This is a new command that needs to be created to allow for the configuration of MAC-based access control lists.
Syntax
mac-access-list standard <NAME-STR | 200-299>
Configure a standard MAC Access Control List.
  NAME-STR: The standard MAC ACL name.
  200-299: The standard MAC ACL number.
Syntax
mac-access-list extended <NAME-STR | 300-399>
Configure an extended MAC Access Control List.
  NAME-STR: The extended MAC ACL name.
  300-399: The extended MAC ACL number.
Extended MAC ACL Configuration
mac-access-list extended 300
Configure the extended MAC ACL to filter the packets based on the source MAC address, destination MAC address, EtherType, CoS priority, or VLAN number. The extended MAC ACL number ranges from 300 to 399.
(config)# mac-access-list extended 300
(config-ext-macl)#
Syntax
mac-access-list resequence ACL-NAME-STR <1-2147483647> <1-2147483646>
Renumber the sequence number of the rules in the MAC ACL specified.
  ACL-NAME-STR: The name or number of the MAC ACL to renumber.
  <1-2147483647>: The sequence number assigned to the first rule of the specified MAC ACL (start-seq-num).
  <1-2147483646>: The increment value that renumbers the subsequent rules in the specified MAC ACL.
Resequencing MAC ACL
mac-access-list resequence 200 1 10
Description: Renumber the sequence number of the rules in the MAC ACL specified. The first rule receives the sequence number specified in the start-seq-num and the subsequent rule numbers increment per the increment value.
(config)# mac-access-list resequence 300 1 10
This command is used to configure MAC ACL with a simplified configuration. A simplified configuration provides a way to easily configure MAC ACLs that only require matching on a source MAC address.
Syntax
[no] [SEQ-NUM] permit|deny <any | host SRC-MAC | SRC-MAC SRC-MAC-MASK> [log]
  permit: Permit packets matching the specified Ethernet header information.
  deny: Deny packets matching the specified Ethernet header information.
  any: Match the packets with any source MAC address.
  host: Match the packets with the specified source MAC address.
  SRC-MAC: Match the packets belonging to the specified source MAC address range.
  SRC-MAC-MASK: The MAC address group mask.
  log: Log a debug message when the MAC ACL rule is hit.
Configure standard MAC ACL
(config)# mac-access-list standard 200
(config-std-macl)# permit AABB.CCDD.EEFF 0000.0000.FFFF
(config-std-macl)# deny host AABB.CCDD.EEFF log
Syntax
[no] [SEQ-NUM] permit|deny <any | host SRC-MAC | SRC-MAC SRC-MAC-MASK> <any | host DST-MAC | DST-MAC DST-MAC-MASK> [any | ETHERTYPE] [cos COS] [vlan VLAN-ID] [log]
Used to configure an extended MAC ACL. The extended capabilities allow for matching on source MAC address, destination MAC address, EtherType, CoS, and VLAN. The VLAN value is only applicable when the MAC ACL is applied to a port or trunk interface.
  permit: Permit packets matching the specified Ethernet header information.
  deny: Deny packets matching the specified Ethernet header information.
  any: Match packets with any source/destination MAC address.
  host: Match packets with the specified source/destination MAC address.
  SRC-MAC | DST-MAC: Match packets belonging to the specified source/destination MAC address range.
  SRC-MAC-MASK: The source MAC address group mask.
  DST-MAC-MASK: The destination MAC address group mask.
  ETHERTYPE: Match a specific EtherType protocol, given as a value or as one of the following keywords:
    <0x600-0xFFFF>: Match a specific EtherType protocol value.
    aarp: AppleTalk Address Resolution Protocol (AARP)
    appletalk: AppleTalk/EtherTalk
    arp: Address Resolution Protocol (ARP)
    fcoe: Fibre Channel over Ethernet
    fcoe-init: Fibre Channel over Ethernet Initialization
    lldp: Link Layer Discovery Protocol
    ip: Internet Protocol Version 4
    ipv6: Internet Protocol Version 6
    ipx-arpa: IPX Advanced Research Projects Agency (ARPA)
    ipx-non-arpa: IPX non-ARPA
    is-is: Intermediate System to Intermediate System
    mpls-unicast: MPLS Unicast
    mpls-multicast: MPLS Multicast
    q-in-q: IEEE 802.1ad encapsulation
    rbridge: RBridge Channel Protocol
    trill: IETF TRILL protocol
    wake-on-lan: Wake on LAN
  log: Log a debug message when the MAC ACL rule is hit.
  cos <0-7>: Match packets with the specified 802.1Q Priority Code Point value.
  vlan VLAN-ID: Match packets with the specified VLAN value.
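The following is an added example, not code from HP or from this document: a small Python evaluator for the standard and extended MAC ACL rule syntax described above. It parses rules in the documented form, applies first-match semantics in sequence-number order, counts hits per rule (the figure "show statistics mac" would report), and flags rules that can never be reached because an earlier rule already matches everything they would. Two assumptions are not stated on the page and are labelled in the code: the group mask is treated as a wildcard mask (a 1 bit means "ignore this bit"), and a list that matches nothing is treated as an implicit deny. EtherType values are compared as typed (keyword to keyword, hex to hex) rather than resolved through a registry.

```python
# Added example, not HP's code: evaluator for the MAC ACL rule syntax above,
# plus a check for rules that an earlier rule shadows. Assumption: the group
# mask is a wildcard mask (a 1 bit means "ignore this address bit").
from dataclasses import dataclass, field
from typing import List, Optional

ALL_ONES = (1 << 48) - 1

def parse_mac(text: str) -> int:
    """'AABB.CCDD.EEFF' or 'aa:bb:cc:dd:ee:ff' -> 48-bit integer."""
    digits = text.replace(".", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)

@dataclass
class MacMatch:
    """One 'any | host MAC | MAC MASK' clause."""
    addr: int = 0
    wildcard: int = ALL_ONES        # default 'any': every bit ignored

    @classmethod
    def take(cls, tokens):          # consume one clause from the token list
        if tokens[0] == "any":
            return cls(), tokens[1:]
        if tokens[0] == "host":
            return cls(parse_mac(tokens[1]), 0), tokens[2:]
        return cls(parse_mac(tokens[0]), parse_mac(tokens[1])), tokens[2:]

    def care(self) -> int: return ALL_ONES & ~self.wildcard  # compared bits

    def matches(self, mac: int) -> bool:
        return (mac & self.care()) == (self.addr & self.care())

    def covers(self, other) -> bool:  # every address `other` matches, self matches
        return ((self.care() & ~other.care()) == 0 and
                (self.addr & self.care()) == (other.addr & self.care()))

@dataclass
class Rule:
    seq: int
    action: str
    src: MacMatch
    dst: MacMatch = field(default_factory=MacMatch)
    ethertype: Optional[str] = None     # None means any; compared as typed
    cos: Optional[int] = None
    vlan: Optional[int] = None
    log: bool = False
    hits: int = 0                       # what 'show statistics mac' reports

    def extras(self): return (self.ethertype, self.cos, self.vlan)

    def covers(self, other) -> bool:    # self matches a superset of `other`
        return (self.src.covers(other.src) and self.dst.covers(other.dst) and
                all(a is None or a == b for a, b in zip(self.extras(), other.extras())))

def parse_rule(text: str, extended: bool = False) -> Rule:
    """Parse 'SEQ permit|deny SRC [DST [ETHERTYPE|any]] [cos N] [vlan N] [log]'."""
    tokens = text.split()
    rule = Rule(int(tokens.pop(0)), tokens.pop(0), MacMatch())
    if rule.action not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny, got {rule.action!r}")
    rule.src, tokens = MacMatch.take(tokens)
    if extended:
        rule.dst, tokens = MacMatch.take(tokens)
        if tokens and tokens[0] not in ("cos", "vlan", "log"):
            et = tokens.pop(0).lower()
            rule.ethertype = None if et == "any" else et
    while tokens:
        kw = tokens.pop(0)
        if kw == "log":
            rule.log = True
        elif kw in ("cos", "vlan"):
            setattr(rule, kw, int(tokens.pop(0)))
        else:
            raise ValueError(f"unexpected token {kw!r}")
    return rule

def evaluate(acl: List[Rule], src: str, dst: str = "0000.0000.0000",
             ethertype: Optional[str] = None, cos: Optional[int] = None,
             vlan: Optional[int] = None) -> str:
    """First rule in sequence order wins; an implicit deny ends the list
    (usual ACL behaviour, assumed here rather than stated on the page)."""
    src_mac, dst_mac = parse_mac(src), parse_mac(dst)
    frame = (None if ethertype is None else ethertype.lower(), cos, vlan)
    for rule in sorted(acl, key=lambda r: r.seq):
        if not (rule.src.matches(src_mac) and rule.dst.matches(dst_mac)):
            continue
        if any(w is not None and w != g for w, g in zip(rule.extras(), frame)):
            continue
        rule.hits += 1
        if rule.log:                    # the 'log' keyword's debug message
            print(f"MAC ACL rule {rule.seq} hit: {rule.action} src={src}")
        return rule.action
    return "deny"

def unreachable_rules(acl: List[Rule]) -> List[int]:
    """Sequence numbers of rules that an earlier rule fully shadows."""
    ordered = sorted(acl, key=lambda r: r.seq)
    return [r.seq for i, r in enumerate(ordered) if any(e.covers(r) for e in ordered[:i])]
```

Usage: `parse_rule("10 deny host AABB.CCDD.EEFF log")` builds a standard-list rule, `parse_rule("10 permit host 1111.2222.3333 any arp cos 5", extended=True)` an extended one, and `evaluate(acl, "AABB.CCDD.EEFF")` returns "permit" or "deny" for a frame. The `unreachable_rules` check is the one worth running before applying a list: a `deny host` placed after a `permit` whose mask already covers that host never records a hit, whichever way the switch interprets the mask, and the only sign of the mistake is a counter that stays at zero.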
The remark command allows for the insertion of a string at the specified sequence number. The remark will consume the sequence number where it is specified and will remain in proper order if the list is resequenced. The remark ability provides a way of tracking notes inside the given ACL but they do not affect the behavior of the ACL.
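As an added example (not HP's code and not from this document), the following Python shows what the "mac-access-list resequence" command described earlier does to a list's entries, and why it is needed: when rules are numbered without gaps, nothing can be inserted between them until the list is renumbered. Remark entries are carried along because each one owns a sequence number of its own, which is why they keep their place, as the paragraph above describes. The sample ACL is constructed for the example; the range limits come from the syntax on the page.

```python
# Added example, not HP's code: effect of 'mac-access-list resequence START
# INCREMENT' on a list of (sequence number, entry text) pairs, remarks included.
from typing import List, Optional, Tuple

MAX_SEQ = 2147483647                  # largest start value on the page

Entry = Tuple[int, str]               # (sequence number, rule or remark text)

def resequence(entries: List[Entry], start: int, increment: int) -> List[Entry]:
    """Renumber entries from `start` in steps of `increment`, keeping order."""
    if not 1 <= start <= MAX_SEQ or not 1 <= increment <= MAX_SEQ - 1:
        raise ValueError("start or increment outside the documented range")
    ordered = sorted(entries, key=lambda e: e[0])
    if ordered and start + increment * (len(ordered) - 1) > MAX_SEQ:
        raise ValueError("renumbering would exceed the sequence number range")
    return [(start + i * increment, text) for i, (_, text) in enumerate(ordered)]

def free_slot_after(entries: List[Entry], seq: int) -> Optional[int]:
    """Sequence number available directly after `seq`, or None when the list
    is packed at that point (the situation resequencing resolves)."""
    later = sorted(n for n, _ in entries if n > seq)
    next_used = later[0] if later else MAX_SEQ + 1
    return seq + 1 if seq + 1 < next_used else None

# Constructed sample ACL: numbered 1..4 with no gaps, so nothing can be
# inserted between the two permits without renumbering first.
SAMPLE_ACL: List[Entry] = [
    (1, "remark workstations allowed to reach the print server"),
    (2, "permit host AABB.CCDD.0001"),
    (3, "permit host AABB.CCDD.0002"),
    (4, "deny any log"),
]

if __name__ == "__main__":
    print(free_slot_after(SAMPLE_ACL, 2))            # None: packed
    for seq, text in resequence(SAMPLE_ACL, 1, 10):  # like 'resequence 300 1 10'
        print(f"{seq:>4}  {text}")
```

With start 1 and increment 10, the four entries become 1, 11, 21 and 31, and the remark stays first; a rule can then be added at 12 between the remark's neighbours without disturbing the deny at the end.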
Syntax
This command is used to apply a MAC ACL to an interface.
Syntax
This command is used to apply a MAC ACL to a VLAN.
Syntax
show access-list [ACL-NAME-STR | config | ports | radius | resources | tunnel TUNNEL-ID | vlan VLAN-ID]
Show access control list information. If no parameters are specified, a table of ACL information is displayed.
  ACL-NAME-STR: Display detailed information about the specified ACL.
  config: Show all configured ACLs on the switch using the CLI syntax used to create them.
  ports: Show ACLs applied to the specified ports.
  radius: Display ACLs applied via RADIUS.
  resources: Display ACL resource usage and availability.
  tunnel TUNNEL-ID: Show ACLs applied to the specified tunnel.
  vlan VLAN-ID: Show ACLs applied to the specified VLAN.
This command is used to display the details about a specific ACL.
Syntax
Show access-list 300
HP-E5406zl(config)# show access-list 300

Access Control Lists

  Name: 300
  Type: MAC Extended
  Applied: No

  SEQ: Entry
  ---------------------------------------------
  10   Action : permit
       Src MAC: 1111.2222.3333  Mask: ffff.ffff.0000
       Dst MAC: 4444.5555.6666  Mask: ffff.ffff.0000
       Ethertype: aarp
       CoS: 7
       VLAN ID: 1

Show access-list 200
HP-E5406zl(config)# show access-list 200

Access Control Lists

  Name: 200
  Type: MAC Standard
  Applied: No

  SEQ: Entry
  ------------------------------------------------------
  10   Action: permit
       Src MAC: 1111.2222.3333  Mask: ffff.ffff.0000
       Ethertype : any

Show access-list 100
HP-E5406zl(config)# show access-list 100

  Name: 100
  Type: IPv4 Extended
  Applied: No

  SEQ: Entry
  ---------------------------------------------------
  10   Action: deny
       Src IP: 0.0.0.0  Mask: 255.255.255.255  Port(s):
       Dst IP: 0.0.0.0  Mask: 255.255.255.255  Port(s):
       Proto : TCP
       TOS :   Precedence:
  20   Action: deny
       Src IP: 0.0.0.0  Mask: 255.255.255.255  Port(s):
       Dst IP: 0.0.0.0  Mask: 255.255.255.255  Port(s):
       Proto : UDP
       TOS :   Precedence: -
Syntax
show access-list resource
Used to display current resource usage and availability in the policy enforcement engine.
Show access-list resource
(config)# show access-list resource

Resource usage in Policy Enforcement Engine

        | Rules     |                 Rules Used                        |
  Slots | Available | ACL | QoS | IDM | VT | Mirror | PBR  | Other |
  ------+-----------+-----+-----+-----+----+--------+------+-------|
    A   |    227    |  9  |  0  |  0  |  0 |   0    | 2816 |   3   |
    B   |    227    |  9  |  0  |  0  |  0 |   0    | 2816 |   3   |
    E   |    227    |  9  |  0  |  0  |  0 |   0    | 2816 |   3   |
    F   |    227    |  9  |  0  |  0  |  0 |   0    | 2816 |   3   |

        | Meters    |                 Meters Used                       |
  Slots | Available | ACL | QoS | IDM | VT | Mirror | PBR  | Other |
  ------+-----------+-----+-----+-----+----+--------+------+-------|
    A   |    255    |     |  0  |  0  |    |        |      |   0   |
    B   |    255    |     |  0  |  0  |    |        |      |   0   |
    E   |    255    |     |  0  |  0  |    |        |      |   0   |
    F   |    255    |     |  0  |  0  |    |        |      |   0   |

        | Application |          Application Port Ranges Used           |
  Slots | Port Ranges |                                                 |
        | Available   | ACL | QoS | IDM | VT | Mirror | PBR  | Other |
  ------+-------------+-----+-----+-----+----+--------+------+-------|
    A   |     14      |  0  |  0  |  0  |    |   0    |  0   |   0   |
    B   |     14      |  0  |  0  |  0  |    |   0    |  0   |   0   |
    E   |     14      |  0  |  0  |  0  |    |   0    |  0   |   0   |
    F   |     14      |  0  |  0  |  0  |    |   0    |  0   |   0   |

The hardware (TCAM) resources used by the ACLs configured on the switch are 4 of 8 Policy Engine management resources.

Key
  ACL     Access Control Lists
  QoS     Quality of Service
  IDM     Identity Driven Management
  VT      Virus Throttling
  Mirror  Mirror Policies, Remote Intelligent Mirror endpoints
  PBR     Policy Based Routing
  Other   Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU, Transparent Mode.

Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included.
The show statistics command will need to be updated to take a MAC parameter.
Syntax
show statistics mac ACL-NAME-STR port [ethernet] PORT-NUM
Used to display hit counts for a given MAC ACL.
  mac: Display the statistics of the MAC ACL.
  ACL-NAME-STR: The MAC ACL name.
  port: Show statistics for the specified port.
  [ethernet] PORT-NUM: The port on which the MAC ACL is applied.
The clear statistics command will need to be updated to take a MAC parameter.
Syntax
clear statistics mac ACL-NAME-STR port [ethernet] PORT-NUM
Clear all the counters for the ACLs that match the criteria specified.
  mac: Clear the statistics for the MAC ACL.
  ACL-NAME-STR: The MAC ACL name or the MAC ACL number.
  port: Clear statistics for the specified port.
  [ethernet] PORT-NUM: The port from which the MAC ACL statistics are cleared.