MAC ACL configuration commands
Mac-access-list creation syntax
This is a new command that needs to be created to allow for the configuration of MAC-based access control lists.
Syntax
mac-access-list extended
Configure an extended MAC Access Control List.
Extended MAC ACL Configuration
mac-access-list extended <300>
Configure the extended MAC ACL to filter packets based on the source MAC address, destination MAC address, EtherType, CoS priority, or VLAN number. The extended MAC ACL number ranges from 300 to 399.
(config)# mac-access-list extended 300
(config-ext-macl)#
Syntax
mac-access-list resequence
Renumber the sequence number of the rules in the MAC ACL specified.
<1-2147483647>
    The sequence number assigned to the first rule of the specified MAC ACL.
<1-2147483646>
    The increment value that renumbers the subsequent rules in the specified MAC ACL.
Resequencing MAC ACL
mac-access-list resequence 200 1 10
Description: Renumber the sequence number of the rules in the MAC ACL specified. The first rule receives the sequence number specified in the start-seq-num and the subsequent rule numbers increment per the increment value.
(config)# mac-access-list resequence 300 1 10
Mac-access-list standard configuration context
This command is used to configure MAC ACL with a simplified configuration. A simplified configuration provides a way to easily configure MAC ACLs that only require matching on a source MAC address.
Syntax
[no] SEQ-NUM <permit | deny> <any | host SRC-MAC | SRC-MAC SRC-MAC-MASK> [log]
permit
Permit packets matching the specified Ethernet header information.
deny
Deny packets matching the specified Ethernet header information.
any
Match the packets with any source MAC address.
host
Match the packets with the specified source MAC address.
SRC-MAC
Match the packets belonging to the specified source MAC address range.
SRC-MAC-MASK
The MAC address group mask.
log
Log a debug message when the MAC ACL rule is hit.
Configure standard MAC ACL
(config)# mac-access-list standard 200
(config-std-macl)# permit AABB.CCDD.EEFF 0000.0000.FFFF
(config-std-macl)# deny host AABB.CCDD.EEFF log
Syntax
Mac-access-list extended configuration context
Syntax
[no] SEQ-NUM <permit | deny> <any | host SRC-MAC | SRC-MAC SRC-MAC-MASK> <any | host DST-MAC | DST-MAC DST-MAC-MASK> <any | ETHERTYPE> [cos COS] [vlan VLAN-ID] [log]
Used to configure an extended MAC ACL. The extended capabilities allow for matching on source MAC address, destination MAC address, EtherType, CoS, and VLAN. The VLAN value is only applicable when the MAC ACL is applied to a port or trunk interface.
permit
Permit packets matching the specified Ethernet header information.
deny
Deny packets matching the specified Ethernet header information.
any
Match packets with any source/destination MAC address.
host
Match packets with the specified source/destination MAC address.
SRC-MAC
Match packets belonging to the specified source/destination MAC address range.
SRC-MAC-MASK
The source MAC address group mask.
DST-MAC-MASK
The destination MAC address group mask.
<0x600-0xFFFF>
Match a specific EtherType protocol.
aarp
AppleTalk Address Resolution Protocol (AARP)
appletalk
AppleTalk/EtherTalk
arp
Address Resolution Protocol (ARP)
fcoe
Fibre Channel over Ethernet
fcoe-init
Fibre Channel over Ethernet Initialization
lldp
Link Layer Discovery Protocol
ip
Internet Protocol Version 4
ipv6
Internet Protocol Version 6
ipx-arpa
IPX Advanced Research Projects Agency (ARPA)
ipx-non-arpa
IPX non-ARPA
is-is
Intermediate System to Intermediate System
mpls-unicast
MPLS Unicast
mpls-multicast
MPLS Multicast
q-in-q
IEEE 802.1ad encapsulation
rbridge
RBridge Channel Protocol
trill
IETF TRILL protocol
wake-on-lan
Wake on LAN
log
Log a debug message when the MAC ACL rule is hit.
cos
Match packets with a specified 802.1Q Priority Code Point value.
<0-7>
Match packets with a specified 802.1Q Priority Code Point value.
vlan
Match packets with the specified VLAN value.
VLAN-ID
Match packets with the specified VLAN value.
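An added Python model (not the switch's code) of how the standard and extended rules above are evaluated and how resequence renumbers them: the first matching rule in sequence order wins, a remark occupies a sequence number but never matches, and no match falls through to an assumed implicit deny. It assumes the MAC mask is a wildcard mask (a 1 bit means "don't care"), which is how the show access-list output's "Mask: 255.255.255.255" for an any-address entry reads; confirm that on your platform before relying on it.

```python
from dataclasses import dataclass, field
from typing import Optional

def mac_int(mac: str) -> int:
    """Parse AABB.CCDD.EEFF (or colon/dash form) into a 48-bit integer."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)

def mac_match(value: str, mask: str, frame_mac: str) -> bool:
    """ASSUMPTION: wildcard mask, i.e. a 1 bit in the mask means 'don't care'."""
    if value == "any":
        return True
    care = ~mac_int(mask) & 0xFFFFFFFFFFFF
    return (mac_int(value) & care) == (mac_int(frame_mac) & care)

@dataclass
class Rule:
    seq: int
    action: str                       # "permit", "deny" or "remark"
    src: str = "any"                  # "host X" is X with an all-zero mask
    src_mask: str = "0000.0000.0000"
    dst: str = "any"                  # dst/ethertype/cos/vlan: extended ACLs only
    dst_mask: str = "0000.0000.0000"
    ethertype: Optional[int] = None   # None means any
    cos: Optional[int] = None
    vlan: Optional[int] = None
    log: bool = False

@dataclass
class MacAcl:
    name: str
    rules: list = field(default_factory=list)
    def evaluate(self, src, dst, ethertype=None, cos=None, vlan=None):
        """First match in sequence order wins; no match -> assumed implicit deny."""
        for r in sorted(self.rules, key=lambda r: r.seq):
            if r.action == "remark":
                continue  # a remark holds a sequence number but never matches
            if (mac_match(r.src, r.src_mask, src)
                    and mac_match(r.dst, r.dst_mask, dst)
                    and r.ethertype in (None, ethertype)
                    and r.cos in (None, cos)
                    and r.vlan in (None, vlan)):
                return r.action, r.seq, r.log
        return "deny", None, False

    def resequence(self, start: int, increment: int) -> list:
        """Renumber all rules (remarks included) in their current order."""
        ordered = sorted(self.rules, key=lambda r: r.seq)
        for i, r in enumerate(ordered):
            r.seq = start + i * increment
        return [r.seq for r in ordered]
```

Run against the standard ACL 200 example on this page, the deny host rule at sequence 20 is shadowed by the permit at 10 because the host address also falls inside the masked range, so its log action never fires; sequence order, not rule specificity, decides.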
Remark command
The remark command inserts a text string at the specified sequence number. The remark consumes that sequence number and keeps its relative position when the list is resequenced. Remarks provide a way of keeping notes inside the given ACL; they do not affect the behavior of the ACL.
Syntax
Mac-access-list application syntax (PACL)
This command is used to apply a MAC ACL to an interface.
Syntax
Mac-access-list application syntax (VACL)
This command is used to apply a MAC ACL to a VLAN.
Syntax
Show access-list
Syntax
show access-list [ACL-NAME-STR | config | ports | radius | resources | tunnel <TUNNEL-ID> | vlan <VLAN-ID>]
Show access control list information. If no parameters are specified, a table of ACL information is displayed.
ACL-NAME-STR
Display detailed information about the specified ACL.
config
Show all configured ACLs on the switch using the CLI syntax used to create them.
ports
Show ACLs applied to the specified ports.
radius
Display ACLs applied via RADIUS.
resources
Display ACL resource usage and availability.
tunnel
Show ACLs applied to the specified tunnel.
vlan
Show ACLs applied to the specified VLAN.
Show access-list by name
This command is used to display the details about a specific ACL.
Syntax
Show access-list 300
switch(config)# show access-list 300

Access Control Lists

  Name: 300
  Type: MAC Extended
  Applied: No

  SEQ: Entry
  ---------------------------------------------
  10   Action : permit
       Src MAC: 1111.2222.3333   Mask: ffff.ffff.0000
       Dst MAC: 4444.5555.6666   Mask: ffff.ffff.0000
       Ethertype: aarp   CoS: 7   VLAN ID: 1
Show access-list 200
switch(config)# show access-list 200

Access Control Lists

  Name: 200
  Type: MAC Standard
  Applied: No

  SEQ: Entry
  ------------------------------------------------------
  10   Action: permit
       Src MAC: 1111.2222.3333   Mask: ffff.ffff.0000
       Ethertype : any
Show access-list 100
switch(config)# show access-list 100

  Name: 100
  Type: IPv4 Extended
  Applied: No

  SEQ: Entry
  ---------------------------------------------------
  10   Action: deny
       Src IP: 0.0.0.0   Mask: 255.255.255.255   Port(s):
       Dst IP: 0.0.0.0   Mask: 255.255.255.255   Port(s):
       Proto : TCP   TOS :   Precedence:
  20   Action: deny
       Src IP: 0.0.0.0   Mask: 255.255.255.255   Port(s):
       Dst IP: 0.0.0.0   Mask: 255.255.255.255   Port(s):
       Proto : UDP   TOS :   Precedence: -
Show access-list config
Syntax
Show access-list port
Syntax
Show access-list vlan
Syntax
Show access-list resources
Syntax
show access-list resource
Used to display current resource usage and availability in the policy enforcement engine.
Show access-list resource
(config)# show access-list resource

Resource usage in Policy Enforcement Engine

      | Rules       |                  Rules Used
Slots | Available   | ACL | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----+-----+-----+----+--------+-----+------|
  A   |    227      |  9  |  0  |  0  | 0  |   0    |2816 |   3  |
  B   |    227      |  9  |  0  |  0  | 0  |   0    |2816 |   3  |
  E   |    227      |  9  |  0  |  0  | 0  |   0    |2816 |   3  |
  F   |    227      |  9  |  0  |  0  | 0  |   0    |2816 |   3  |

      | Meters      |                  Meters Used
Slots | Available   | ACL | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----+-----+-----+----+--------+-----+------|
  A   |    255      |     |  0  |  0  |    |        |     |   0  |
  B   |    255      |     |  0  |  0  |    |        |     |   0  |
  E   |    255      |     |  0  |  0  |    |        |     |   0  |
  F   |    255      |     |  0  |  0  |    |        |     |   0  |

      | Application |           Application Port Ranges Used
      | Port Ranges |
Slots | Available   | ACL | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----+-----+-----+----+--------+-----+------|
  A   |    14       |  0  |  0  |  0  |    |   0    |  0  |   0  |
  B   |    14       |  0  |  0  |  0  |    |   0    |  0  |   0  |
  E   |    14       |  0  |  0  |  0  |    |   0    |  0  |   0  |
  F   |    14       |  0  |  0  |  0  |    |   0    |  0  |   0  |

The hardware (TCAM) resources used by the ACLs configured on the switch are 4 of 8 Policy Engine management resources.

Key:
  ACL     Access Control Lists
  QoS     Quality of Service
  IDM     Identity Driven Management
  VT      Virus Throttling
  Mirror  Mirror Policies, Remote Intelligent Mirror endpoints
  PBR     Policy Based Routing
  Other   Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU, Transparent Mode.

Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included.
Show statistics
The show statistics command will need to be updated to take a MAC parameter.
Syntax
show statistics mac <ACL-NAME-STR> port <PORT-NUM>
Used to display hit counts for a given MAC ACL.
mac
Display the statistics of MAC ACL.
ACL-NAME-STR
The MAC ACL name.
port
Show statistics for the specified port.
[ethernet] PORT-NUM
The port on which the MAC ACL is applied.
Syntax
clear statistics
The clear statistics command will need to be updated to take a MAC parameter.
Syntax
clear statistics mac <ACL-NAME-STR> port <PORT-NUM>
Clear all the counters for the ACLs that match the criteria specified.
mac
Clear the statistics for MAC ACL.
ACL-NAME-STR
The MAC ACL name or the MAC ACL number.
port
Clear statistics for the specified port.
[ethernet] PORT-NUM
The port from which the MAC ACL statistics are cleared.
Syntax