HP ProCurve 9304M Installation And Configuration Manual page 152

Installation and Basic Configuration Guide
HP9300(config-vif-2)# mac filter 1 deny 00a0.cc77.a18d ffff.ffff.ffff any
HP9300(config-vif-2)# mac filter 2 deny 0010.2222.3333 ffff.ffff.ffff any
HP9300(config-vif-2)# mac deny-src-mac-filter-grp 1 2
Syntax: [no] mac deny-src-mac-filter-group <number>
<number> is the number of the ID of the filter that you've defined. You can enter up to eight filter IDs.
Enabling Logging of Packets Denied by MAC Filters
You can configure the HP device to generate Syslog entries and SNMP traps for packets that are denied by Layer
2 MAC filters. You can enable logging of denied packets on a global basis or an individual port basis.
The first time an entry in a MAC filter denies a packet and logging is enabled for that entry, the software generates
a Syslog message and an SNMP trap. Messages for packets denied by MAC filters are at the warning level of the
Syslog.
When the first Syslog entry for a packet denied by a MAC filter is generated, the software starts a five-minute MAC
filter timer. After this, the software sends Syslog messages every five minutes. The messages list the number of
packets denied by each MAC filter during the previous five-minute interval. If a MAC filter does not deny any
packets during the five-minute interval, the software does not generate a Syslog entry for that MAC filter.
NOTE: For a MAC filter to be eligible to generate a Syslog entry for denied packets, logging must be enabled for
the filter. The Syslog contains entries only for the MAC filters that deny packets and have logging enabled.
When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log
entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for
denied packets.
USING THE CLI
To configure Layer 2 MAC filter logging globally, enter the following CLI commands at the global CONFIG level:
HP9300(config)# mac filter log-enable
HP9300(config)# write memory
Syntax: [no] mac filter log-enable
To configure Layer 2 MAC filter logging for MAC filters applied to ports 1/1 and 3/3, enter the following CLI
commands:
HP9300(config)# int ethernet 1/1
HP9300(config-if-1/1)# mac filter-group log-enable
HP9300(config-if-1/1)# int ethernet 3/3
HP9300(config-if-3/3)# mac filter-group log-enable
HP9300(config-if-3/3)# write memory
Syntax: [no] mac filter-group log-enable
USING THE WEB MANAGEMENT INTERFACE
You cannot configure a Layer 2 MAC filter to generate Syslog entries and SNMP traps for denied packets using
the Web management interface.
Defining Broadcast and Multicast Filters
You can filter Layer 2 broadcast and multicast packets on specific ports.
• Layer 2 broadcast packets have the value "FFFFFFFFFFFF" (all ones) in the destination MAC address field.
You can configure broadcast filters for all types of IP packets or for UDP packets.
• Layer 2 multicast packets have a multicast address in the destination MAC address field. You can configure
multicast filters to filter on all MAC addresses or a specific multicast address.
You can configure up to eight of each type of filter.
6 - 40