redirectRelated Commands
match (VLAN access-map)
To specify an access control list (ACL) for traffic filtering in a VLAN access map, use the match command. To remove a match command from a VLAN access map, use the no form of this command.
match {ip | ipv6 | mac} address access-list-name
no match {ip | ipv6 | mac} address access-list-name
Syntax Description
Defaults
None
Command Modes
VLAN access-map configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You can specify one or more match commands per entry in a VLAN access map.
By default, the device classifies traffic and applies IPv4 ACLs to IPv4 traffic, IPv6 ACLs to IPv6 traffic, and MAC ACLs to all other traffic.
This command does not require a license.
Examples
This example shows how to create a VLAN access map named vlan-map-01 and add two entries that each have two match commands and one action command:
switch(config-access-map)# vlan access-map vlan-map-01switch(config-access-map)# match ip address ip-acl-01switch(config-access-map)# action forwardswitch(config-access-map)# match mac address mac-acl-00fswitch(config-access-map)# vlan access-map vlan-map-01switch(config-access-map)# match ip address ip-acl-320switch(config-access-map)# match mac address mac-acl-00eswitch(config-access-map)# action dropswitch(config-access-map)# show vlan access-mapVlan access-map vlan-map-01 10match ip: ip-acl-01match mac: mac-acl-00faction: forwardVlan access-map vlan-map-01 20match ip: ip-acl-320match mac: mac-acl-00eaction: dropRelated Commands
monitor session
To configure an access control list (ACL) capture session in order to selectively monitor traffic on an interface or VLAN, use the monitor session command.
monitor session session type acl-capture
Syntax Description
session
Session ID. The range is from 0 to 48.
type
Specifies a session type.
acl-capture
Creates an ACL capture session.
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Command Historynetwork-admin
vdc-admin
Usage Guidelines
This command does not require a license.
Examples
This example shows how to configure an ACL capture session:
switch# configure terminal
switch(config)# monitor session 5 type acl-capture
switch(config-acl-capture)#