MAC ACL configuration commands

Mac-access-list creation syntax

This is a new command that needs to be created to allow for the configuration of MAC-based access control lists.

Syntax

mac-access-list standard

Configure a standard MAC Access Control List.

NAME-STR

The standard MAC ACL name.

200-299

The standard MAC ACL number.

Standard MAC ACL Configuration

mac-access-list standard <200>

Description: Configure the standard MAC ACL to filter the packets based on the source MAC address. The standard MAC ACL number ranges from 200 to 299.

(config)#mac-access-list standard 200
(config-std-macl)#

Syntax

mac-access-list extended

Configure an extended MAC Access Control List.

NAME-STR

The extended MAC ACL name.

300-399

The extended MAC ACL number.

Extended MAC ACL Configuration

mac-access-list extended <300>

Configure the extended MAC ACL to filter the packets based on the source MAC address, destination MAC address, ethertype, CoS priority, or VLAN number. The extended MAC ACL number ranges from 300 to 399.

(config)#mac-access-list extended 300
(config-ext-macl)#

Syntax

mac-access-list resequence

Renumber the sequence number of the rules in the MAC ACL specified.

<1-2147483647>

The sequence number assigned to the first rule of the specified MAC ACL.

<1-2147483646>

The increment value that renumbers the subsequent rules in the specified MAC ACL.

Resequencing MAC ACL

mac-access-list resequence 200 1 10

Description: Renumber the sequence numbers of the rules in the specified MAC ACL. The first rule receives the start sequence number, and each subsequent rule receives the previous number plus the increment value.

(config)# mac-access-list resequence 300 1 10

NOTE: Similar command: ip access-list


Mac-access-list standard configuration context

This command is used to configure MAC ACL with a simplified configuration. A simplified configuration provides a way to easily configure MAC ACLs that only require matching on a source MAC address.

Syntax

[no] [SEQ-NUM] < permit | deny > < any | host SRC-MAC | SRC-MAC SRC-MAC-MASK > [log]

permit

Permit packets matching the specified Ethernet header information.

deny

Deny packets matching the specified Ethernet header information.

any

Match the packets with any source MAC address.

host

Match the packets with the specified source MAC address.

SRC-MAC

Match the packets belonging to the specified source MAC address range.

SRC-MAC-MASK

The MAC address group mask.

log

Log a debug message when the MAC ACL rule is hit.


NOTE: Similar command: (config)#ip access-list standard 1


Configure standard MAC ACL

(config)# mac-access-list standard 200
(config-std-macl)# permit AABB.CCDD.EEFF 0000.0000.FFFF
(config-std-macl)# deny host AABB.CCDD.EEFF log

Syntax

[no] SEQ-NUM remark

Add a comment for the MAC ACL rule specified. The maximum comment length is 100 characters.

Mac-access-list extended configuration context

Syntax

[no] [SEQ-NUM] < permit | deny > < any | host SRC-MAC | SRC-MAC SRC-MAC-MASK > < any | host DST-MAC | DST-MAC DST-MAC-MASK > [ any | ETHERTYPE ] [cos COS] [vlan VLAN-ID] [log]

Used to configure an extended MAC ACL. The extended capabilities allow for matching on source MAC address, destination MAC address, EtherType, CoS, and VLAN. The VLAN value is only applicable when the MAC ACL is applied to a port or trunk interface.

permit

Permit packets matching the specified Ethernet header information.

deny

Deny packets matching the specified Ethernet header information.

any

Match packets with any source/destination MAC address.

host

Match packets with the specified source/destination MAC address.

SRC-MAC

Match packets belonging to the specified source MAC address range.

SRC-MAC-MASK

The source MAC address group mask.

DST-MAC

Match packets belonging to the specified destination MAC address range.

DST-MAC-MASK

The destination MAC address group mask.

<0x600-0xFFFF>

Match a specific EtherType protocol.

aarp

AppleTalk Address Resolution Protocol (AARP)

appletalk

AppleTalk/EtherTalk

arp

Address Resolution Protocol (ARP)

fcoe

Fibre Channel over Ethernet

fcoe-init

Fibre Channel over Ethernet Initialization

lldp

Link Layer Discovery Protocol

ip

Internet Protocol Version 4

ipv6

Internet Protocol Version 6

ipx-arpa

IPX Advanced Research Projects Agency (ARPA)

ipx-non-arpa

IPX non-ARPA

is-is

Intermediate System to Intermediate System

mpls-unicast

MPLS Unicast

mpls-multicast

MPLS Multicast

q-in-q

IEEE 802.1ad encapsulation

rbridge

RBridge Channel Protocol

trill

IETF TRILL protocol

wake-on-lan

Wake on LAN

log

Log a debug message when the MAC ACL rule is hit.

cos

Match packets with the specified 802.1Q Priority Code Point (CoS) value.

<0-7>

The 802.1Q Priority Code Point value to match.

vlan

Match packets with the specified VLAN.

VLAN-ID

The VLAN ID to match.


NOTE: Similar command: (config)#ip access-list extended 100

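As an added example that is not part of this document or the switch's own code, the following Python script parses rules written in the standard and extended context syntax above and evaluates a frame against them the way a first-match ACL would. It assumes a wildcard mask (a 1 bit means "don't care") and an implicit deny at the end of the list, neither of which this document specifies, and the EtherType numbers in its table are constructed for the example.

```python
import re
MAC_BITS = (1 << 48) - 1
# Constructed EtherType table for a few of the keywords listed above (assumed values).
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "ipv6": 0x86DD, "aarp": 0x80F3, "lldp": 0x88CC}

def mac_int(mac):
    """'AABB.CCDD.EEFF' or 'aa:bb:cc:dd:ee:ff' -> 48-bit integer."""
    return int(re.sub(r"[.:-]", "", mac), 16)

def mac_spec(tokens):
    """Consume '< any | host MAC | MAC MASK >'; return (value, wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, MAC_BITS                   # assumption: every bit is "don't care"
    if tok == "host":
        return mac_int(tokens.pop(0)), 0     # every bit must match
    return mac_int(tok), mac_int(tokens.pop(0))

def parse_rule(line, extended=False):
    """Parse one rule written in the standard or extended context syntax above."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    rule = {"seq": seq, "action": tokens.pop(0), "src": mac_spec(tokens), "dst": None,
            "ethertype": None, "cos": None, "vlan": None, "log": False}
    if extended:
        rule["dst"] = mac_spec(tokens)
    while tokens:                            # optional trailers: EtherType, cos, vlan, log
        tok = tokens.pop(0)
        if tok == "log":
            rule["log"] = True
        elif tok in ("cos", "vlan"):
            rule[tok] = int(tokens.pop(0))
        elif tok != "any":                   # 'any' EtherType matches every frame
            rule["ethertype"] = int(tok, 16) if tok.startswith("0x") else ETHERTYPES[tok]
    return rule

def mac_matches(spec, mac):
    return ((mac ^ spec[0]) & ~spec[1] & MAC_BITS) == 0   # compare bits outside the wildcard

def evaluate(rules, frame):
    """(action, log) of the first matching rule; no match is the assumed implicit deny."""
    for r in rules:
        if not mac_matches(r["src"], frame["src"]):
            continue
        if r["dst"] is not None and not mac_matches(r["dst"], frame["dst"]):
            continue
        if any(r[k] is not None and r[k] != frame.get(k) for k in ("ethertype", "cos", "vlan")):
            continue
        return r["action"], r["log"]
    return "deny", False
```

A frame is a dict with integer src and dst MACs plus optional ethertype, cos and vlan keys; a rule that specifies a field the frame lacks does not match it.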

Remark command

The remark command allows for the insertion of a string at the specified sequence number. The remark consumes the sequence number where it is specified and remains in proper order if the list is resequenced. Remarks provide a way of keeping notes inside the given ACL, but they do not affect the behavior of the ACL.

Syntax

[no] SEQ-NUM remark

Add a comment for the MAC ACL or MAC ACL rule specified. The maximum comment length is 100 characters.

Mac-access-list application syntax (PACL)

This command is used to apply a MAC ACL to an interface.

Syntax

mac-access-group ACL-ID in

Apply a MAC ACL to traffic on a port. A standard or extended MAC ACL filters packets based on the source MAC address, destination MAC address, ethertype, CoS, or VLAN.

ASCII-STR

The MAC ACL name.

in

Apply MAC ACL on the inbound packets.


NOTE: Similar command: ip access-group name in

Applying a MAC ACL to a port

mac-access-group name in


Mac-access-list application syntax (VACL)

This command is used to apply a MAC ACL to a VLAN.

Syntax

mac-access-group ACL-ID in

Apply a MAC ACL to traffic on a VLAN. A standard or extended MAC ACL filters packets based on the source MAC address, destination MAC address, ethertype, CoS, or VLAN.

ASCII-STR

The MAC ACL name.

in

Apply MAC ACL on the inbound packets.


NOTE: Similar command: ip access-group name in

Applying a MAC ACL to VLAN 1

(config)#vlan 1
(vlan-1)# mac-access-group name in


Show access-list

Syntax

show access-list [ ACL-NAME-STR | config | ports | radius | resources | tunnel <TUNNEL-ID> | vlan <VLAN-ID> ]

Show access control list information. If no parameters are specified, a table of ACL information is displayed.

ACL-NAME-STR

Display detailed information about the specified ACL.

config

Show all configured ACLs on the switch using the CLI syntax used to create them.

ports

Show ACLs applied to the specified ports.

radius

Display ACLs applied via RADIUS.

resources

Display ACL resource usage and availability.

tunnel

Show ACLs applied to the specified tunnel.

vlan

Show ACLs applied to the specified VLAN.

Show access-list by name

This command is used to display the details about a specific ACL.

Syntax

show access-list <ACL-ID> [config]

Show access-list 300

switch(config)# show access-list 300
Access Control Lists
Name: 300
Type: MAC Extended
Applied: No
SEQ: Entry
---------------------------------------------
10 Action : permit
Src MAC: 1111.2222.3333  Mask: ffff.ffff.0000
Dst MAC: 4444.5555.6666  Mask: ffff.ffff.0000
Ethertype: aarp  CoS: 7  VLAN ID: 1

Show access-list 200

switch(config)# show access-list 200
Access Control Lists
Name: 200
Type: MAC Standard
Applied: No
SEQ:  Entry
------------------------------------------------------
10 Action:  permit 
Src MAC:    1111.2222.3333 Mask: ffff.ffff.0000
Ethertype : any 

Show access-list 100

switch(config)# show access-list 100
Name: 100
Type: IPv4 Extended
Applied: No
SEQ:  Entry
---------------------------------------------------
10 Action:  deny
   Src IP:     0.0.0.0           Mask: 255.255.255.255   Port(s):
   Dst IP:     0.0.0.0           Mask: 255.255.255.255   Port(s):
   Proto :     TCP
   TOS   :     Precedence:
20 Action:  deny
   Src IP:     0.0.0.0           Mask: 255.255.255.255   Port(s):
   Dst IP:     0.0.0.0           Mask: 255.255.255.255   Port(s): 
   Proto :     UDP
   TOS   :     Precedence: -

Show access-list v6ACL

switch(config)# show access-list v6ACL
Name: 100
Type: IPv6
Applied: No
SEQ  Entry
----------------------------------------
10  Action:       deny
    Src IP:       Prefix Len: 0
    Dst IP:       Prefix Len: 0
    Src Port(s):  Dst Port(s):
    Proto :       TCP  Option(s):
    Dscp :

Show access-list config

Syntax

show access-list <ACL-ID> config

Used to display a specific ACL as it would be shown in configuration.

mac-access-list

(config)# show access-list 300 config
10 permit 1111.2222.3333 ffff.ffff.0000 4444.5555.6666 ffff.ffff.0000 aarp
exit

(config)# show access-list 200 config
10 permit 1111.2222.3333 4444.5555.6666 
exit

Show access-list port

Syntax

show access-list port <port-list>

Used to display the current ACLs that are applied to a specified port.

Show access-list

(config)# show access-list port f1
Access Lists for Port F1
IPv4 Inbound : 100   Type: Extended
MAC  Inbound : 300   Type: Extended

Show access-list vlan

Syntax

show access-list vlan < VLAN-ID | all >

Used to display the current ACLs that are applied to a specified VLAN.

VLAN-ID

Show ACLs applied to the specified VLAN.

all

Show ACLs applied to all VLANs.

Show access-list

(config)# show access-list vlan 1
Access Lists for VLAN 1
IPv4 Router Inbound            : (None)
IPv4 VLAN Inbound              : (None)
IPv4 Connection Rate Filter    : (None)
IPv6 Router Inbound            : (None)
IPv6 VLAN Inbound              : (None)
MAC  VLAN Inbound              : 300    Type: Extended

Show access-list resources

Syntax

show access-list resource

Used to display current resource usage and availability in the policy enforcement engine.

Show access-list resource

(config)# show access-list resource

Resource usage in Policy Enforcement Engine

      |  Rules      | Rules Used
Slots |  Available  | ACL       | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----------+-----+-----+---+--------+-----+-------|
A     |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |
B     |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |
E     |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |
F     |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |

      |    Meters   |Meters Used
Slots |  Available  | ACL       | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----------+-----+-----+----+--------+-----+------|
A     |         255 |           |   0 |   0 |    |        |     |     0|
B     |         255 |           |   0 |   0 |    |        |     |     0|
E     |         255 |           |   0 |   0 |    |        |     |     0|
F     |         255 |           |   0 |   0 |    |        |     |     0|

      | Application |
      | Port Ranges | Application Port Ranges Used
Slots | Available   | ACL       | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----------+-----+-----+----+--------+-----+------|
A     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|
B     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|
E     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|
F     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|

The hardware (TCAM) resources used by the ACLs configured on the switch is 4 of 8 Policy Engine management resources.

Key
ACL Access Control Lists
QoS Quality of Service
IDM Identity Driven Management
VT Virus Throttling
Mirror Mirror Policies, Remote Intelligent Mirror endpoints
PBR Policy Based Routing
Other Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU, Transparent Mode.

Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included.

Show statistics

The show statistics command will need to be updated to take a MAC parameter.

Syntax

show statistics mac <ACL-NAME-STR> port <PORT-NUM>

Used to display hit counts for a given MAC ACL.

mac

Display the statistics of MAC ACL.

ACL-NAME-STR

The MAC ACL name.

port

Show statistics for the specified port.

[ethernet] PORT-NUM

The port on which the MAC ACL is applied.

Syntax

show statistics mac <ACL-NAME-STR> vlan <VLAN-ID> < in | out | vlan >

vlan

Show statistics for the specified VLAN.

VLAN-ID

The VLAN ID or VLAN name.

in

Show statistics for MAC ACLs that are applied inbound.

out

Show statistics for MAC ACLs that are applied outbound.

show statistics mac

show statistics mac 300 port 1 in

show statistics mac 300 vlan 10 in

show statistics mac 300 vlan 10 vlan

show statistics mac superMac vlan 10 in

show statistics mac superMac vlan 10 in 

HitCounts for ACL superMac 
Total 
( 540 )    10 permit any 1111.2222.3333 4444.5555.6666 

clear statistics

The clear statistics command will need to be updated to take a MAC parameter.

Syntax

clear statistics mac <ACL-NAME-STR> port <PORT-NUM>

Clear all the counters for the ACLs that match the criteria specified.

mac

Clear the statistics for MAC ACL.

ACL-NAME-STR

The MAC ACL name or the MAC ACL number.

port

Clear statistics for the specified port.

[ethernet] PORT-NUM

The port from which the MAC ACL statistics is cleared.

Syntax

clear statistics mac <ACL-NAME-STR> < port <PORT-NUM> | vlan <VLAN-ID> < in | out | vlan > >

vlan

Clear statistics for the specified VLAN.

VLAN-ID

The VLAN ID or VLAN name.

in

Clear statistics for inbound packets on the VLAN.

out

Clear statistics for outbound packets on the VLAN.

Clear statistics mac superMac

clear statistics mac superMac vlan 10 in