MAC Address Filtering and Accounting on Ethernet Interfaces
Learn how to enable MAC address filtering and how to configure MAC address accounting on Ethernet interfaces.
MAC address filtering is a security feature that controls network access by filtering MAC addresses. To block all incoming packets from a specific MAC address, you can enable MAC address filtering. You can configure an Ethernet interface to dynamically learn source or destination MAC addresses.
MAC Address Filtering Overview
On Ethernet interfaces with SFPs, you can enable source address filtering to block all incoming packets from a specific MAC address. When you filter logical and physical interfaces, you can specify up to 1000 MAC source addresses per port.
MAC filtering support includes:
- MAC source and destination address filtering for each port.
- MAC source address filtering for each physical interface.
- MAC source address filtering for each logical interface.
Configure MAC Address Filtering for Ethernet Interfaces
On aggregated Ethernet interfaces, Fast Ethernet, Gigabit Ethernet, Gigabit Ethernet IQ, and Gigabit Ethernet PICs with SFPs, you can enable source address filtering to block all incoming packets from a specific MAC address.
- To enable the filtering, include the source-filtering statement at the [edit interfaces interface-name aggregated-ether-options | fastether-options | gigether-options] hierarchy level.
- When source address filtering is enabled, you can configure the interface to receive packets from specific MAC addresses. To do this, specify the MAC addresses in the source-address-filter mac-address statement at the [edit interfaces interface-name aggregated-ether-options | fastether-options | gigether-options] hierarchy levels.
- You can specify the MAC address as nn:nn:nn:nn:nn:nn or nnnn.nnnn.nnnn, where n is a hexadecimal number. You can configure up to 64 source addresses. To specify more than one address, include the source-address-filter statement multiple times.
Source address filtering does not work when Link Aggregation Control Protocol (LACP) is enabled.
If the remote Ethernet card is changed, the interface cannot receive packets from the new card because it has a different MAC address.
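The following Python helper is an added example, not Juniper's code: it checks an allow list against the two MAC notations and the 64-address limit described above, then emits the source-filtering and source-address-filter statements as Junos set commands. The interface name ge-0/0/1, the sample addresses, and the function names are constructed for illustration.

```python
import re

MAX_SOURCE_ADDRESSES = 64  # limit this page states for source-address-filter
OPTION_LEVELS = {"aggregated-ether-options", "fastether-options", "gigether-options"}
_COLON = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
_DOTTED = re.compile(r"^[0-9a-f]{4}(\.[0-9a-f]{4}){2}$")


def normalize_mac(text):
    """Accept nn:nn:nn:nn:nn:nn or nnnn.nnnn.nnnn; return lowercase colon form."""
    candidate = text.strip().lower()
    if _COLON.match(candidate):
        return candidate
    if _DOTTED.match(candidate):
        digits = candidate.replace(".", "")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"not a MAC address in either documented notation: {text!r}")


def build_source_filter(interface, option_level, allowed_macs):
    """Return the set commands that enable source filtering for allowed_macs."""
    if option_level not in OPTION_LEVELS:
        raise ValueError(f"unsupported hierarchy level: {option_level}")
    unique = []
    for mac in allowed_macs:
        normalized = normalize_mac(mac)
        if normalized not in unique:  # same address written in both notations
            unique.append(normalized)
    if not unique:
        raise ValueError("no source addresses supplied")
    if len(unique) > MAX_SOURCE_ADDRESSES:
        raise ValueError(f"{len(unique)} addresses exceed the limit of {MAX_SOURCE_ADDRESSES}")
    base = f"set interfaces {interface} {option_level}"
    return [f"{base} source-filtering"] + [
        f"{base} source-address-filter {mac}" for mac in unique
    ]


# Constructed sample input: documentation-range MACs, one repeated in dotted form.
SAMPLE_ALLOW_LIST = ["00:00:5E:00:53:01", "0000.5e00.5302", "0000.5e00.5301"]

if __name__ == "__main__":
    for line in build_source_filter("ge-0/0/1", "gigether-options", SAMPLE_ALLOW_LIST):
        print(line)
```

Normalizing before counting means an address listed once in each notation is emitted once and counted once against the limit.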
MAC Address Accounting for Ethernet Interfaces
To configure MAC address accounting on an individual Ethernet interface, include the mac-learn-enable statement at the [edit interfaces interface-name gigether-options ethernet-switch-profile] hierarchy level.
To configure MAC address accounting on an aggregated Ethernet interface, include the mac-learn-enable statement at the [edit interfaces aex aggregated-ether-options ethernet-switch-profile] hierarchy level.
To prohibit an interface from dynamically learning source and destination MAC addresses, do not include the mac-learn-enable statement.
To disable dynamic learning of the source and destination MAC addresses after it has been configured, you must delete mac-learn-enable from the configuration.
MPCs support MAC address accounting for an individual interface or an aggregated Ethernet interface member link only after the interface has received traffic from the MAC source. If traffic is only exiting an interface, the MAC address is not learned and MAC address accounting does not occur.