Configuring MAC-based ACLs
You can configure MAC-based ACL entries to permit or deny network traffic based on a number of parameters:
- Source MAC address
- Source MAC address mask
- Destination MAC address
- Destination MAC address mask
- EtherType value
- Name of the vNET
- Bridge domain name
- VLAN number
- Switch port number
These capabilities enable various common use cases as exemplified in the following sections.
Configuring a MAC-based ACL to Deny Network Traffic
Figure 15-3 below shows an example of a server MAC address and EtherType (IPv4) that you want to block when the traffic ingresses a switch:
Figure 15-3 - MAC ACL Blocking Access
To deny IPv4 network traffic from MAC address 01:80:c2:00:00:0X with scope fabric, create the MAC ACL deny-mac using the following syntax:
CLI (network-admin@switch) > acl-mac-create name deny-mac action deny src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric
To review the configuration, use the acl-mac-show command:
CLI (network-admin@switch) > acl-mac-show name deny-mac layout vertical
name: deny-mac
id: b000015:12
action: deny
src-mac: 01:80:c2:00:00:0X
dst-mac: 00:00:00:00:00:00
dst-mac-mask: aa:aa:aa:aa:aa:aa
ether-type: ipv4
vlan: 0
scope: fabric
port: 0
Configuring a MAC-based ACL to Permit Network Traffic
In addition to the deny action, you can also permit network traffic based on the same Layer 2 parameters, as shown in the example below:
Figure 15-4 - MAC ACL Allowing Access
To permit IPv4 network traffic from MAC address 01:80:c2:00:00:0X, create a MAC-based ACL using the following syntax:
CLI (network-admin@switch) > acl-mac-create name allow-mac action permit src-mac 01:80:c2:00:00:0X ether-type ipv4 scope fabric
To review the configuration, use the acl-mac-show command:
CLI (network-admin@switch) > acl-mac-show name allow-mac layout vertical
name: allow-mac
id: b000015:12
action: permit
src-mac: 01:80:c2:00:00:0X
dst-mac: 00:00:00:00:00:00
dst-mac-mask: aa:aa:aa:aa:aa:aa
ether-type: ipv4
vlan: 0
scope: fabric
port: 0
To delete the ACL configuration, use the acl-mac-delete command.
To modify the ACL configuration, use the acl-mac-modify command.
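The following model of how a frame is matched against the deny-mac and allow-mac entries above is an added illustration, not Netvisor code. It assumes (none of this is stated on the page) that a mask bit of 1 means "compare this bit", that an all-zero mask or a 0 value for vlan and port means "any", that the first matching entry wins with an implicit permit otherwise, and that the documentation's 01:80:c2:00:00:0X placeholder is expressed as src-mac 01:80:c2:00:00:00 with src-mac-mask ff:ff:ff:ff:ff:f0.

```python
"""Model of the MAC ACL match (added illustration, not Netvisor code).
Assumptions not stated on the page: mask bit 1 = compare that bit, all-zero
mask / 0 for vlan and port = any, first matching entry wins, and the doc's
01:80:c2:00:00:0X placeholder is written as 01:80:c2:00:00:00 with mask
ff:ff:ff:ff:ff:f0 (any low nibble)."""
from dataclasses import dataclass

ETHER_TYPES = {"ipv4": 0x0800}   # only the value the page uses

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

@dataclass
class MacAcl:
    name: str
    action: str                               # "permit" or "deny"
    src_mac: str = "00:00:00:00:00:00"
    src_mac_mask: str = "00:00:00:00:00:00"   # all-zero = any source
    dst_mac: str = "00:00:00:00:00:00"
    dst_mac_mask: str = "00:00:00:00:00:00"   # all-zero = any destination
    ether_type: str = ""                      # "" = any EtherType
    vlan: int = 0                             # 0 = any VLAN
    port: int = 0                             # 0 = any switch port

    def matches(self, frame: dict) -> bool:
        smask, dmask = mac_to_int(self.src_mac_mask), mac_to_int(self.dst_mac_mask)
        if mac_to_int(frame["src"]) & smask != mac_to_int(self.src_mac) & smask:
            return False
        if mac_to_int(frame["dst"]) & dmask != mac_to_int(self.dst_mac) & dmask:
            return False
        if self.ether_type and frame["ether_type"] != ETHER_TYPES[self.ether_type]:
            return False
        if self.vlan and frame["vlan"] != self.vlan:
            return False
        return not self.port or frame["port"] == self.port

def evaluate(acls: list, frame: dict) -> str:
    """Action of the first matching entry; implicit permit if none matches."""
    return next((a.action for a in acls if a.matches(frame)), "permit")

# The two entries from the page; the 0X nibble is expressed through the mask.
DENY_MAC = MacAcl("deny-mac", "deny", src_mac="01:80:c2:00:00:00",
                  src_mac_mask="ff:ff:ff:ff:ff:f0", ether_type="ipv4")
ALLOW_MAC = MacAcl("allow-mac", "permit", src_mac="01:80:c2:00:00:00",
                   src_mac_mask="ff:ff:ff:ff:ff:f0", ether_type="ipv4")

# Constructed sample frames (not captured traffic).
IPV4_FROM_0E = {"src": "01:80:c2:00:00:0e", "dst": "ff:ff:ff:ff:ff:ff", "ether_type": 0x0800, "vlan": 10, "port": 5}
ARP_FROM_0E = dict(IPV4_FROM_0E, ether_type=0x0806)
IPV4_FROM_10 = dict(IPV4_FROM_0E, src="01:80:c2:00:00:10")
```

Because deny-mac and allow-mac share identical match criteria, which action applies to an IPv4 frame from 01:80:c2:00:00:0e depends entirely on entry order, so verify the resulting order with acl-mac-show after creating both.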