Using and Configuring MAC ACLs
Using MAC ACLs to Deny Network Traffic
You can create ACLs based on MAC addresses to deny network traffic from a specific source. MAC addresses are Layer 2 protocols and most often assigned by the hardware manufacturer.
The Figure 14-2 below shows an example of a MAC address and Ethernet type that you want to block from the network.
Figure 14-2 - MAC ACL Blocking Access
Configuring a MAC ACL to Deny Network Traffic
To deny IPv4 network traffic from MAC address, 01:80:c2:00:00:0X, for the scope fabric, create the MAC ACL, deny-MAC, using the following syntax:
CLI (network-admin@Leaf1) > acl-mac-create name deny-mac action deny src-mac 01:80:c2:00:00:0X ether-type ipv4
scope fabric
To review the configuration, use the acl-mac-show command:
CLI (network-admin@Leaf1) >acl-mac-show name deny-mac layout vertical
name: deny-mac
id: b000015:12
action: deny
src-mac: 01:80:c2:00:00:0X
dst-mac: 00:00:00:00:00:00
dst-mac-mask: aa:aa:aa:aa:aa:aa
ether-type: ipv4
vlan: 0
scope: fabric
port: 0
Using MAC ACLs to Allow Network Traffic
So now that you’ve blocked the MAC address, let’s reverse the scenario and allow IPv4 network traffic from the MAC address to the network.
Figure 14-3 - MAC ACL Allowing Access
See Configuring a MAC ACL to Allow Network Traffic to review the example configuration.
Configuring a MAC ACL to Allow Network Traffic
To allow IPv4 network traffic from MAC address, 01:80:c2:00:00:0X, for the scope fabric, create the MAC ACL, allow-MAC, using the following syntax:
CLI (network-admin@Leaf1) > acl-mac-create name allow-mac action permit src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric
To review the configuration, use the acl-mac-show command:
CLI (network-admin@Leaf1) > acl-mac-show name deny-mac layout vertical
name: deny-mac
id: b000015:12
action: deny
src-mac: 01:80:c2:00:00:0X
dst-mac: 00:00:00:00:00:00
dst-mac-mask: aa:aa:aa:aa:aa:aa
ether-type: ipv4
vlan: 0
scope: fabric
port: 0
To delete the ACL configuration, use the acl-mac-delete command.
To modify the ACL configuration, use the acl-mac-modify command.
Configuring a MAC ACL to Deny Network Traffic
To deny IPv4 network traffic from MAC address, 01:80:c2:00:00:0X, for the scope fabric, create the MAC ACL, deny-MAC, using the following syntax:
CLI (network-admin@Leaf1) > acl-mac-create name deny-mac action deny src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric
To review the configuration, use the acl-mac-show command:
CLI (network-admin@Leaf1) > acl-mac-show name deny-mac layout vertical
name: deny-mac
id: b000015:12
action: deny
src-mac: 01:80:c2:00:00:0X
dst-mac: 00:00:00:00:00:00
dst-mac-mask: aa:aa:aa:aa:aa:aa
ether-type: ipv4
vlan: 0
scope: fabric
port: 0