MAC ACL configuration commands

Mac-access-list creation syntax

This is a new command that needs to be created to allow for the configuration of MAC-based access control lists.

Syntax

mac-access-list standard

Configure a standard MAC Access Control List.

NAME-STR

The standard MAC ACL name.

200-299

The standard MAC ACL number.
Standard MAC ACL Configuration

mac-access-list standard 200

Description: Configure the standard MAC ACL to filter the packets based on the source MAC address. The standard MAC ACL number ranges from 200 to 299.
(config)#mac accss-list standard 200
(config-std-macl)#

Syntax

mac-access-list extended

Configure an extended MAC Access Control List.

NAME-STR

The extended MAC ACL name.

300-399

The extended MAC ACL number.
Extended MAC ACL Configuration

mac-access-list extended 300

Configure the extended MAC ACL to filter the packets based on the source MAC address, destination MAC address, ethertype, CoS priority, or VLAN number. The extended MAC ACL number ranges from 300 to 399.
(config)#mac accss-list extended 300
(config-ext-macl)#

Syntax

mac-access-list resequence

Renumber the sequence number of the rules in the MAC ACL specified.

<1-2147483647>

The sequence number assigned to the first rule of the specified MAC ACL.

<1-2147483646>

The increment value that renumbers the subsequent rules in the specified MAC ACL.
Resequencing MAC ACL

mac-access-list resequence 200 1 10

Description: Renumber the sequence number of the rules in the MAC ACL specified. The first rule receives the sequence number specified in the start-seq-num and the subsequent rule numbers increment per the increment value.
(config)# mac-access-list resequence 300 1 10

NOTE:

Similar Command

ip access-list

Mac-access-list standard configuration context

This command is used to configure MAC ACL with a simplified configuration. A simplified configuration provides a way to easily configure MAC ACLs that only require matching on a source MAC address.

Syntax

[no]SEQ-NUM permit|deny any|host SRC-MAC|SRC-MAC-MASKlog

permit

Packets matching the specified Ethernet header information.

deny

Packets matching the specified Ethernet header information.

any

Match the packets with any source MAC address.

host

Match the packets with the specified source MAC address.

SRC-MAC

Match the packets belonging to the specified source MAC address range.

SRC-MAC-MASK

The MAC address group mask.

log

Log a debug message when the MAC ACL rule is hit.

NOTE:

Similar Command

(config)#ip access-list standard 1

Configure standard MAC ACL

(config)# mac-access-list standard 200
(config-std-macl)# permit AABB.CCDD.EEFF 0000.0000.FFFF  
(config-std-macl)# deny host AABB.CCDD.EEFF log

Syntax

[no]SEQ-NUM remark

Add a comment for the MAC ACL rule specified. The maximum comment length is 100 characters.

Mac-access-list extended configuration context

Syntax

[no]SEQ-NUM permit|deny any|host SRC-MAC|SRC-MAC SRC-MAC-MASKany|host DST-MAC|DST-MAC DST-MAC-MASK any|ETHERTYPEcos COS log

Used to configure an extended MAC ACL. The extended capabilities allow for matching on source MAC address, destination Mac address, EtherType, CoS, and VLAN. The VLAN value is only applicable when the MAC ACL is applied to a port or trunk interface.

permit

Packets matching the specified Ethernet Header information.

deny

Packets matching the specified Ethernet Header information.

any

Match packets with any source/destination MAC address.

host

Match packets with the specified source/destination MAC address.

SRC-MAC

Match packets belonging to the specified source/destination MAC address range.

SRC-MAC-MASK

The source MAC address group mask.

DST-MAC-MASK

The destination MAC address group mask.

<0x600-0xFFFF>

Match a specific EtherType protocol.

aarp

AppleTalk Address Resolution Protocol (AARP)

appletalk

AppleTalk/EtherTalk

arp

Address Resolution Protocol (ARP)

fcoe

Fibre Channel over Ethernet

fcoe-init

Fibre Channel over Ethernet Initialization

lldp

Link Layer Discovery Protocol

ip

Internet Protocol Version 4

ipv6

Internet Protocol Version 6

ipx-arpa

IPX Advanced Research Projects Agency (ARPA)

ipx-non-arpa

IPX non-ARPA

is-is

Intermediate System to Intermediate System

mpls-unicast

MPLS Unicast

mpls-multicast

MPLS Multicast

q-in-q

IEEE 802.1ad encapsulation

rbridge

RBridge Channel Protocol

trill

IETF TRILL protocol

wake-on-lan

Wake on LAN

log

Log a debug message when the MAC ACL rule is hit.

cos

Match packets with a specified 802.1Q Priority Code Point value.

vlan

Match packets with the specified VLAN value.

