Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

MAC Address Filtering and Accounting on Ethernet Interfaces

 

To block all incoming packets from a specific MAC address, you can enable MAC address filtering. You can configure an Ethernet Interface to dynamically learn source or destination MAC addresses. This topic describes how to enable MAC address filtering and how to configure MAC address accounting.

Configuring MAC Address Filtering for Ethernet Interfaces

Enabling Source Address Filtering

On aggregated Ethernet interfaces, Fast Ethernet, Gigabit Ethernet, Gigabit Ethernet IQ, and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can enable source address filtering to block all incoming packets from a specific MAC address.

To enable the filtering, include the source-filtering statement at the following hierarchy levels:

  • [edit interfaces interface-name aggregated-ether-options]

  • [edit interfaces interface-name fastether-options]

  • [edit interfaces interface-name gigether-options]

    Note

    When you integrate a standalone T640 router into a routing matrix, the PIC media access control (MAC) addresses for the integrated T640 router are derived from a pool of MAC addresses maintained by the TX Matrix router. For each MAC address you specify in the configuration of a formerly standalone T640 router, you must specify the same MAC address in the configuration of the TX Matrix router.

    Similarly, when you integrate a T1600 or T4000 router into a routing matrix, the PIC MAC addresses for the integrated T1600 or T4000 router are derived from a pool of MAC addresses maintained by the TX Matrix Plus router. For each MAC address you specify in the configuration of a formerly standalone T1600 or T4000 router, you must specify the same MAC address in the configuration of the TX Matrix Plus router.

When source address filtering is enabled, you can configure the interface to receive packets from specific MAC addresses. To do this, specify the MAC addresses in the source-address-filter mac-address statement at the following hierarchy levels:

  • [edit interfaces interface-name aggregated-ether-options]

  • [edit interfaces interface-name fastether-options]

  • [edit interfaces interface-name gigether-options]

You can specify the MAC address as nn:nn:nn:nn:nn:nn or nnnn .nnnn.nnnn, where n is a hexadecimal number. You can configure up to 64 source addresses. To specify more than one address, include the source-address-filter statement multiple times.

Note

The source-address-filter statement is not supported on Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router); instead, include the accept-source-mac statement. For more information, see Configuring Gigabit Ethernet Policers.

If the remote Ethernet card is changed, the interface cannot receive packets from the new card because it has a different MAC address.

Source address filtering does not work when Link Aggregation Control Protocol (LACP) is enabled. This behavior is not applicable to T series routers and PTX Series Packet Transport Routers. For more information about LACP, see Configuring LACP for Aggregated Ethernet Interfaces.

Note

On untagged Gigabit Ethernet interfaces, you should not configure the source-address-filter statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level simultaneously. If these statements are configured for the same interfaces at the same time, an error message is displayed.

On tagged Gigabit Ethernet interfaces, you should not configure the source-address-filter statement at the [edit interfaces [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level with an identical MAC address specified in both filters. If these statements are configured for the same interfaces with an identical MAC address specified, an error message is displayed.

Note

The source-address-filter statement is not supported on MX Series routers with MPC4E (model numbers: MPC4E-3D-32XGE-SFPP and MPC4E-3D-2CGE-8XGE); instead, include the accept-source-mac statement. For more information, see Configuring Gigabit Ethernet Policers.

Configuring MAC Address Filtering on PTX Series Packet Transport Routers

This topic describes how to configure MAC filtering on PTX Series Packet Transport Routers. MAC filtering enables you to specify the MAC addresses from which the Ethernet interface can receive packets.

MAC filtering support on PTX Series Packet Transport Routers includes:

  • MAC source and destination address filtering for each port.

  • MAC source address filtering for each physical interface.

  • MAC source address filtering for each logical interface.

When you filter logical and physical interfaces, you can specify up to 1000 MAC source addresses per port.

To configure MAC source address filtering for a physical interface, include the source-filtering and source-address-filter statements at the [edit interfaces et-fpc/pic/port gigether-options] hierarchy level:

The source-address-filter statement configures which MAC source addresses are filtered. The specified physical interface drops all packets from the MAC source addresses you specify. You can specify the MAC address as nn:nn:nn:nn:nn:nn where n is a decimal digit. To specify more than one address, include multiple mac-address options in the source-address-filter statement.

To configure MAC source address filtering for a logical interface, include the accept-source-mac statement at the [edit interfaces et-fpc/pic/port unit logical-unit-number] hierarchy level:

The accept-source-mac statement configures which MAC source addresses are accepted on the logical interface. You can specify the MAC address as nn:nn:nn:nn:nn:nn where n is a decimal digit. To specify more than one address, include multiple mac-address mac-address options in the accept-source-mac statement.

After an interface filter is configured, there is an accounting entry that is associated with the MAC address filter. Counters accumulate if there are packets with matching MAC source addresses. You can use the show interfaces mac-database Junos OS CLI command to view the address count.

Configuring MAC Address Accounting

For Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), for Gigabit Ethernet DPCs on MX Series routers, for 100-Gigabit Ethernet Type 5 PIC with CFP, and for MPC3E, MPC4E, MPC5E, MPC5EQ, and MPC6E MPCs, you can configure whether source and destination MAC addresses are dynamically learned.

To configure MAC address accounting on an individual Ethernet interface, include the mac-learn-enable statement at the [edit interfaces interface-name gigether-options ethernet-switch-profile] hierarchy level:

To configure MAC address accounting on an aggregated Ethernet interface, include the mac-learn-enable statement at the [edit interfaces aex aggregated-ether-options ethernet-switch-profile] hierarchy level:

To prohibit an interface from dynamically learning source and destination MAC addresses, do not include the mac-learn-enable statement.

To disable dynamic learning of the source and destination MAC addresses after it has been configured, you must delete mac-learn-enable from the configuration.

Note

MPCs support MAC address accounting for an individual interface or an aggregated Ethernet interface member link only after the interface has received traffic from the MAC source. If traffic is only exiting an interface, the MAC address is not learned and MAC address accounting does not occur.