Feedback
mab through mime-type
mab
To enable MAC-based authentication on a port, use the mab command in interface configuration mode. To disable MAC-based authentication, use the no form of this command.
Usage Guidelines
Use the mab command to enable MAC-based authentication on a port. To enable EAP on the port, use the mab eap command.
NoteIf you are unsure whether MAB or MAB EAP is enabled or disabled on the switched port, use the default mabor default mab eap commands in interface configuration mode to configure MAB or MAB EAP to its default.
mac access-group
To use a MAC access control list (ACL) to control the reception of incoming traffic on a Gigabit Ethernet interface, an 802.1Q VLAN subinterface, an 802.1Q-in-Q stacked VLAN subinterface, use the macaccess-groupcommand in interface or subinterface configuration mode. To remove a MAC ACL, use the no form of this command.
Usage Guidelines
MAC ACLs are applied on incoming traffic on Gigabit Ethernet interfaces and VLAN subinterfaces. After a networking device receives a packet, the Cisco IOS software checks the source MAC address of the Gigabit Ethernet, 802.1Q VLAN, or 802.1Q-in-Q packet against the access list. If the MAC access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.
If the specified MAC ACL does not exist on the interface or subinterface, all packets are passed.
On Catalyst 6500 series switches, this command is supported on Layer 2 ports only.
NoteThe macaccess-groupcommand is supported on a VLAN subinterface only if a VLAN is already configured on the subinterface.
Examples
The following example applies MAC ACL 101 on incoming traffic received on Gigabit Ethernet interface 0:
Router> enable Router# configure terminal Router(config)# interface gigabitethernet 0 Router(config-if)# mac access-group 101 inRelated Commands
Command
Description
access-list (MAC)
Defines a MAC ACL.
clear mac access-list counters
Clears the counters of a MAC ACL.
ip access-group
Configures an IP access list to be used for packets transmitted from the asynchronous host.
show access-group mode interface
Displays the ACL configuration on a Layer 2 interface.
show mac access-list
Displays the contents of one or all MAC ACLs.
mac-address (RITE)
To specify the Ethernet address of the destination host, use the mac-address command in router IP traffic export (RITE) configuration mode. To change the MAC address of the destination host, use the no form of this command.
Usage Guidelines
The mac-address command, which is used to specify the destination host that is receiving the exported traffic, is part of suite of RITE configuration mode commands that are used to control various attributes for both incoming and outgoing IP traffic export.
The ip traffic-export profile command allows you to begin a profile that can be configured to export IP packets as they arrive or leave a selected router ingress interface. A designated egress interface exports the captured IP packets out of the router. Thus, the router can export unaltered IP packets to a directly connected device.
Examples
The following example shows how to configure the profile “corp1,” which will send captured IP traffic to host “00a.8aab.90a0” at the interface “FastEthernet 0/1.” This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the access control lists (ACL) “ham_ACL.”
Router(config)# ip traffic-export profile corp1 Router(config-rite)# interface FastEthernet 0/1 Router(config-rite)# bidirectional Router(config-rite)# mac-address 00a.8aab.90a0 Router(config-rite)# outgoing sample one-in-every 50 Router(config-rite)# incoming access-list ham_acl Router(config-rite)# exit Router(config)# interface FastEthernet 0/0 Router(config-if)# ip traffic-export apply corp1match class-map
To use a traffic class as a classification policy, use the match class-map command in class-map or policy inline configuration mode. To remove a specific traffic class as a match criterion, use the no form of this command.
Command History
Release
Modification
12.0(5)XE
This command was introduced.
12.1(1)E
This command was integrated into Cisco IOS Release 12.1(1)E.
12.1(5)T
This command was integrated into Cisco IOS Release 12.1(5)T.
12.4(6)T
This command was enhanced to support Zone-Based Policy Firewall.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(31)SB
This command was implemented on the Cisco 10000 series.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2S
This command was integrated into Cisco IOS XE Release 3.2S.
Usage Guidelines
The only method of including both match-any and match-all characteristics in a single traffic class is to use the match class-map command. To combine match-any and match-all characteristics into a single class, do one of the following:
- Create a traffic class with the match-anyinstruction and use a class configured with the match-all instruction as a match criterion (using the match class-map command).
- Create a traffic class with the match-allinstruction and use a class configured with the match-any instruction as a match criterion (using the match class-map command).
You can also use the match class-map command to nest traffic classes within one another, saving users the overhead of re-creating a new traffic class when most of the information exists in a previously configured traffic class.
When packets are matched to a class map, a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the 'inspect' action.
Examples
In the following example, the traffic class called class1 has the same characteristics as traffic class called class2, with the exception that traffic class class1 has added a destination address as a match criterion. Rather than configuring traffic class class1 line by line, you can enter the match class-map class2 command. This command allows all of the characteristics in the traffic class called class2 to be included in the traffic class called class1, and you can simply add the new destination address match criterion without reconfiguring the entire traffic class.
Router(config)# class-map match-any class2 Router(config-cmap)# match protocol ip Router(config-cmap)# match qos-group 3 Router(config-cmap)# match access-group 2 Router(config-cmap)# exit Router(config)# class-map match-all class1 Router(config-cmap)# match class-map class2 Router(config-cmap)# match destination-address mac 1.1.1 Router(config-cmap)# exitThe following example shows how to combine the characteristics of two traffic classes, one with match-any and one with match-all characteristics, into one traffic class with the match class-map command. The result of traffic class called class4 requires a packet to match one of the following three match criteria to be considered a member of traffic class called class 4: IP protocol and QoS group 4, destination MAC address 1.1.1, or access group 2. Match criteria IP protocol and QoS group 4 are required in the definition of the traffic class named class3 and included as a possible match in the definition of the traffic class named class4 with the match class-map class3 command.
In this example, only the traffic class called class4 is used with the service policy called policy1.
Router(config)# class-map match-all class3 Router(config-cmap)# match protocol ip Router(config-cmap)# match qos-group 4 Router(config-cmap)# exit Router(config)# class-map match-any class4 Router(config-cmap)# match class-map class3 Router(config-cmap)# match destination-address mac 1.1.1 Router(config-cmap)# match access-group 2 Router(config-cmap)# exit Router(config)# policy-map policy1 Router(config-pmap)# class class4 Router(config-pmap-c)# police 8100 1500 2504 conform-action transmit exceed-action set-qos-transmit 4 Router(config-pmap-c)# exit
