Installation and Basic Configuration Guide
NOTE: In software release 07.6.04, you can apply MAC filters to virtual routing interfaces. For more information,
see "Configuring MAC Address Filters for Virtual Routing Ports" on page 6-39.
The device takes the action associated with the first matching filter. If the packet does not match any of the filters
in the access list, the default action is to drop the packet. If you want the system to permit traffic by default, you
must specifically indicate this by making the last entry in the access list a permit filter. Here is an example:
mac filter <last-index-number> permit any any
For Routing Switches, the MAC filter is applied only to those inbound packets that are to be switched. This
includes those ports associated with a virtual routing interface. However, the filter is not applied to the virtual
routing interface. It is applied to the physical port.
NOTE: Inbound traffic on a port to which a Layer 2 MAC filter is assigned is sent to the CPU for processing.
NOTE: Use MAC Layer 2 filters only for switched traffic. If a routing protocol (for example, IP or IPX) is
configured on an interface, a MAC filter defined on that interface is not applied to inbound packets. If you want to
filter inbound route traffic, configure a route filter.
When you create a MAC filter, it takes effect immediately. You do not need to reset the system. However, you do
need to save the configuration to flash memory to retain the filters across system resets.
For complete MAC filter examples, see the Command Line Interface Reference.
Configuring MAC Address Filters for Physical Ports
NOTE: In software releases 07.6.04 and later, you can apply MAC filters to virtual routing interfaces. For more
information, see "Configuring MAC Address Filters for Virtual Routing Ports" on page 6-39.
To define a MAC filter, use one of the following methods.
USING THE CLI
To configure and apply a MAC filter, enter commands such as the following:
HP9300(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806
HP9300(config)# mac filter 1024 permit any any
HP9300(config)# int e 1/1
HP9300(config-if-1/1)# mac filter-group 1
These commands configure a filter to deny ARP traffic with a source MAC address that begins with "3565" to any
destination. The second filter permits all traffic that is not denied by another filter.
NOTE: Once you apply a MAC filter to a port, the device drops all Layer 2 traffic on the port that does not match a
MAC permit filter on the port.
Syntax: mac filter <filter-num> permit | deny any | <H.H.H> any | <H.H.H> etype | llc | snap <operator> <frame-type>
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address
value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f's
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.
The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a
mask. In this case, the filter matches on all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same
as those for the <src-mac> <mask> | any parameter.
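The following Python sketch is an added illustration, not code from this guide or from the device software. It models how the mask comparison, first-match evaluation and default drop described above decide the fate of a frame, using the two filters from the CLI example. The function names, the sample frames and the assumption that filters are checked in ascending index order are constructed for the example.

```python
# Added illustration: a simplified model of first-match MAC filter evaluation.
# Not vendor code; function names and sample frames are constructed.

def mac_to_int(mac):
    """Convert H.H.H notation (e.g. aabb.ccdd.eeff) to a 48-bit integer."""
    groups = mac.split(".")
    if len(groups) != 3 or any(len(g) != 4 for g in groups):
        raise ValueError(f"expected H.H.H notation, got {mac!r}")
    return int("".join(groups), 16)

def field_matches(spec, mac):
    """spec is 'any' or an (address, mask) pair; only bits set in the mask are compared."""
    if spec == "any":
        return True
    addr, mask = (mac_to_int(x) for x in spec)
    return (mac_to_int(mac) & mask) == (addr & mask)

def evaluate(filters, src, dst, etype):
    """Return the action of the first matching filter, or 'deny' if none match."""
    for index in sorted(filters):  # assumption: checked in ascending index order
        action, src_spec, dst_spec, etype_eq = filters[index]
        if (field_matches(src_spec, src) and field_matches(dst_spec, dst)
                and etype_eq in (None, etype)):
            return action
    return "deny"  # default action: the packet is dropped

# The two filters from the CLI example (etype eq 806 taken as hex 0x0806, ARP).
FILTERS = {
    1: ("deny", ("3565.3475.3676", "ffff.0000.0000"), "any", 0x0806),
    1024: ("permit", "any", "any", None),
}

if __name__ == "__main__":
    frames = [  # constructed sample frames: (source, destination, EtherType)
        ("3565.aaaa.bbbb", "ffff.ffff.ffff", 0x0806),
        ("3565.aaaa.bbbb", "0010.2030.4050", 0x0800),
        ("0001.0203.0405", "ffff.ffff.ffff", 0x0806),
    ]
    for src, dst, etype in frames:
        print(src, dst, hex(etype), "->", evaluate(FILTERS, src, dst, etype))
    # Without the final permit filter, unmatched traffic falls to the default drop.
    without_permit = {1: FILTERS[1]}
    print("no final permit:",
          evaluate(without_permit, "0001.0203.0405", "ffff.ffff.ffff", 0x0800))
```

Running the model before applying a filter group to a port shows which frames would reach the default drop if the final permit entry were left out.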
Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address.
The MAC filter allows you to filter on the following encapsulation types: