MACIP ACLs
MACIP ACLs and layer 3 ACLs (Standard ACLs) work similarly, but MACIP ACLs match traffic at layer 2 using MAC addresses.
Since MACIP ACLs work with layer 2 information, they can only effectively function on interfaces which support operating at layer 2, such as Ethernet. Additionally, MACIP ACLs can only match layer 2 interface packets from neighboring hosts on directly connected networks.
Warning
The MAC address of a remote host that reaches TNSR via routing through another gateway cannot be determined, and thus cannot be matched by a MACIP ACL.
For example, traffic arriving at TNSR from the Internet via Ethernet will typically have a source MAC address of the default gateway or routing peer, and not the actual source of the traffic.
MACIP ACLs may only be applied in the input direction, and only match source addresses.
- description <text>:
Text describing the purpose of this ACL.
- action <name>:
Determines how the rule governs packets that match.
  - deny:
  Drops a packet which matches this rule.
  - permit:
  Passes a single packet matching the rule.
- ip-version (ipv4|ipv6):
Controls whether IPv4 or IPv6 packets will be matched by the rule. This is required and governs validation of the address value when applicable.
- address <ip-prefix>:
Match the source IPv4 or IPv6 address of a packet.
- mac address <mac-address>:
Optionally specifies a MAC address to block, in six groups of two colon-separated hexadecimal values, such as 00:11:22:33:44:55. When unset, the default value is 00:00:00:00:00:00, and the same value is used for the mask, which matches any MAC address.
- mac mask <mac-mask>:
Optionally specifies a mask which defines the portions of a MAC address to match, similar to an IP prefix value. Given in six groups of two colon-separated hexadecimal values, such as ff:ff:ff:00:00:00, which matches the first half of a given MAC address. A mask of ff:ff:ff:ff:ff:ff matches an entire MAC address exactly. A mask of 00:00:00:00:00:00 matches any MAC address, and is the default behavior when no mask is set.
MACIP ACL Example
tnsr(config)# macip blockamac
tnsr(config-macip)# rule 10
tnsr(config-macip-rule)# action deny
tnsr(config-macip-rule)# mac address 00:11:22:33:44:55
tnsr(config-macip-rule)# mac mask ff:ff:ff:ff:ff:ff
tnsr(config-macip-rule)# ip-version ipv4
tnsr(config-macip-rule)# exit
tnsr(config-macip)# exit
tnsr(config)# int GigabitEthernet0/14/2
tnsr(config-interface)# access-list macip blockamac
tnsr(config-interface)# exit
tnsr(config)#
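The matching semantics described above (MAC address ANDed with the mask, ip-version gating, and an optional source prefix), applied to the blockamac ruleset, as an added Python model that is not TNSR's own code. It assumes rules are evaluated in ascending rule-number order with first match winning, and adds a hypothetical rule 20 to show a partial mask and an address prefix working together.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All-zero MAC: the documented default for both address and mask (matches any MAC).
WILDCARD_MAC = "00:00:00:00:00:00"

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer; rejects malformed input."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac}")
    return int("".join(parts), 16)

@dataclass
class MacipRule:
    number: int
    action: str                     # "permit" or "deny"
    ip_version: str                 # "ipv4" or "ipv6" (required, as on the page)
    address: Optional[str] = None   # source prefix, e.g. "192.0.2.0/24"
    mac: str = WILDCARD_MAC         # default 00:00:00:00:00:00
    mac_mask: str = WILDCARD_MAC    # default mask: match any MAC

    def matches(self, src_mac: str, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        if (ip.version == 4) != (self.ip_version == "ipv4"):
            return False                         # wrong address family
        if self.address is not None and ip not in ipaddress.ip_network(self.address, strict=False):
            return False                         # source IP outside the prefix
        mask = mac_to_int(self.mac_mask)         # only masked bits are compared
        return (mac_to_int(src_mac) & mask) == (mac_to_int(self.mac) & mask)

def evaluate(rules, src_mac: str, src_ip: str) -> Optional[str]:
    """Return the action of the lowest-numbered matching rule, or None if no rule matches.
    Assumption (not stated on the page): ascending rule order, first match wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_mac, src_ip):
            return rule.action
    return None

# Constructed ruleset: rule 10 mirrors the CLI example; rule 20 is hypothetical and
# permits IPv4 hosts in 192.0.2.0/24 whose MAC starts with the 00:11:22 OUI.
BLOCKAMAC = [
    MacipRule(10, "deny", "ipv4", mac="00:11:22:33:44:55", mac_mask="ff:ff:ff:ff:ff:ff"),
    MacipRule(20, "permit", "ipv4", address="192.0.2.0/24",
              mac="00:11:22:00:00:00", mac_mask="ff:ff:ff:00:00:00"),
]
```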