Configuring MAC ACLs



Similar documents
Configuring DHCP Snooping

Configuring ECMP for Host Routes

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Configuring Password Encryption

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Configuring Password Encryption

Configuring Static and Dynamic NAT Translation

Send document comments to

Configuring NTP. Information About NTP. NTP Overview. Send document comments to CHAPTER

Configuring EtherChannels

Traffic Mirroring Commands on the Cisco ASR 9000 Series Router

Configuring Port Security

Configuring the Scheduler

Traffic Mirroring Commands on the Cisco IOS XR Software

Configuring Network Security with ACLs

Configuring NetFlow-lite

Configuring System Message Logging

Virtual PortChannel Quick Configuration Guide

Configuring Port Security

Configuring NetFlow Secure Event Logging (NSEL)

Troubleshooting IP Access Lists

Chapter 4 Rate Limiting

Configuring NetFlow Secure Event Logging (NSEL)

Geschreven door Administrator woensdag 13 februari :37 - Laatst aangepast woensdag 13 februari :05

Flow-Based per Port-Channel Load Balancing

Configuring Network Load Balancing for vethernet

Configuring DHCP Snooping and IP Source Guard

ANZA Formación en Tecnologías Avanzadas

Configuring LLDP, LLDP-MED, and Location Service

- EtherChannel - Port Aggregation

What is VLAN Routing?

Configuring Network QoS

Configuring iscsi Multipath

Configuring MPLS Hub-and-Spoke Layer 3 VPNs

Configuring QoS and Per Port Per VLAN QoS

CCNA Access List Sim

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Configuring Local SPAN and ERSPAN

Security and Access Control Lists (ACLs)

Cisco Configuring Commonly Used IP ACLs

Monitoring Network Traffic Using SPAN

Enabling Remote Access to the ACE

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

SUBNETTING SCENARIO S

Enabling NetFlow and NetFlow Data Export (NDE) on Cisco Catalyst Switches

Configuring Role-Based Access Control

Configuring Network Load Balancing for vethernet

Chapter 3 Using Access Control Lists (ACLs)

Configuring SSH and Telnet

AutoQoS. Prerequisites for AutoQoS CHAPTER

How Are PowerConnect ACLs Different From Cisco ACLs?

Introduction to Routing and Packet Forwarding. Routing Protocols and Concepts Chapter 1

Interconnecting Cisco Network Devices 1 Course, Class Outline

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Flow Monitor Configuration. Content CHAPTER 1 MIRROR CONFIGURATION CHAPTER 2 RSPAN CONFIGURATION CHAPTER 3 SFLOW CONFIGURATION...

Configuring Network Address Translation

Adding an Extended Access List

Configuring Auto-MDIX

Configuring Class Maps and Policy Maps

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example

Configuring Auto-QoS

- Multicast - Types of packets

Lab Introduction to the Modular QoS Command-Line Interface

ICND IOS CLI Study Guide (CCENT)

Configuring RADIUS Server Support for Switch Services

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Configuring Server Load Balancing

NetFlow Policy Routing

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Configuring the Transparent or Routed Firewall

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

Configuring Traffic Storm Control

Cisco Data Centre: Introducing Cisco Data Center Networking

Flow Monitor Configuration. Content CHAPTER 1 MIRROR CONFIGURATION CHAPTER 2 SFLOW CONFIGURATION CHAPTER 3 RSPAN CONFIGURATION...

Configuring PROFINET

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper

Chapter 2 Lab 2-2, Configuring EtherChannel Instructor Version

Configuring System Message Logging

How To Configure Link Aggregation On Supermicro Switch 2 And 3 (Lan) On A Microsoft Vlan 2 And Vlan 3 (Vlan) (Lan 2) (Vlans) (Lummer) (Powerline) (

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

CCT vs. CCENT Skill Set Comparison

Cisco Nexus 7000 Series NX-OS Layer 2 Switching Command Reference, Release 4.2

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.3

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Troubleshooting the Firewall Services Module

AlliedWare Plus OS How To. Configure QoS to prioritize SSH, Multicast, and VoIP Traffic. Introduction

Configuring Quality of Service

Setting Policies Using RF Director

Lab Load Balancing Across Multiple Paths

School of Information Technology and Engineering (SITE) CEG 4395: Computer Network Management. Lab 4: Remote Monitoring (RMON) Operations

Configuring a Load-Balancing Scheme

Chapter 25 DHCP Snooping

Configuring QoS. Understanding QoS CHAPTER

Sample Configuration Using the ip nat outside source static

SolarWinds Technical Reference

- The PIX OS Command-Line Interface -

Configuring EtherChannels

Network Protocol Configuration

Chapter 2 Reading Organizer

Transcription:

Send document comments to nexus7k-docfeedback@cisco.com 12 CHAPTER This chapter describes how to configure MAC access lists (ACLs) on NX-OS devices. This chapter includes the following sections: Information About MAC ACLs, page 12-1 Licensing Requirements for MAC ACLs, page 12-1 Prerequisites for MAC ACLs, page 12-2 Guidelines and Limitations, page 12-2, page 12-2 Verifying MAC ACL Configurations, page 12-8 Displaying and Clearing MAC ACL Statistics, page 12-8 Example Configuration for MAC ACLs, page 12-9 Default Settings, page 12-9 Additional References, page 12-9 Feature History for MAC ACLs, page 12-10 Information About MAC ACLs MAC ACLs are ACLs that filter traffic using information in the Layer 2 header of each packet. MAC ACLs share many fundamental concepts with IP ACLs, including support for virtualization. For information about these shared concepts, see the Information About ACLs section on page 11-1. Licensing Requirements for MAC ACLs The following table shows the licensing requirements for this feature: Product NX-OS License Requirement MAC ACLs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.1 12-1

Prerequisites for MAC ACLs Chapter 12 Prerequisites for MAC ACLs You must be familiar with MAC addressing and non-ip protocols to configure MAC ACLs. You must be familiar with the concepts in the Information About ACLs section on page 11-1. Guidelines and Limitations MAC ACLs have the following configuration guidelines and limitations: MAC ACLs apply to ingress traffic only. ACL statistics are not supported if the DHCP snooping feature is enabled., page 12-3 Changing Sequence Numbers in a MAC ACL, page 12-5 Removing a MAC ACL, page 12-6 Applying a MAC ACL as a Port ACL, page 12-6 Applying a MAC ACL as a VACL, page 12-8 Creating a MAC ACL BEFORE YOU BEGIN SUMMARY STEPS You can create a MAC ACL and add rules to it. switchto vdc command). Because ACL names can be repeated in different VDCs, we recommend that you confirm which VDC you are working in. 1. configure terminal 2. mac access-list name 3. {permit deny} destination protocol 4. statistics per-entry 5. show mac access-lists 6. copy running-config startup-config

Chapter 12 DETAILED STEPS Step 1 configure terminal switch# configure terminal switch(config)# mac access-list name switch(config)# mac access-list acl-mac-01 switch(config-mac-acl)# {permit deny} source destination protocol switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any statistics per-entry switch(config-mac-acl)# statistics per-entry show mac access-lists name switch(config-mac-acl)# show mac access-lists acl-mac-01 copy running-config startup-config switch(config-mac-acl)# copy running-config startup-config Cisco Nexus 7000 Series NX-OS Security Reference, Release 4.1 Changing a MAC ACL BEFORE YOU BEGIN SUMMARY STEPS In an existing MAC ACL, you can add and remove rules. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes. If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers. For more information, see the Changing Sequence Numbers in a MAC ACL section on page 12-5. Ensure that you are in the correct VDC (or use the switchto vdc command). Because ACL names can be repeated in different VDCs, we recommend that you confirm which VDC you are working in. 1. configure terminal 2. mac access-list 12-3

7. [sequence-number] { {sequence-number { [ ] name } source destination protocol } source destination protocol} DETAILED STEPS Step 1 Enters global configuration mode. Step 2 name Enters ACL configuration mode for the ACL that you specify by name. Step 3 [sequence-number] { } source destination protocol switch(config-mac-acl)# 100 permit mac 00c0.4f00.00 0000.00ff.ffff any Step 4 {sequence-number { } source destination protocol} Step 5 [ ] switch(config-mac-acl)# no 80 switch(config-mac-acl)# statistics per-entry Step 6 name (Optional) Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The and commands support many ways of identifying traffic. For more information, see the. (Optional) Removes the rule that you specify from the MAC ACL. The and commands support many ways of identifying traffic. For more information, see the. (Optional) Specifies that the device maintains global statistics for packets that match the rules in the ACL. The option stops the device from maintaining global statistics for the ACL. (Optional) Displays the MAC ACL configuration. Step 7 switch(config-mac-acl)# show mac access-lists acl-mac-01 switch(config-mac-acl)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. 12-4