VLAN-ID

Match packets with the specified VLAN value.

<0-7>

Match packets with a specified 802.1Q Priority Code Point value.

NOTE:

Similar Command

(config)#ip access-list extended 100

Remark command

The remark command allows for the insertion of a string at the specified sequence number. The remark will consume the sequence number where it is specified and will remain in proper order if the list is resequenced. The remark ability provides a way of tracking notes inside the given ACL but they do not affect the behavior of the ACL.

Syntax

[no]SEQ-NUM remark

Add a comment for the MAC ACL or MAC ACL rule specified. The maximum comment length is 100 characters.

Mac-access-list application syntax (PACL)

This command is used to apply a MAC ACL to an interface.

Syntax

mac-access-group ACL-ID in

Apply a MAC ACL to traffic on a port. A standard or extended MAC ACL filters packets based on the source MAC address, destination MAC address, ethertype, CoS, or VLAN.

ASCII-STR

The MAC ACL name.

in

Apply MAC ACL on the inbound packets.

NOTE:

Similar command

ip access-group name in

mac-access-group name in

Mac-access-list application syntax (VACL)

This command is used to apply a MAC ACL to a VLAN .

Syntax

mac-access-group ACL-ID in

Apply a MAC ACL to traffic on a VLAN. A standard or extended MAC ACL filters packets based on the source MAC address, destination MAC address, ethertype, CoS, or VLAN.

ASCII-STR

The MAC ACL name.

in

Apply MAC ACL on the inbound packets.
NOTE:

Similar command

ip access-group name in
Applying a MAC ACL to VLAN 1
(config)#vlan 1
(vlan-1)# mac-access-group name in

Show access-list

Syntax

show access-list ACL-NAME-STRconfig|config|ports|radius|resources|tunnelTUNNEL-ID|vlan VLAN-ID

Show access control list information. If no parameters are specified, a table of ACL information is displayed.

ACL-NAME-STR

Display detailed information about the specified ACL.

config

Show all configured ACLs on the switch using the CLI syntax used to create them.

ports

Show ACLs applied to the specified ports.

radius

Display ACLs applied via RADIUS.

resources

Display ACL resource usage and availability.

tunnel

Show ACLs applied to the specified tunnel.

vlan

Show ACLs applied to the specified VLAN.

Show access-list by name

This command is used to display the details about a specific ACL.

Syntax

show access-list ACL-ID config

Show access-list 300

HP-E5406zl(config)# show access-list 300
Access Control Lists
Name: 300
Type: MAC Extended
Applied: No
SEQ: Entry
---------------------------------------------
10 Action : permit
Src MAC: 1111.2222.3333  Mask: ffff.ffff.0000
Dst MAC: 4444.5555.6666  Mask: ffff.ffff.0000
Ethertype: aarp  CoS: 7  VLAN ID: 1

Show access-list 200

HP-E5406zl(config)# show access-list 200
Access Control Lists
Name: 200
Type: MAC Standard
Applied: No
SEQ:  Entry
------------------------------------------------------
10 Action:  permit 
Src MAC:    1111.2222.3333 Mask: ffff.ffff.0000
Ethertype : any

Show access-list 100

HP-E5406zl(config)# show access-list 100
Name: 100
Type: IPv4 Extended
Applied: No
SEQ:  Entry
---------------------------------------------------
10 Action:  deny
   Src IP:     0.0.0.0           Mask: 255.255.255.255   Port(s):
   Dst IP:     0.0.0.0           Mask: 255.255.255.255   Port(s):
   Proto :     TCP
   TOS   :     Precedence:
20 Action:  deny
   Src IP:     0.0.0.0           Mask: 255.255.255.255   Port(s):
   Dst IP:     0.0.0.0           Mask: 255.255.255.255   Port(s): 
   Proto :     UDP
   TOS   :     Precedence: -

Show access-list v6ACL

HP-E5406zl(config)# show access-list v6ACL
Name: 100
Type: IPv6
Applied: No
SEQ  Entry
----------------------------------------
10  Action:       deny
    Src IP:       Prefix Len: 0
    Dst IP:       Prefix Len: 0
    Src Port(s):  Dst Port(s):
    Proto :       TCP  Option(s):
    Dscp :

Show access-list config

Syntax

show access-list ACL-ID config

Used to display a specific ACL as it would be shown in configuration.
mac-access-list
(config)# mac-access-list 300 config
10 permit 1111.2222.3333 ffff.ffff.0000 4444.5555.6666 ffff.ffff.0000 aarp
exit

(config)# mac-access-list 200 config
10 permit 1111.2222.3333 4444.5555.6666 
exit

Show access-list port

Syntax

show access-list port port-list

Used to display the current ACLs that are applied to a specified port.

Show access-list

(config)# show access-list port f1
Access Lists for Port F1
IPv4 Inbound : 100   Type: Extended
MAC  Inbound : 300   Type: Extended

Show access-list vlan

Syntax

show access-list vlan vlan-id|all

Used to display the current ACLs that are applied to a specified VLAN.

VLAN-ID

Show ACLs applied to the specified VLAN.

all

Show ACLs applied to all VLANs.
Show access-list
(config)# show access-list vlan 1
Access Lists for VLAN 1
IPv4 Router Inbound            : (None)
IPv4 VLAN Inbound              : (None)
IPv4 Connection Rate Filter    : (None)
IPv6 Router Inbound            : (None)
IPv6 VLAN Inbound              : (None)
MAC  VLAN Inbound              : 300    Type: Extended

Show access-list resources

Syntax

show access-list resource

Used to display current resource usage and availability in the policy enforcement engine.
Show access-list resource
(config)# show access-list resource

Resource usage in Policy Enforcement Engine

      |  Rules      | Rules Used
Slots |  Available  | ACL       | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----------+-----+-----+---+--------+-----+-------|
 A    |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |
 B    |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |
 E    |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |
 F    |         227 |   9       |   0 |   0 |  0 |      0 |2816 |    3 |

      |    Meters   |Meters Used
Slots |  Available  | ACL       | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----------+-----+-----+----+--------+-----+------|
 A    |         255 |           |   0 |   0 |    |        |     |     0|
 B    |         255 |           |   0 |   0 |    |        |     |     0|
 E    |         255 |           |   0 |   0 |    |        |     |     0|
 F    |         255 |           |   0 |   0 |    |        |     |     0|

      | Application |
      | Port Ranges | Application Port Ranges Used
Slots | Available   | ACL       | QoS | IDM | VT | Mirror | PBR | Other|
------+-------------+-----------+-----+-----+----+--------+-----+------|
A     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|
B     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|
E     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|
F     |          14 |         0 |   0 |   0 |    |      0 |   0 |     0|
The hardware (TCAM) resources used by the ACLs configured on the switch is 4 of 8 Policy Engine management resources.

Key

ACL Access Control Lists

QoS Quality of Service

IDM Identity Driven Management

VT Virus Throttling

Mirror Mirror Policies, Remote Intelligent Mirror endpoints

PBR Policy Based Routing

Other Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU, Transparent Mode.

Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included.

Key
ACL	Access Control Lists
QoS	Quality of Service
IDM	Identity Driven Management
VT	Virus Throttling
Mirror	Mirror Policies, Remote Intelligent Mirror endpoints
PBR	Policy Based Routing
Other	Management VLAN, DHCP Snooping, ARP Protection, Jumbo IP-MTU, Transparent Mode.

Show statistics

The show statistics command will need to be updated to take a MAC parameter.

Syntax

show statistics mac ACL-NAME-STR port PORT-NUM

Used to display hit counts for a given MAC ACL.

mac

Display the statistics of MAC ACL.

ACL-NAME-STR

The MAC ACL name.

port

Show statistics for the specified port.

[ethernet] PORT-NUM

The port on which the MAC ACL is applied.

Syntax
show statistics mac ACL-NAME-STR vlan VLAN-ID in|out|vlan

vlan

Show statistics for the specified VLAN.

VLAN-ID

The VLAN ID or VLAN name.

in

Show statistics for MAC ACLs that are applied inbound.

out

Show statistics for MAC ACLs that are applied outbound.
show statistics mac
show statistics mac 300 port 1 in

show statistics mac 300 vlan 10 in

show statistics mac 300 vlan 10 vlan
show statistics mac superMac vlan 10 in
show statistics mac superMac vlan 10 in 

HitCounts for ACL superMac 
Total 
(       540 )    10 permit any 1111.2222.3333 4444.5555.6666

clear statistics

The clear statistics command will need to be updated to take a MAC parameter.

Syntax

clear statistics mac ACL-NAME-STR port PORT-NUM

Clear all the counters for the ACLs that match the criteria specified.

mac

Clear the statistics for MAC ACL.

