- Download PDFs
- Enabling Ethernet MAC Address Filtering
Enabling Ethernet MAC Address Filtering
By default, source address filtering is disabled. On aggregated Ethernet interfaces, Fast Ethernet, Gigabit Ethernet, Gigabit Ethernet IQ, and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i platform), you can enable source address filtering, which blocks all incoming packets to an interface.
 |
Note: Source address filtering is not supported on J-series Services Routers. |
To enable the filtering, include the source-filtering statement:
To explicitly disable filtering, include the no-source-filtering statement:
You can include these statements at the following hierarchy levels:
- [edit interfaces interface-name aggregated-ether-options]
- [edit interfaces interface-name fastether-options]
- [edit interfaces interface-name gigether-options]
Note: When you integrate a standalone T640 routing node into a routing matrix, the PIC media access control (MAC) addresses for the integrated T640 routing node are derived from a pool of MAC addresses maintained by the TX Matrix platform. For each MAC address you specify in the configuration of a formerly standalone T640 routing node, you must specify the same MAC address in the configuration of the TX Matrix platform.
Filtering Specific MAC Addresses
When source address filtering is enabled, you can configure the interface to receive packets from specific MAC addresses. To do this, specify the MAC addresses in the source-address-filter statement:
- source-address-filter {
- mac-address;
- <additional-mac-address>;
- }
You can include these statements at the following hierarchy levels:
- [edit interfaces interface-name aggregated-ether-options]
- [edit interfaces interface-name fastether-options]
- [edit interfaces interface-name gigether-options]
You can specify the MAC address as nn:nn:nn:nn:nn:nn or nnnn .nnnn.nnnn, where n is a hexadecimal number. You can configure up to 64 source addresses. To specify more than one address, include the source-address-filter statement multiple times.
|
Note: The source-address-filter statement is not supported on Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i platform); instead, include the accept-source-mac statement. For more information, see Configuring Gigabit Ethernet Policers. If the remote Ethernet card is changed, the interface cannot receive packets from the new card because it has a different MAC address. Source address filtering does not work when Link Aggregation Control Protocol (LACP) is enabled. For more information about LACP, see Configuring Aggregated Ethernet LACP. |
|
Note: On untagged Gigabit Ethernet interfaces, you should not configure the source-address-filter statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level simultaneously. If these statements are configured for the same interfaces at the same time, an error message is displayed. On tagged Gigabit Ethernet interfaces, you should not configure the source-address-filter statement at the [edit interfaces [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level with an identical MAC address specified in both filters. If these statements are configured for the same interfaces with an identical MAC address specified, an error message is displayed. |