Changing Sequence Numbers in a MAC ACL BEFORE YOU BEGIN SUMMARY STEPS DETAILED STEPS You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers. For more information, see the About Rules section on page 11-5. Ensure that you are in the correct VDC (or use the command). Because ACL names can be repeated in different VDCs, we recommend that you confirm which VDC you are working in. 1. 2. 3. 4. Step 1 Enters global configuration mode. Step 2 resequence mac access-list name starting-sequence-number increment switch(config)# resequence mac access-list acl-mac-01 100 10 show mac access-lists name switch(config)# show mac access-lists acl-mac-01 copy running-config startup-config switch(config)# copy running-config startup-config 12-5

Removing a MAC ACL BEFORE YOU BEGIN SUMMARY STEPS 1. 2. 3. 4. DETAILED STEPS Step 1 Step 2 configure terminal switch# configure terminal switch(config)# no mac access-list switch(config)# no mac access-list acl-mac-01 switch(config)# Step 3 show mac access-lists summary Step 4 switch(config)# show mac access-lists acl-mac-01 summary copy running-config startup-config switch(config)# copy running-config startup-config Applying a MAC ACL as a Port ACL 12-6

Chapter 12 BEFORE YOU BEGIN SUMMARY STEPS 1. 2. / channel-number 3. access-list 4. 5. DETAILED STEPS Step 1 configure terminal Enters global configuration mode. Step 2 interface ethernet / switch(config)# interface ethernet 2/1 switch(config-if)# interface port-channel channel-number switch(config)# interface port-channel 5 switch(config-if)# mac port access-group switch(config-if)# mac port access-group acl-01 show running-config aclmgr switch(config-if)# show running-config aclmgr copy running-config startup-config switch(config-if)# copy running-config startup-config Enters interface configuration mode for a Layer 2 or Layer 3 interface. Enters interface configuration mode for a port-channel interface. Applies a MAC ACL to the interface. (Optional) Displays ACL configuration. (Optional) Copies the running configuration to the startup configuration. 12-7

Verifying MAC ACL Configurations Applying a MAC ACL as a VACL You can apply a MAC ACL as a VACL. For information about how to create a VACL using a MAC ACL, see the Creating a VACL or Adding a VACL Entry section on page 13-4. Verifying MAC ACL Configurations To display MAC ACL configuration information, use one of the following commands: Displays the MAC ACL configuration Displays the ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to. Displays the configuration of the interface to which you applied the ACL For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Reference, Release 4.1. Displaying and Clearing MAC ACL Statistics Use the command to display statistics about a MAC ACL, including the number of packets that have matched each rule. To display or clear MAC ACL statistics, use one of the following commands: Displays the MAC ACL configuration. If the MAC ACL includes the command, the command output includes the number of packets that have matched each rule. Clears statistics for all MAC ACLs or for a specific MAC ACL. For detailed information about these commands, see the Cisco Nexus 7000 Series NX-OS Security Reference, Release 4.1. 12-8

Chapter 12 Example Configuration for MAC ACLs Example Configuration for MAC ACLs The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example: Default Settings Table 12-1 lists the default settings for MAC ACL parameters. Table 12-1 Default MAC ACLs Parameters Parameters MAC ACLs ACL rules Default No MAC ACLs exist by default Implicit rules apply to all ACLs (see the Implicit Rules section on page 11-6) Additional References For additional information related to implementing MAC ACLs, see the following sections: Related Documents, page 12-9 Standards, page 12-9 Related Documents Related Topic Document Title Concepts about ACLs Information About ACLs, page 11-1 MAC ACL commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples Cisco Nexus 7000 Series NX-OS Security Reference, Release 4.1 Standards Standards No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. Title 12-9

Feature History for MAC ACLs Chapter 12 Feature History for MAC ACLs Table 12-2 lists the release history for this feature. Table 12-2 Feature History for MAC ACLs Feature Name Releases Feature Information MAC ACLs 4.1(2) No change from Release 4.0. 12-10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information