Technical data

Switching and Routing

ServerIron(config-if-1/1)#mac filter-group 1

These commands configure a filter to deny ARP traffic with a source MAC address that begins with “3565” to any

destination. The second filter permits all traffic that is not denied by another filter.

After you define the filters, you apply them to individual interfaces using the mac filter-group command.

snap eq | gt | lt | neq <frame-type>

The <filter-num> is 1 – 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys

command, you can increase the maximum number of MAC filters support to 128 for global filter definitions.

The permit | deny argument determines the action the software takes when a match occurs.

The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address

value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f’s

(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask

ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.

The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask.

In this case, the filter matches on all MAC addresses.

The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same

as those for the <src-mac> <mask> | any parameter.

Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address.

The MAC filter allows for you to filter on the following encapsulation types:

• etype (Ethertype) – a two byte field indicating the protocol type of the frame. This can range from 0x0600 to

0xFFFF.

• llc (IEEE 802.3 LLC1 SSAP and DSAP) – a two byte sequence providing similar function as the EtherType

but for an IEEE 802.3 frame.

• snap (IEEE 802.3 LLC1 SNAP) – a specific LLC1 type packet.

To determine which type of frame is used on your network, use a protocol analyzer. If byte 12 of an Ethernet

packet is equal to or greater than 0600 (hex), it is an Ethernet framed packet. Any number below this indicates an

IEEE 802.3 frame (byte 12 will now indicate the length of the data field). Some well-known Ethernet types are

0800 (TCP/IP), 0600 (XNS), and 8137 (Novell Netware). Refer to RFC 1042 for a complete listing of EtherTypes.

For IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of LLC header. Some well-known SAPs

include: FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP are

the same.

NOTE: You must type in both bytes, otherwise the software will fill the field, left justified with a 00. Refer to RFC

1042 for a complete listing of SAP numbers.

SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03.

Immediately following these is a five-byte SNAP header. The first three bytes in this header are not used by the

MAC filters. However, the next two bytes usually are set to the EtherType, so you can define the EtherType inside

the SNAP header that you want to filter on.

The eq | gt | lt | neq argument specifies the possible operator: eq (equal), gt (greater than), lt (less than) and neq

(not equal).

The <frame-type> argument is a hexadecimal number for the frame type. For example, the hex number for ARP is

806.

The mac filter-group <filter-list> applies a group of MAC filters to the interface. The filters must be applied as a

group. For example, if you want to apply four filters to an interface, they must all appear on the same command

line. You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the

filter group again containing all the filters you want to apply to the port. If you apply a filter group to a port that

already has a filter group applied, the older filter group is replaced by the new filter group.