Configuring Basic Features
USING THE WEB MANAGEMENT INTERFACE
You cannot configure this feature using the Web management interface.
Defining MAC Address Filters
MAC layer filtering enables you to build access lists based on MAC layer headers in the Ethernet/IEEE 802.3
frame. You can filter on the source and destination MAC addresses as well as other information such as the
EtherType, LLC1 DSAP or SSAP numbers, and a SNAP EtherType. The filters apply to incoming traffic only.
NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use IP access
policies. See the "Policies and Filters" appendix in the Advanced Configuration and Management Guide.
You configure MAC filters globally, then apply them to individual interfaces. To apply MAC filters to an interface,
you add the filters to that interface's MAC filter group.
The device takes the action associated with the first matching filter. If the packet does not match any of the filters
in the access list, the default action is to drop the packet. If you want the system to permit traffic by default, you
must specifically indicate this by making the last entry in the access list a permit filter. Here is an example:
mac filter <last-index-number> permit any any
For routing switches, the MAC filter is applied only to those inbound packets that are to be switched. This includes
those ports associated with a Virtual Ethernet (VE) interface. However, the filter is not applied to the VE; it is
applied to the physical port.
NOTE: Use MAC Layer 2 filters only for switched traffic. If a routing protocol (for example, IP or IPX) is
configured on an interface, a MAC filter defined on that interface is not applied to inbound packets. If you want to
filter inbound route traffic, configure a route filter.
When you create a MAC filter, it takes effect immediately. You do not need to reset the system. However, you do
need to save the configuration to flash memory to retain the filters across system resets.
For complete MAC filter examples, see the Command Line Interface Reference.
To define a MAC filter, use one of the following methods.
USING THE CLI
To configure and apply a MAC filter, enter commands such as the following:
HP9300(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806
HP9300(config)# mac filter 1024 permit any any
HP9300(config)# int e 1/1
HP9300(config-if-1/1)# mac filter-group 1
These commands configure a filter to deny ARP traffic with a source MAC address that begins with "3565" to any
destination. The second filter permits all traffic that is not denied by another filter.
NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter.
Syntax: mac filter <filter-num> permit | deny any | <H.H.H> any | <H.H.H> etype | IIc | snap <operator>
The <filter-num> is 1 – 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys
command, you can increase the maximum number of MAC filters support to 128 for global filter definitions.
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address
value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f's
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.
The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a
mask. In this case, the filter matches on all MAC addresses.
9 - 51