Configuring a MAC ACL

Similar documents
Configuring an IP ACL

Send document comments to

Configuring Policy-Based Routing

Configuring the MAC Address Table

Configuring Policy-Based Routing

Configuring Rate Limits

Configuring System Port Profiles

Configuring WCCPv2. Information About WCCPv2. Send document comments to CHAPTER

Configuring IP ACLs. About ACLs

Configuring sflow. Information About sflow. sflow Agent. This chapter contains the following sections:

Configuring Traffic Storm Control

Configuring Session Manager

Implementing Layer 2 Access Lists

Configuring EtherChannels

Send document comments to

Configuring Traffic Storm Control

Configuring IP ACLs. About ACLs

Configuring Layer 2 Switching

Configuring Mutation Mapping

Configuring Classification

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Send document comments to name List name. The range of valid values is 1 to 64.

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

Nexus 7000 and 7700 Series Switches Optimized ACL Logging Configuration Example

Configuring Virtual Ethernet Interfaces

Configuring IGMP Snooping

Implementing Access Lists and Prefix Lists

Configuring Unicast RPF

Configuring TAP Aggregation and MPLS Stripping

Configuring IPv6 ACLs

Connecting to the Management Network and Securing Access

Configuring Static and Dynamic NAT Translation

Configuring Local SPAN and ERSPAN

Configuring Port Channels

Configuring IP ACLs. Finding Feature Information

Configuring Layer 2 Switching

Configuring TAP Aggregation and MPLS Stripping

Configuring Logging for Access Lists

Configuring the Catena Solution

ACL and ABF Commands

Configuring EtherChannels

B Commands. bandwidth (interface) Send document comments to

Overview of the Cisco OpenFlow Agent

Configuring Tap Aggregation and MPLS Stripping

Configuring NTP. Information About NTP. This chapter contains the following sections:

Configuring DHCP Snooping

Configuring Rate Limits

Nested Class Map Support for Zone-Based Policy Firewall

VSB Backup and Recovery

Configuring Layer 3 Virtualization

This chapter describes how to configure the Network Time Protocol (NTP) on Cisco NX-OS devices. This chapter includes the following sections:

Configuring Logging for Access Lists

Configuring EEE. Finding Feature Information. This chapter describes how to configure Energy Efficient Ethernet (EEE) on Cisco NX-OS devices.

Configuring Network QoS

Configuring sflow. About sflow. sflow Agent

Antonio Cianfrani. Access Control List (ACL) Part I

Configuring System Message Logging

Configuring Dynamic ARP Inspection

Configuring EtherChannels

Configuring Dynamic ARP Inspection

Configuring QoS on VLANs

Configuring Port Channels

Configuring NTP. Information About NTP. This chapter contains the following sections:

Configuring Firewall Filters (J-Web Procedure)

Configuring User Accounts and RBAC

Configuring IP Tunnels

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

VLAN Access Control Lists

Configuring NTP. Information About NTP. Information About the NTP Server. This chapter contains the following sections:

IP Access List Entry Sequence Numbering

VLAN Access Control Lists

QoS Packet-Matching Statistics Configuration

Configuring NTP. Information About NTP. Information About the NTP Server. This chapter contains the following sections:

Configuring Control Plane Policing

Configuring NetFlow. Information About NetFlow. What is a Flow. This chapter contains the following sections:

Class-based Quality-of-Service MIB

Committed Access Rate

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Configuration Examples for DHCP, on page 37 Configuration Examples for DHCP Client, on page 38 Additional References for DHCP, on page 38

Configuring Private VLANs Using NX-OS

Configuring IPv4. Finding Feature Information. This chapter contains the following sections:

Configuring User Accounts and RBAC

Configuring DHCP. About DHCP Snooping, page 2 About the DHCPv6 Relay Agent, page 8

Lab 6: Access Lists. Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 0/ R1

InterAS Option B. Information About InterAS. InterAS and ASBR

Layer 2 Access Control Lists on EVCs

Configuring SPAN and RSPAN

Configuring Layer 3 Interfaces

Configuring Port Channels

CCNA Course Access Control Lists

Cisco 1000 Series Connected Grid Routers QoS Software Configuration Guide

Implementing Access Lists and Prefix Lists on Cisco ASR 9000 Series Routers

Access Control List Enhancements on the Cisco Series Router

Access Control List Overview

Port ACLs (PACLs) Prerequisites for PACls CHAPTER

Firewall Stateful Inspection of ICMP

Understanding Access Control Lists (ACLs) Semester 2 v3.1

Configuring Rate Limits

Information about Network Security with ACLs

Configuring ECMP for Host Routes

Transcription:

