Foundry Configuration Guide for the FESX, FSX, and FWSX
4 - 6 © Foundry Networks, Inc. December 2005
route traffic, configure a route filter.
• Layer 2 MAC filtering on the FESX, FSX, and FWSX differs from the FES and BigIron in that MAC filtering
applies to all traffic, including management traffic. To exclude management traffic from being filtered,
configure a MAC filter that explicitly permits all traffic headed to the management MAC (destination) address.
The MAC address for management traffic is always the MAC address of port 1.
• You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use IP access policies.
See the appendix “Policies and Filters” on page C-1.
• MAC Layer 2 filters are not supported on tagged ports in the base Layer 3 and full Layer 3 images.
Command Syntax
To configure and apply a MAC filter, enter commands such as the following:
FESX424 Switch(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any
FESX424 Switch(config)# mac filter 1024 permit any any
FESX424 Switch(config)# int e 1
FESX424 Switch(config-if-e1000-1)# mac filter-group 1
These commands configure a filter to deny ARP traffic with a source MAC address that begins with “3565” to any
destination. The second filter permits all traffic that is not denied by another filter.
NOTE: Once you apply a MAC filter to a port, the device drops all Layer 2 traffic on the port that does not match a
MAC permit filter on the port.
Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address
value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f’s
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.
The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask.
In this case, the filter matches on all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same
as those for the <src-mac> <mask> | any parameter.
Syntax: mac filter log-enable
Globally enables logging for filtered packets.
Syntax: mac filter-group log-enable
Enables logging for filtered packets on a specific port.
Syntax: mac filter-group <filter-list>
Applies MAC filters to a port.
NOTE: The filters must be applied as a group. For example, if you want to apply four filters to an interface, they
must all appear on the same command line.
NOTE: You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply
the filter group again containing all the filters you want to apply to the port.
NOTE: If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced
by the new filter group.
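The following Python sketch is an added illustration, not Foundry code. It models the mask comparison and the filter-group behavior described above, so you can check which frames a planned group would drop before applying it to a port. It assumes that filters are evaluated in the order listed and that the first match wins. Filter 2, the management MAC value, and the host addresses are constructed for the example.

```python
# Added illustration: models the mask matching and filter-group behavior
# described above. Not Foundry code; first-match evaluation in the order
# listed is an assumption.

def mac_to_int(mac):
    """Parse H.H.H notation (for example aabb.ccdd.eeff) into an integer."""
    groups = mac.split(".")
    if len(groups) != 3 or any(len(g) != 4 for g in groups):
        raise ValueError(f"not H.H.H notation: {mac!r}")
    return int("".join(groups), 16)

def field_matches(spec, mac):
    """spec is 'any' or an (address, mask) pair; f's in the mask mark compared bits."""
    if spec == "any":
        return True
    addr, mask = (mac_to_int(x) for x in spec)
    return (mac_to_int(mac) & mask) == (addr & mask)

def evaluate(filters, group, src, dst):
    """Return 'permit' or 'deny' for a frame on a port with `group` applied."""
    for num in group:                      # assumed: first match wins
        action, src_spec, dst_spec = filters[num]
        if field_matches(src_spec, src) and field_matches(dst_spec, dst):
            return action
    return "deny"                          # no permit filter matched: dropped

# Constructed sample data (only filter 1 and filter 1024 come from the page).
MGMT_MAC = "00e0.5200.0001"                # hypothetical MAC address of port 1
FILTERS = {
    1:    ("deny",   ("3565.3475.3676", "ffff.0000.0000"), "any"),
    2:    ("permit", "any", (MGMT_MAC, "ffff.ffff.ffff")),   # hypothetical
    1024: ("permit", "any", "any"),
}

if __name__ == "__main__":
    host = "0012.f2aa.bb01"                # constructed client address
    for group in ([1], [1, 1024], [1, 2]):
        print(group,
              evaluate(FILTERS, group, "3565.9999.0001", MGMT_MAC),
              evaluate(FILTERS, group, host, MGMT_MAC),
              evaluate(FILTERS, group, host, "0012.f2aa.bb02"))
```

In this model, a group that contains only the deny filter drops every frame on the port, including frames addressed to the management MAC, because no permit filter matches.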