ACL-NAME-STR

The MAC ACL name or the MAC ACL number.

port

Clear statistics for the specified port.

[ethernet] PORT-NUM

The port from which the MAC ACL statistics is cleared.

Syntax

clear statistics mac ACL-NAME-STR port PORT-NUM|VLAN VLAN-IDin|out|vlan

VLAN

Clear statistics for the specified VLAN.

VLAN-ID

The VLAN ID or VLAN name.

in

Clear statistics for inbound packets on the VLAN.

out

Clear statistics for outbound packets on the VLAN.

Clear statistics mac superMac

clear statistics mac superMac vlan 10 in

prev	up	next
MAC ACLs	home	Event Log messages

NAME-STR	The standard MAC ACL name.
200-299	The standard MAC ACL number.

NAME-STR	The extended MAC ACL name.
300-399	The extended MAC ACL number.

<1-2147483647>	The sequence number assigned to the first rule of the specified MAC ACL.
<1-2147483646>	The increment value that renumbers the subsequent rules in the specified MAC ACL.

permit	Packets matching the specified Ethernet header information.
deny	Packets matching the specified Ethernet header information.
any	Match the packets with any source MAC address.
host	Match the packets with the specified source MAC address.
SRC-MAC	Match the packets belonging to the specified source MAC address range.
SRC-MAC-MASK	The MAC address group mask.
log	Log a debug message when the MAC ACL rule is hit.

any	Match packets with any source/destination MAC address.
host	Match packets with the specified source/destination MAC address.
SRC-MAC	Match packets belonging to the specified source/destination MAC address range.
SRC-MAC-MASK	The source MAC address group mask.
DST-MAC-MASK	The destination MAC address group mask.
<0x600-0xFFFF>	Match a specific EtherType protocol.
aarp	AppleTalk Address Resolution Protocol (AARP)
appletalk	AppleTalk/EtherTalk
arp	Address Resolution Protocol (ARP)
fcoe	Fibre Channel over Ethernet
fcoe-init	Fibre Channel over Ethernet Initialization
lldp	Link Layer Discovery Protocol
ip	Internet Protocol Version 4
ipv6	Internet Protocol Version 6
ipx-arpa	IPX Advanced Research Projects Agency (ARPA)
ipx-non-arpa	IPX non-ARPA
is-is	Intermediate System to Intermediate System
mpls-unicast	MPLS Unicast
mpls-multicast	MPLS Multicast
q-in-q	IEEE 802.1ad encapsulation
rbridge	RBridge Channel Protocol
trill	IETF TRILL protocol
wake-on-lan	Wake on LAN
log	Log a debug message when the MAC ACL rule is hit.
cos	Match packets with a specified 802.1Q Priority Code Point value.
vlan	Match packets with the specified VLAN value.
VLAN-ID	Match packets with the specified VLAN value.
<0-7>	Match packets with a specified 802.1Q Priority Code Point value.

ASCII-STR	The MAC ACL name.
in	Apply MAC ACL on the inbound packets.

ACL-NAME-STR	Display detailed information about the specified ACL.
config	Show all configured ACLs on the switch using the CLI syntax used to create them.
ports	Show ACLs applied to the specified ports.
radius	Display ACLs applied via RADIUS.
resources	Display ACL resource usage and availability.
tunnel	Show ACLs applied to the specified tunnel.
vlan	Show ACLs applied to the specified VLAN.

VLAN-ID	Show ACLs applied to the specified VLAN.
all	Show ACLs applied to all VLANs.

mac	Display the statistics of MAC ACL.
ACL-NAME-STR	The MAC ACL name.
port	Show statistics for the specified port.
[ethernet] PORT-NUM	The port on which the MAC ACL is applied.

vlan	Show statistics for the specified VLAN.
VLAN-ID	The VLAN ID or VLAN name.
in	Show statistics for MAC ACLs that are applied inbound.
out	Show statistics for MAC ACLs that are applied outbound.

mac	Clear the statistics for MAC ACL.
ACL-NAME-STR	The MAC ACL name or the MAC ACL number.
port	Clear statistics for the specified port.
[ethernet] PORT-NUM	The port from which the MAC ACL statistics is cleared.

VLAN	Clear statistics for the specified VLAN.
VLAN-ID	The VLAN ID or VLAN name.
in	Clear statistics for inbound packets on the VLAN.
out	Clear statistics for outbound packets on the VLAN.