Using and Configuring MAC ACLs

---

Using MAC ACLs to Deny Network Traffic

 

You can create ACLs based on MAC addresses to deny network traffic from a specific source. MAC addresses are Layer 2 protocols and most often assigned by the hardware manufacturer.

The Figure 12-2 below shows an example of a MAC address and Ethernet type that you want to block from the network.

 

Figure 12-2 - MAC ACL Blocking Access

 

Configuring a MAC ACL to Deny Network Traffic

 

To deny IPv4 network traffic from MAC address, 01:80:c2:00:00:0X, for the scope fabric, create the MAC ACL, deny-MAC, using the following syntax:

 

CLI (network-admin@Leaf1) > acl-mac-create name deny-mac action deny src-mac 01:80:c2:00:00:0X ether-type ipv4

 scope fabric

 

To review the configuration, use the acl-mac-show command:

 

CLI (network-admin@Leaf1) >acl-mac-show name deny-mac layout vertical

 

name:                        deny-mac

id:                          b000015:12

action:                      deny

src-mac:                     01:80:c2:00:00:0X

dst-mac:                     00:00:00:00:00:00

dst-mac-mask:                aa:aa:aa:aa:aa:aa

ether-type:                  ipv4

vlan:                        0

scope:                       fabric

port:                        0

 

Using MAC ACLs to Allow Network Traffic

 

So now that you’ve blocked the MAC address, let’s reverse the scenario and allow IPv4 network traffic from the MAC address to the network.

 

 

Figure 12-3 - MAC ACL Allowing Access 

 

See Configuring a MAC ACL to Allow Network Traffic to review the example configuration.

 

Configuring a MAC ACL to Allow Network Traffic

 

To allow IPv4 network traffic from MAC address, 01:80:c2:00:00:0X, for the scope fabric, create the MAC ACL, allow-MAC, using the following syntax:

 

CLI (network-admin@Leaf1) >  acl-mac-create name allow-mac action permit src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric

 

To review the configuration, use the acl-mac-show command:

 

CLI (network-admin@Leaf1) >  acl-mac-show name deny-mac layout vertical

 

name:                        deny-mac

id:                          b000015:12

action:                      deny

src-mac:                     01:80:c2:00:00:0X

dst-mac:                     00:00:00:00:00:00

dst-mac-mask:                aa:aa:aa:aa:aa:aa

ether-type:                  ipv4

vlan:                        0

scope:                       fabric

port:                        0

 

To delete the ACL configuration, use the acl-mac-delete command.

To modify the ACL configuration, use the acl-mac-modify command.

 

Configuring a MAC ACL to Deny Network Traffic

 

To deny IPv4 network traffic from MAC address, 01:80:c2:00:00:0X, for the scope fabric, create the MAC ACL, deny-MAC, using the following syntax:

 

CLI (network-admin@Leaf1) >  acl-mac-create name deny-mac action deny src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric

 

To review the configuration, use the acl-mac-show command:

 

CLI (network-admin@Leaf1) >  acl-mac-show name deny-mac layout vertical

 

name:                        deny-mac

id:                          b000015:12

action:                      deny

src-mac:                     01:80:c2:00:00:0X

dst-mac:                     00:00:00:00:00:00

dst-mac-mask:                aa:aa:aa:aa:aa:aa

ether-type:                  ipv4

vlan:                        0

scope:                       fabric

port:                        0