FastIron Configuration Guide
53-1002494-02
Defining MAC address filters
MAC address filters command syntax
To configure and apply a MAC address filter, enter commands such as the following.
Brocade(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000
Brocade(config)# mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff
Brocade(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0
Brocade(config)# mac filter 4 deny any 0000.1234.5678 ffff.ffff.ffff
Brocade(config)# mac filter 5 deny any 0000.2345.6789 ffff.ffff.ffff
Brocade(config)# mac filter 1024 permit any any
Brocade(config)# int e 1
Brocade(config-if-e1000-1)# mac filter-group 1 to 5 1024
These commands configure filter 1 to deny traffic with a source MAC address that begins with
“3565” to any destination, and configure filters 2 through 5 to deny traffic with the specified
destination MAC addresses. Filter 1024 permits all traffic that is not denied by any other filter.
NOTE
Once you apply a MAC address filter to a port, the device drops all Ethernet traffic on the port that
does not match a MAC permit filter on the port.
Syntax: [no] mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any
You can configure up to 507 MAC filters for <filter-num>, although the output of the show default
values command shows 512.
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a
specific address value and a comparison mask or the keyword any to filter on all MAC addresses.
Specify the mask using f (ones) and zeros. For example, to match on the first two bytes of the
address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the filter matches on all MAC
addresses that contain "aabb" as the first two bytes. The filter accepts any value for the remaining
bytes of the MAC address. If you specify any, do not specify a mask. In this case, the filter matches
on all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules
are the same as those for the <src-mac> <mask> | any parameter.
Syntax: [no] mac filter log-enable
Globally enables logging for filtered packets.
Syntax: [no] mac filter-group log-enable
Enables logging for filtered packets on a specific port.
Syntax: [no] mac filter-group <filter-number> [to <filter-number> | <filter-number>...]
Applies MAC address filters to a port.
When applying the filter-group to the interface, specify each line to be applied separately or use the
to keyword to apply a consecutive range of filter lines, for example, 1 3 to 8 10.
NOTE
The filters must be applied as a group. For example, if you want to apply four filters to an interface,
they must all appear on the same command line.
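
The mask comparison, the to range expansion and the drop-by-default behavior described above can be checked offline with a small model. This is an added Python example, not Brocade code; it assumes the filters in a group are checked in the order listed with the first match deciding, and it treats the destination missing from filter 1's command line as any, following the description.

```python
# Added example: models mask matching, filter-group expansion and the implicit drop.
# Assumption: filters in a group are checked in listed order and the first match wins.

def mac_to_int(mac):
    """Convert dotted-hex notation (e.g. 0180.c200.0000) to a 48-bit integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def field_matches(spec, mac):
    """spec is 'any' or an (address, mask) pair; only bits set in the mask are compared."""
    if spec == "any":
        return True
    addr, mask = (mac_to_int(x) for x in spec)
    return (mac_to_int(mac) & mask) == (addr & mask)

# filter-num -> (action, source spec, destination spec), taken from the commands above.
# Filter 1 has no destination on its command line; it is modelled as "any"
# because the description says "to any destination" (assumption).
FILTERS = {
    1: ("deny", ("3565.3475.3676", "ffff.0000.0000"), "any"),
    2: ("deny", "any", ("ffff.ffff.ffff", "ffff.ffff.ffff")),
    3: ("deny", "any", ("0180.c200.0000", "ffff.ffff.fff0")),
    4: ("deny", "any", ("0000.1234.5678", "ffff.ffff.ffff")),
    5: ("deny", "any", ("0000.2345.6789", "ffff.ffff.ffff")),
    1024: ("permit", "any", "any"),
}

def expand_group(tokens):
    """Expand filter-group arguments such as '1 to 5 1024' into [1, 2, 3, 4, 5, 1024]."""
    parts, out, i = tokens.split(), [], 0
    while i < len(parts):
        if i + 2 < len(parts) and parts[i + 1] == "to":
            out.extend(range(int(parts[i]), int(parts[i + 2]) + 1))
            i += 3
        else:
            out.append(int(parts[i]))
            i += 1
    return out

def evaluate(group, src, dst, filters=FILTERS):
    """Return (action, filter-num); ('deny', None) is the implicit drop from the NOTE."""
    for num in expand_group(group):
        action, src_spec, dst_spec = filters[num]
        if field_matches(src_spec, src) and field_matches(dst_spec, dst):
            return action, num
    return "deny", None
```

Evaluating the same frame against the group 1 to 5 with and without 1024 shows why the final permit any any filter is needed: without it, a frame that no deny filter matches is still dropped.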