10 CHAPTER This chapter describes how to configure MAC access lists (ACLs) on NX-OS devices. This chapter includes the following sections: Information About MAC ACLs, page 10-1 Prerequisites for MAC ACLs, page 10-1 Prerequisites for MAC ACLs, page 10-1\ Configuring MAC ACLs, page 10-1 Verifying MAC ACL Configurations, page 10-7 Displaying and Clearing MAC ACL Statistics, page 10-8 Example Configuration for MAC ACLs, page 10-8 Default Settings, page 10-9 Additional References, page 10-9 Feature History for MAC ACL, page 10-9 Information About MAC ACLs MAC ACLs are ACLs that filter traffic using information in the Layer 2 header of each packet. Prerequisites for MAC ACLs MAC ACLs have the following prerequisites: You are familiar with MAC addressing and non-ip protocols to configure MAC ACLs. You are familiar with the concepts in the Information About ACLs section on page 9-1. Configuring MAC ACLs This section includes the following topics: Creating a MAC ACL, page 10-2 Changing a MAC ACL, page 10-3 10-1

Configuring MAC ACLs Chapter 10 Removing a MAC ACL, page 10-4 Changing Sequence Numbers in a MAC ACL, page 10-5 Applying a MAC ACL as a Port ACL, page 10-6 Creating a MAC ACL Use this procedure to create a MAC ACL and add rules to it. BEFORE YOU BEGIN Before beginning this procedure, you must know or do the following: You are logged in to the CLI in EXEC mode. SUMMARY STEPS 1. config t 2. mac access-list name 3. {permit deny} source destination protocol 4. statistics per-entry 5. show mac access-lists name 6. copy running-config startup-config DETAILED STEPS Step 1 Step 2 config t n1000v# config t mac access-list name mac access-list acl-mac-01 n1000v(config-mac-acl)# Places you into CLI Global Configuration mode. Creates the MAC ACL and enters ACL configuration mode. 10-2

Chapter 10 Configuring MAC ACLs Step 3 Step 4 Step 5 Step 6 {permit deny} source destination protocol n1000v(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any statistics per-entry n1000v(config-mac-acl)# statistics per-entry show mac access-lists name n1000v(config-mac-acl)# show mac access-lists acl-mac-01 copy running-config startup-config n1000v(config-mac-acl)# copy running-config startup-config Creates a rule in the MAC ACL. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 1000V Reference, Release 4.0(4)SV1(2). (Optional) Specifies that the device maintains global statistics for packets that match the rules in the ACL. (Optional) Displays the MAC ACL configuration. (Optional) Copies the running configuration to the startup configuration. Changing a MAC ACL BEFORE YOU BEGIN SUMMARY STEPS Use this procedure to change an existing MAC ACL such as adding and removing rules. Before beginning this procedure, you must know or do the following: You are logged in to the CLI in EXEC mode. In an existing MAC ACL, you cannot change existing rules. In an existing MAC ACL, you can add and remove rules. Use the resequence command to reassign sequence numbers, such as when adding rules between existing sequence numbers. 1. config t 2. mac access-list name 3. [sequence-number] {permit deny} source destination protocol 4. no {sequence-number {permit deny} source destination protocol} 5. [no] statistics per-entry 6. show mac access-lists name 7. copy running-config startup-config 10-3

Configuring MAC ACLs Chapter 10 DETAILED STEPS Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 config t n1000v# config t mac access-list name mac access-list acl-mac-01 n1000v(config-mac-acl)# [sequence-number] {permit deny} source destination protocol n1000v(config-mac-acl)# 100 permit mac 00c0.4f00.00 0000.00ff.ffff any no {sequence-number {permit deny} source destination protocol} n1000v(config-mac-acl)# no 80 [no] statistics per-entry n1000v(config-mac-acl)# statistics per-entry show mac access-lists name n1000v(config-mac-acl)# show mac access-lists acl-mac-01 copy running-config startup-config n1000v(config-mac-acl)# copy running-config startup-config Places you into CLI Global Configuration mode. Places you in ACL configuration mode for the ACL that you specify by name. (Optional) Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 1000V Reference, Release 4.0(4)SV1(2). (Optional) Removes the rule that you specify from the MAC ACL. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 1000V Reference, Release 4.0(4)SV1(2). (Optional) Specifies that the device maintains global statistics for packets that match the rules in the ACL. The no option stops the device from maintaining global statistics for the ACL. (Optional) Displays the MAC ACL configuration. (Optional) Copies the running configuration to the startup configuration. Removing a MAC ACL Use this procedure to remove a MAC ACL. 10-4

