MAC Layer 2 Access Control Lists

The ability to filter packets in a modular and scalable way is important for both network security and network management. Access Control Lists (ACLs) provide the capability to filter packets at a fine granularity. MAC ACLs are ACLs that filter traffic using information in the layer 2 header of each packet.

Layer 2 MAC ACLs permit or deny packets based on their source and destination MAC addresses. This module describes how to implement MAC ACLs.

Prerequisites for MAC Layer 2 Access Control Lists

  • Knowledge of how service instances are configured.
  • Knowledge of extended MAC ACLs and how they are configured.

Restrictions for MAC Layer 2 Access Control Lists

The following limitations and configuration guidelines apply when configuring MAC Layer 2 ACLs:

  • MAC ACL is only supported on the port level.

  • Classification based on QoS ACL is not supported for MAC ACL.

  • MAC ACLs apply to only ingress traffic.

  • MAC ACL is not supported on EVC.

  • MAC ACL is not supported on VLAN interface.

  • A MAC ACL occupies a Layer 2 ACL slice, subject to the availability of Ingress Field Processor (IFP) slices.

  • MAC ACL is supported on 1G and 10G interfaces.

  • MAC ACL is supported on Gigabit Ethernet interface and its bundle derivatives.

  • MAC ACL is not supported on Multilink Point-to-Point (MLPPP) interface.

  • MAC ACLs and IP ACLs cannot be applied together on the same interface.

  • Only named MAC ACLs are supported.

  • MAC ACLs share many fundamental concepts, including configuration and limitations, with IP ACLs.

  • A maximum of 128 entries can be configured per MAC ACL slice.

How to Configure MAC Layer 2 Access Control Lists

Creating a Layer 2 ACL

Perform this task to create a Layer 2 ACL with a single ACE.

Procedure

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

mac-access-list extended name

Example:


Device(config)# mac-access-list extended test-12-acl

Defines an extended MAC ACL and enters MAC access-list configuration mode.

Step 4

permit {host src-mac | src-mac mask | any} {host dest-mac | dest-mac mask | any}

Example:


Device(config-ext-macl)# permit host 00aa.00bb.00cc host 00aa.00bb.00dd

Allows forwarding of layer 2 traffic if the conditions are matched. Creates an ACE for the ACL.

Configuring MAC Layer 2 ACL on an Interface

Perform this task to configure the MAC layer 2 ACL on an interface.

Procedure

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

mac-access-list extended name

Example:


Device(config)# mac-access-list extended test-12-acl

Defines an extended MAC ACL and enters MAC access-list configuration mode.

Step 4

permit {host src-mac | src-mac mask | any} {host dest-mac | dest-mac mask | any}

Example:


Device(config-ext-macl)# permit host 00aa.bbcc.ddeb host 00bb.bbcc.ddeb

Allows forwarding of Layer 2 traffic if the conditions are matched. This creates an ACE for the ACL.

Step 5

deny any any

Example:


Device(config-ext-macl)# deny any any

Denies all Layer 2 traffic that is not matched by a preceding permit ACE.

Step 6

exit

Example:


Device(config-ext-macl)# exit

Exits the current command mode and returns to global configuration mode.

Step 7

interface type number

Example:


Device(config)# interface gigabitethernet 1/0/0

Specifies the interface.

Step 8

mac access-group access-list-name in

Example:


Device(config-if)# mac access-group test-12-acl in

Applies a MAC ACL to control incoming traffic on the interface.

Configuration Examples for Layer 2 MAC Access Control Lists


      !
      mac access-list extended scale
      permit host 0001.0001.0001 host 0002.0002.0002 sequence 10
      deny   any any sequence 20
      permit any any sequence 30
      .
      .
      .
      .
      !
      interface GigabitEthernet0/0
      no ip address
      negotiation auto
      mac access-group scale in
      end

Verification of Configuration

Use the following command to verify the configuration of MAC layer 2 ACL:

      #sh access-lists macacl
      Extended MAC access list macacl 
      permit host 0001.0001.0001 host 0002.0002.0002 sequence 10 
      deny   any any sequence 20 
      permit any any sequence 30
   

Use the following command to verify the configuration of MAC layer 2 ACL on an interface:


        #sh run int g0/0
        Building configuration...
        Current configuration : 106 bytes
        !
        interface GigabitEthernet0/0
        no ip address
        negotiation auto
        mac access-group scale in
        end
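As an added audit helper (not part of this guide or of the device software), the following Python parses running-config text of the shape shown above and reports the restrictions this module lists: more than 128 ACEs in a MAC ACL, a MAC ACL applied together with an IP ACL, a MAC ACL on a VLAN interface, and ACEs that first-match evaluation makes unreachable, such as the permit any any placed after deny any any in the example above. The Vlan10 stanza and the ACL and interface names in SAMPLE_CONFIG are constructed sample input.

```python
import re
ACE_RE = re.compile(r"^(permit|deny)\s+(any\b|host \S+|\S+ \S+)\s+(any\b|host \S+|\S+ \S+)")

def parse_config(text):
    """Return ({acl: [(action, src, dst), ...]}, {iface: {"mac_acl": name|None, "ip_acl": bool}})."""
    acls, ifaces, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":  # stanza delimiter
            cur = None
        elif m := re.match(r"^mac access-list extended (\S+)$", line):
            cur = acls.setdefault(m.group(1), [])
        elif m := re.match(r"^interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"mac_acl": None, "ip_acl": False})
        elif isinstance(cur, list) and (m := ACE_RE.match(line)):
            cur.append(m.groups())  # (action, src, dst); a trailing 'sequence N' is ignored
        elif isinstance(cur, dict):
            if m := re.match(r"^mac access-group (\S+) in$", line):
                cur["mac_acl"] = m.group(1)
            elif line.startswith("ip access-group "):
                cur["ip_acl"] = True
    return acls, ifaces

def audit(text):
    """Findings for this page's restrictions, plus ACEs made unreachable by first-match evaluation."""
    acls, ifaces = parse_config(text)
    out = []
    for name, aces in acls.items():
        if len(aces) > 128:  # per-slice entry limit stated in the restrictions above
            out.append(f"{name}: {len(aces)} ACEs exceeds the 128-entry limit")
        hit = next((i for i, (_, s, d) in enumerate(aces) if s == d == "any"), None)
        if hit is not None and hit < len(aces) - 1:
            out.append(f"{name}: {len(aces) - hit - 1} ACE(s) after position {hit + 1} are unreachable")
    for iface, data in ifaces.items():
        if data["mac_acl"] and data["ip_acl"]:
            out.append(f"{iface}: MAC ACL and IP ACL on one interface are not supported")
        if data["mac_acl"] and iface.lower().startswith("vlan"):
            out.append(f"{iface}: MAC ACL on a VLAN interface is not supported")
    return out

# Constructed sample: the page's ACL and interface, plus a deliberately unsupported VLAN binding.
SAMPLE_CONFIG = """mac access-list extended scale
 permit host 0001.0001.0001 host 0002.0002.0002 sequence 10
 deny   any any sequence 20
 permit any any sequence 30
interface GigabitEthernet0/0
 mac access-group scale in
interface Vlan10
 mac access-group scale in
 ip access-group 101 in"""
```

audit(SAMPLE_CONFIG) returns three findings: the shadowed permit at sequence 30 on scale, and the two unsupported bindings on Vlan10.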