MAC Address Filtering and Accounting on Ethernet Interfaces

Learn how to enable MAC address filtering and how to configure MAC address accounting on Ethernet interfaces.

MAC address filtering is a security feature that controls network access by filtering on MAC addresses. To block all incoming packets from a specific MAC address, you can enable MAC address filtering. You can also configure an Ethernet interface to dynamically learn source or destination MAC addresses.

Configuring MAC Address Filtering for Ethernet Interfaces

Enabling Source Address Filtering

On aggregated Ethernet interfaces, Fast Ethernet, Gigabit Ethernet, Gigabit Ethernet IQ, and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can enable source address filtering to block all incoming packets from a specific MAC address.

To enable the filtering, include the source-filtering statement at the following hierarchy levels:

  • [edit interfaces interface-name aggregated-ether-options]

  • [edit interfaces interface-name fastether-options]

  • [edit interfaces interface-name gigether-options]

    Note:

    When you integrate a standalone T640 router into a routing matrix, the PIC media access control (MAC) addresses for the integrated T640 router are derived from a pool of MAC addresses maintained by the TX Matrix router. For each MAC address you specify in the configuration of a formerly standalone T640 router, you must specify the same MAC address in the configuration of the TX Matrix router.

    Similarly, when you integrate a T1600 or T4000 router into a routing matrix, the PIC MAC addresses for the integrated T1600 or T4000 router are derived from a pool of MAC addresses maintained by the TX Matrix Plus router. For each MAC address you specify in the configuration of a formerly standalone T1600 or T4000 router, you must specify the same MAC address in the configuration of the TX Matrix Plus router.

When source address filtering is enabled, you can configure the interface to receive packets from specific MAC addresses. To do this, specify the MAC addresses in the source-address-filter mac-address statement at the following hierarchy levels:

  • [edit interfaces interface-name aggregated-ether-options]

  • [edit interfaces interface-name fastether-options]

  • [edit interfaces interface-name gigether-options]

You can specify the MAC address as nn:nn:nn:nn:nn:nn or nnnn.nnnn.nnnn, where n is a hexadecimal number. You can configure up to 64 source addresses. To specify more than one address, include the source-address-filter statement multiple times.
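An added example (not Juniper's code): a Python helper that accepts both MAC notations described above, removes duplicates, enforces the 64-address limit, and emits one source-address-filter statement per address. The function names, the fe-0/1/0 interface, the interface-prefix mapping, and the sample MAC addresses are assumptions made for illustration.

```python
import re

MAX_SOURCE_ADDRESSES = 64  # limit stated in the text above
# Assumption: interface-name prefixes mapped to the three hierarchy levels above.
OPTIONS_BY_PREFIX = {
    "ae": "aggregated-ether-options",
    "fe": "fastether-options",
    "ge": "gigether-options",
}
_COLON = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
_DOTTED = re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}")


def normalize_mac(text):
    """Return a MAC written in either accepted notation as nn:nn:nn:nn:nn:nn."""
    value = text.strip().lower()
    if _COLON.fullmatch(value):
        return value
    if _DOTTED.fullmatch(value):
        digits = value.replace(".", "")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"unsupported MAC notation: {text!r}")


def build_source_filter(interface, macs):
    """Return set commands enabling source filtering with `macs` as allowed sources."""
    options = OPTIONS_BY_PREFIX.get(interface[:2])
    if options is None:
        raise ValueError(f"no source-filtering hierarchy known for {interface!r}")
    allowed = []
    for mac in macs:
        mac = normalize_mac(mac)
        if mac not in allowed:  # one address given in both notations counts once
            allowed.append(mac)
    if len(allowed) > MAX_SOURCE_ADDRESSES:
        raise ValueError(f"{len(allowed)} addresses exceed the limit of {MAX_SOURCE_ADDRESSES}")
    base = f"set interfaces {interface} {options}"
    # One source-address-filter statement per address, as the text describes.
    return [f"{base} source-filtering"] + [f"{base} source-address-filter {m}" for m in allowed]


if __name__ == "__main__":
    # Constructed sample input: documentation-range MACs, one repeated in dotted form.
    sample = ["00:00:5E:00:53:01", "0000.5e00.5301", "00:00:5e:00:53:02"]
    print("\n".join(build_source_filter("fe-0/1/0", sample)))
```

Check the notes on this page for PICs and MPCs that do not support source-address-filter before applying the generated statements.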

Note:

The source-address-filter statement is not supported on Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router); instead, include the accept-source-mac statement. For more information, see Configuring Gigabit Ethernet Policers.

If the remote Ethernet card is changed, the interface cannot receive packets from the new card because it has a different MAC address.

Source address filtering does not work when Link Aggregation Control Protocol (LACP) is enabled. This behavior is not applicable to T series routers and PTX Series Packet Transport Routers. For more information about LACP, see Aggregated Ethernet Interfaces.

Note:

On untagged Gigabit Ethernet interfaces, you should not configure the source-address-filter statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level simultaneously. If these statements are configured for the same interfaces at the same time, an error message is displayed.

On tagged Gigabit Ethernet interfaces, you should not configure the source-address-filter statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level with an identical MAC address specified in both filters. If these statements are configured for the same interfaces with an identical MAC address specified, an error message is displayed.

Note:

The source-address-filter statement is not supported on MX Series routers with MPC4E (model numbers: MPC4E-3D-32XGE-SFPP and MPC4E-3D-2CGE-8XGE); instead, include the accept-source-mac statement. For more information, see Configuring Gigabit Ethernet Policers.

Configuring MAC Address Accounting

For Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), for Gigabit Ethernet DPCs on MX Series routers, for 100-Gigabit Ethernet Type 5 PIC with CFP, and for MPC3E, MPC4E, MPC5E, MPC5EQ, and MPC6E MPCs, you can configure whether source and destination MAC addresses are dynamically learned.

To configure MAC address accounting on an individual Ethernet interface, include the mac-learn-enable statement at the [edit interfaces interface-name gigether-options ethernet-switch-profile] hierarchy level.

To configure MAC address accounting on an aggregated Ethernet interface, include the mac-learn-enable statement at the [edit interfaces aex aggregated-ether-options ethernet-switch-profile] hierarchy level.

To prohibit an interface from dynamically learning source and destination MAC addresses, do not include the mac-learn-enable statement.

To disable dynamic learning of the source and destination MAC addresses after it has been configured, you must delete mac-learn-enable from the configuration.

Note:

MPCs support MAC address accounting for an individual interface or an aggregated Ethernet interface member link only after the interface has received traffic from the MAC source. If traffic is only exiting an interface, the MAC address is not learned and MAC address accounting does not occur.