Chapter 10 Configuring MAC ACLs BEFORE YOU BEGIN SUMMARY STEPS DETAILED STEPS Before beginning this procedure, you must know or do the following: You are logged in to the CLI in EXEC mode. Make sure that you know whether the ACL is applied to an interface. You can remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, removed ACLs are considered empty. To find the interfaces that a MAC ACL is configured on, use the show mac access-lists command with the summary keyword. 1. config t 2. no mac access-list name 3. show mac access-lists name summary 4. copy running-config startup-config Step 1 Step 2 Step 3 Step 4 config t n1000v# config t no mac access-list name no mac access-list acl-mac-01 show mac access-lists name summary show mac access-lists acl-mac-01 summary copy running-config startup-config copy running-config startup-config Places you into CLI Global Configuration mode. Removes the specified MAC ACL from the running configuration. (Optional) Displays the MAC ACL configuration. If the ACL remains applied to an interface, the command lists the interfaces. (Optional) Copies the running configuration to the startup configuration. Changing Sequence Numbers in a MAC ACL Use this procedure to change sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers. For more information, see the Changing Sequence Numbers in a MAC ACL section on page 10-5. 10-5

Configuring MAC ACLs Chapter 10 BEFORE YOU BEGIN Before beginning this procedure, you must know or do the following: You are logged in to the CLI in EXEC mode. SUMMARY STEPS 1. config t 2. resequence mac access-list name starting-sequence-number increment 3. show mac access-lists name 4. copy running-config startup-config DETAILED STEPS Step 1 Step 2 Step 3 Step 4 config t n1000v# config t resequence mac access-list name starting-sequence-number increment resequence mac access-list acl-mac-01 100 10 show mac access-lists name show mac access-lists acl-mac-01 copy running-config startup-config copy running-config startup-config Places you into CLI Global Configuration mode. Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the number specified by the starting-sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment number that you specify. (Optional) Displays the MAC ACL configuration. (Optional) Copies the running configuration to the startup configuration. Applying a MAC ACL as a Port ACL BEFORE YOU BEGIN Use this procedure to apply a MAC ACL as a port ACL. Before beginning this procedure, you must know or do the following: You are logged in to the CLI in EXEC mode. Make sure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application. For more information about configuring MAC ACLs, see the Configuring MAC ACLs section on page 10-1. 10-6

Chapter 10 Verifying MAC ACL Configurations SUMMARY STEPS DETAILED STEPS A MAC ACL can also be applied to a port using a port profile. For more information, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(2). 1. config t 2. interface vethernet port 3. mac port access-group access-list [in out] 4. show running-config aclmgr 5. copy running-config startup-config Step 1 Step 2 Step 3 Step 4 Step 5 config t n1000v# config t interface vethernet port interface vethernet 35 n1000v(config-if)# mac port access-group access-list [in out] n1000v(config-if)# mac port access-group acl-01 in show running-config aclmgr n1000v(config-if)# show running-config aclmgr copy running-config startup-config n1000v(config-if)# copy running-config startup-config Places you into CLI Global Configuration mode. Places you into Interface Configuration mode for the specified interface. Applies a MAC ACL to the interface. (Optional) Displays ACL configuration. (Optional) Copies the running configuration to the startup configuration. Verifying MAC ACL Configurations To display MAC ACL configuration information, use one of the following commands: show mac access-lists Displays the MAC ACL configuration 10-7

Displaying and Clearing MAC ACL Statistics Chapter 10 show running-config aclmgr show running-config interface Displays the ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to. Displays the configuration of the interface to which you applied the ACL For detailed information about the fields in the output from these commands, see the Cisco NX-OS Security Reference. Displaying and Clearing MAC ACL Statistics Use the following commands to display or clear statistics about a MAC ACL, including the number of packets that have matched each rule. show mac access-lists clear mac access-list counters Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule. Clears statistics for all MAC ACLs or for a specific MAC ACL. For detailed information about these commands, see the Cisco Nexus 1000V Reference, Release 4.0(4)SV1(2). Example Configuration for MAC ACLs The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example: mac access-list acl-mac-01 permit 00c0.4f00.0000 0000.00ff.ffff any interface vethernet 35 mac port access-group acl-mac-01 in 10-8

Chapter 10 Default Settings Default Settings Table 10-1 lists the default settings for MAC ACL parameters. Table 10-1 Default MAC ACLs Parameters Parameters MAC ACLs ACL rules Default No MAC ACLs exist by default Implicit rules apply to all ACLs (see the Implicit Rules section on page 9-3) Additional References For additional information related to implementing MAC ACLs, see the following sections: Related Documents, page 10-9 Standards, page 10-9 Related Documents Related Topic Document Title Concepts about ACLs Information About ACLs, page 9-1 Standards Standards No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. Title Feature History for MAC ACL This section provides the MAC ACL release history. Feature Name Releases Feature Information MAC ACL 4.0 This feature was introduced. 10-9

Feature History for MAC ACL Chapter 10 10-10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback