
FastIron Configuration Guide 573
53-1002494-02
Defining MAC address filters
Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any
Syntax: dot1x auth-filter <filter-list>
The permit | deny argument determines the action the software takes when a match occurs. In the
previous example, the permit action creates an 802.1X session in the FORCE AUTHORIZE state,
meaning that the device is placed unconditionally in the authorized state, bypassing 802.1X
authentication and allowing all traffic from the specified MAC address. The deny action creates an
802.1X session in the FORCE UNAUTHORIZE state, meaning that the device will never be
authorized, even if it has the appropriate credentials.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a
specific address value and a comparison mask, or the keyword any to filter on all MAC addresses.
Specify the mask using f (ones) and zeros. For example, to match on the first two bytes of the
address aabb.ccdd.eeff, use the mask ffff.0000.0000. The filter matches on all MAC addresses
that contain aabb as the first two bytes and accepts any value for the remaining bytes of the MAC
address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC
addresses. If no match is found, the implicit action is to authenticate the client.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules
are the same as those for the <src-mac> <mask> | any parameter. Note that the 802.1X
authentication filter (dot1x auth-filter) does not use the destination MAC address in the MAC
address filter; only the source MAC address is compared.
The <filter-num> parameter identifies the MAC address filter. The maximum number of supported
MAC address filters is determined by the mac-filter-sys default or configured value.
The dot1x auth-filter <filter-list> command binds MAC address filters to a port.
The following rules apply when using the dot1x auth-filter command:
- When you add filters to or modify the dot1x auth-filter, the system clears all 802.1X sessions
  on the port. Consequently, all users that are logged in will need to be re-authenticated.
- The maximum number of filters that can be bound to a port is limited by the mac-filter-port
  default or configured value.
- The filters must be applied as a group. For example, if you want to apply four filters to an
  interface, they must all appear on the same command line.
- You cannot add or remove individual filters in the group. To add or remove a filter on an
  interface, apply the filter group again containing all the filters you want to apply to the port.
- If you apply a filter group to a port that already has a filter group applied, the older filter group is
  replaced by the new filter group.
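The following Python model is an added example, not code from the FastIron guide or from the vendor. It ties together the mask semantics of the mac filter syntax (f bits compare, 0 bits are wildcards, any matches everything, no match falls through to normal 802.1X authentication, destination MAC ignored by dot1x auth-filter) and the dot1x auth-filter binding rules (the group is applied whole, a new group replaces the old one, and sessions on the port are cleared). The CLI lines and MAC addresses in SAMPLE_CONFIG are constructed sample data, and the assumption that filters in a group are evaluated in the listed order with the first match winning is this model's, not a statement from the guide.

```python
"""Model of FastIron 802.1X MAC address filter semantics (added example, not vendor code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Session outcomes described for the filter actions.
FORCE_AUTHORIZE = "FORCE_AUTHORIZE"      # permit: authorized, 802.1X exchange bypassed
FORCE_UNAUTHORIZE = "FORCE_UNAUTHORIZE"  # deny: never authorized, even with valid credentials
AUTHENTICATE = "AUTHENTICATE"            # no filter matched: normal 802.1X authentication


def mac_to_int(mac: str) -> int:
    """Parse aabb.ccdd.eeff (or aa:bb:cc:dd:ee:ff) into a 48-bit integer."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address or mask: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacFilter:
    num: int
    action: str                # "permit" or "deny"
    src: Optional[int]         # None represents the keyword `any`
    src_mask: int
    dst: Optional[int]         # parsed for completeness; dot1x auth-filter ignores it
    dst_mask: int

    def matches_src(self, mac: int) -> bool:
        # Mask bit 1 (hex f) means "compare this bit"; mask bit 0 means "don't care".
        return self.src is None or (mac & self.src_mask) == (self.src & self.src_mask)


_FILTER_RE = re.compile(r"mac filter (\d+) (permit|deny) (any|\S+ \S+) (any|\S+ \S+)$")


def _parse_addr_mask(part: str) -> Tuple[Optional[int], int]:
    if part == "any":
        return None, 0          # `any` takes no mask and matches every address
    addr, mask = part.split()
    return mac_to_int(addr), mac_to_int(mask)


def parse_mac_filter(line: str) -> MacFilter:
    """Parse one `mac filter <num> permit|deny <src> <mask>|any <dst> <mask>|any` line."""
    m = _FILTER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised mac filter line: {line!r}")
    num, action, src_part, dst_part = m.groups()
    src, src_mask = _parse_addr_mask(src_part)
    dst, dst_mask = _parse_addr_mask(dst_part)
    return MacFilter(int(num), action, src, src_mask, dst, dst_mask)


class Port:
    """A port whose dot1x auth-filter group is always replaced as a whole."""

    def __init__(self, defined: Dict[int, MacFilter]):
        self._defined = defined
        self.group: List[MacFilter] = []
        self.sessions_cleared = 0

    def apply(self, line: str) -> None:
        """Bind the group named by a `dot1x auth-filter <filter-list>` line."""
        m = re.match(r"dot1x auth-filter ((?:\d+\s*)+)$", line.strip())
        if not m:
            raise ValueError(f"unrecognised dot1x auth-filter line: {line!r}")
        nums = [int(n) for n in m.group(1).split()]
        # The new group replaces any previous group; all 802.1X sessions are cleared.
        self.group = [self._defined[n] for n in nums]
        self.sessions_cleared += 1

    def decide(self, src_mac: str) -> str:
        """Evaluate filters in listed order (assumed); no match means authenticate normally."""
        mac = mac_to_int(src_mac)
        for f in self.group:
            if f.matches_src(mac):
                return FORCE_AUTHORIZE if f.action == "permit" else FORCE_UNAUTHORIZE
        return AUTHENTICATE


# Constructed sample configuration; these addresses are not from the guide.
SAMPLE_CONFIG = """
mac filter 1 permit 0000.0011.2233 ffff.ffff.ffff any
mac filter 2 deny aabb.ccdd.eeff ffff.0000.0000 any
mac filter 3 permit any any
"""


def build_port(config: str) -> Port:
    """Define every mac filter in `config` and return a port with no group bound yet."""
    defined = {}
    for line in config.strip().splitlines():
        f = parse_mac_filter(line)
        defined[f.num] = f
    return Port(defined)


if __name__ == "__main__":
    port = build_port(SAMPLE_CONFIG)
    port.apply("dot1x auth-filter 1 2")
    for mac in ("0000.0011.2233", "aabb.1234.5678", "0000.0011.2234"):
        print(mac, port.decide(mac))
    port.apply("dot1x auth-filter 1 2 3")   # whole group re-applied, old group replaced
    print("0000.0011.2234", port.decide("0000.0011.2234"), "sessions cleared:", port.sessions_cleared)
```

Running the script shows the exact-match permit, the prefix-mask deny catching every aabb.* address, the fall-through to normal authentication when nothing matches, and, after the group is re-applied with filter 3, the catch-all permit taking over for the previously unmatched address while the session-clear counter records the second binding.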