HP 9304m Installation And Getting Started Manual page 112

For Routing Switches, the MAC filter is applied only to those inbound packets that are to be switched. This
includes those ports associated with a Virtual Ethernet (VE) interface. However, the filter is not applied to the VE;
it is applied to the physical port.
NOTE: Use MAC Layer 2 filters only for switched traffic. If a routing protocol (for example, IP or IPX) is
configured on an interface, a MAC filter defined on that interface is not applied to inbound packets. If you want to
filter inbound route traffic, configure a route filter.
When you create a MAC filter, it takes effect immediately. You do not need to reset the system. However, you do
need to save the configuration to flash memory to retain the filters across system resets.
For complete MAC filter examples, see the Command Line Interface Reference .
To define a MAC filter, use one of the following methods.
USING THE CLI
To configure and apply a MAC filter, enter commands such as the following:
HP9300(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806
HP9300(config)# mac filter 1024 permit any any
HP9300(config)# int e 1/1
HP9300(config-if-1/1)# mac filter-group 1
These commands configure a filter to deny ARP traffic with a source MAC address that begins with "3565" to any
destination. The second filter permits all traffic that is not denied by another filter.
NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter.
Syntax: mac filter <filter-num> permit | deny any | <H.H.H> any | <H.H.H> etype | IIc | snap <operator>
<frame-type>
The <filter-num> is 1 – 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys
command, you can increase the maximum number of MAC filters support to 128 for global filter definitions.
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address
value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f's
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.
The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask.
In this case, the filter matches on all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same
as those for the <src-mac> <mask> | any parameter.
Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address.
The MAC filter allows for you to filter on the following encapsulation types:
• etype (Ethertype) – a two byte field indicating the protocol type of the frame. This can range from 0x0600 to
0xFFFF.
• llc (IEEE 802.3 LLC1 SSAP and DSAP) – a two byte sequence providing similar function as the EtherType
but for an IEEE 802.3 frame.
• snap (IEEE 802.3 LLC1 SNAP) – a specific LLC1 type packet.
To determine which type of frame is used on your network, use a protocol analyzer. If byte 12 of an Ethernet
packet is equal to or greater than 0600 (hex), it is an Ethernet framed packet. Any number below this indicates an
IEEE 802.3 frame (byte 12 will now indicate the length of the data field). Some well-known Ethernet types are
0800 (TCP/IP), 0600 (XNS), and 8137 (Novell Netware). Refer to RFC 1042 for a complete listing of EtherTypes.
For IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of LLC header. Some well-known SAPs
include: FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP are
the same.
Configuring Basic Features
4 - 33