MAC address filter command syntax

MAC address filtering permits or denies traffic from devices based on the specified MAC address list.

Once you apply a MAC address filter to a port, the device drops all Ethernet traffic on the port that does not match a MAC permit filter on the port. The filters must be applied as a group. For example, if you want to apply four filters to an interface, they must all appear on the same command line. You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port. If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.

The following steps configure MAC address filtering based on the MAC address list.

Note: Each ICX7150 device supports a maximum of 384 MAC filters and a maximum of 16 MAC filters per port. For other ICX devices, you can configure up to 507 MAC filters, and the default value is 512.
  1. Enter global configuration mode.
    device# configure terminal
    device(config)#
  2. Define the list of MAC address filters that permit or deny traffic based on the source MAC address, the destination MAC address, or both.
    
    device(config)# mac filter 1 deny 0010.0075.3676 ffff.0000.0000
    device(config)# mac filter 2 deny any 0000.0023.fbcd ffff.ffff.ffff 
    device(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0 
    device(config)# mac filter 4 deny any 0000.0034.5678 ffff.ffff.ffff 
    device(config)# mac filter 5 deny any 0000.0045.6789 ffff.ffff.ffff 
    device(config)# mac filter 1024 permit any any
    

    In the source or destination MAC address field, you can specify a single MAC address with an exact mask, a range of MAC addresses with a variable mask, or any to match any MAC address. Specify the mask using f (ones) and zeros. For example, to match on the first two bytes of the address 0010.0075.3676, use the mask ffff.0000.0000. In this case, the filter matches all MAC addresses that contain "0010" as the first two bytes and accepts any value for the remaining bytes of the MAC address.

  3. Apply the previously created MAC filters to an interface using the mac filter-group command.
    
    device(config)# interface ethernet 1/1/1
    device(config-if-e1000-1/1/1)# mac filter-group 1 to 5 1024
    
    When applying the filter-group to the interface, specify each filter-id to be applied separately or specify a range of filter-ids, for example, 1 3 to 8 10.

The following example denies Layer 2 traffic that matches the conditions of filters 1 to 5 and permits traffic from all other source MAC addresses according to the last statement, filter 1024. Filters 1 to 5 and the permit filter 1024 are then applied to port 1/1/2.


device# configure terminal
device(config)# mac filter 1 deny 0010.0075.3676 ffff.0000.0000
device(config)# mac filter 2 deny any 0000.0023.fbcd ffff.ffff.ffff 
device(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0 
device(config)# mac filter 4 deny any 0000.0034.5678 ffff.ffff.ffff 
device(config)# mac filter 5 deny any 0000.0045.6789 ffff.ffff.ffff 
device(config)# mac filter 1024 permit any any
device(config)# interface ethernet 1/1/2
device(config-if-e1000-1/1/2)# mac filter-group 1 to 5 1024
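
The mask matching and the drop-unless-permitted behavior of this filter group can be checked offline before it is applied to a port. The following Python sketch is an added example, not vendor code; it assumes filters are evaluated in ascending filter ID order with the first match deciding, and that an omitted destination field means any. The test frames are constructed.

```python
import re

def mac_to_int(text):
    """Convert dotted-hex notation (0010.0075.3676) to a 48-bit integer."""
    digits = text.replace(".", "")
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"bad MAC address or mask: {text!r}")
    return int(digits, 16)

def parse_field(tokens):
    """Consume 'any' or '<mac> <mask>' and return an (address, mask) pair."""
    if not tokens or tokens[0] == "any":  # assumption: omitted field means any
        del tokens[:1]
        return (0, 0)
    if len(tokens) < 2:
        raise ValueError("address given without a mask")
    addr, mask = mac_to_int(tokens.pop(0)), mac_to_int(tokens.pop(0))
    return (addr & mask, mask)

def parse_filter(line):
    """Parse 'mac filter <id> permit|deny <source> <destination>'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[:2] != ["mac", "filter"] or tokens[3] not in ("permit", "deny"):
        raise ValueError(f"not a mac filter line: {line!r}")
    rest = tokens[4:]
    return int(tokens[2]), (tokens[3], parse_field(rest), parse_field(rest))

def evaluate(filters, group, src, dst):
    """Return (action, filter_id) for one frame on a port with this filter group."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for fid in sorted(group):  # assumption: ascending ID order, first match wins
        action, (sa, sm), (da, dm) = filters[fid]
        if (s & sm) == sa and (d & dm) == da:
            return (action, fid)
    return ("deny", None)  # no permit filter matched, so the port drops the frame

# Filter definitions copied from the example above.
CONFIG = """\
mac filter 1 deny 0010.0075.3676 ffff.0000.0000
mac filter 2 deny any 0000.0023.fbcd ffff.ffff.ffff
mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0
mac filter 4 deny any 0000.0034.5678 ffff.ffff.ffff
mac filter 5 deny any 0000.0045.6789 ffff.ffff.ffff
mac filter 1024 permit any any
"""
FILTERS = dict(parse_filter(line) for line in CONFIG.splitlines())

if __name__ == "__main__":
    print(evaluate(FILTERS, [1, 2, 3, 4, 5, 1024], "0010.aaaa.bbbb", "0000.0099.0001"))
```

Running the same frames against the group without filter 1024 shows that a group with no matching permit filter drops everything on the port.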

When a MAC address filter is applied to or removed from an interface, a Syslog message is generated.


SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter applied to port 1/1/2 by tester from telnet session (filter id=5) 
SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter removed from port 1/1/2 by tester from telnet session (filter id=5)

The Syslog messages indicate that a MAC address filter was applied to the specified port by the specified user during the specified session type. Session type can be Console, Telnet, SSH, Web, SNMP, or others. The filter IDs that were added or removed are listed.