Re: M4300 - macfilter not working
We require source unicast MAC filtering but this does not appear to be working.
We essentially want to drop packets in VLAN 10 that have a source MAC address of 56:1A:CA:20:68:7C, ingressing either LAG 1 or 1/0/18.
Herewith the settings we entered:
configure
macfilter 56:1A:CA:20:68:7C 10
interface 1/0/18
macfilter addsrc 56:1A:CA:20:68:7C 10
interface lag 1
macfilter addsrc 56:1A:CA:20:68:7C 10
Confirmation of settings:
(M4300-24X24F) #show mac-address-table static all
                          Source              Destination
MAC Address       VLAN ID Port(s)             Port(s)
----------------- ------- ------------------- -------------------
56:1A:CA:20:68:7C 10      1/0/18,lag 1
Packets however unfortunately still arrive...
Accepted Solutions
Hi @bbs2web,
Welcome to the community!
MAC Filter only matches the DMAC for a stream. But in your case, you want to filter the source MAC address, so the MAC Filter cannot meet your requirement.
I suggest the MAC ACL, which can meet your requirement.
For example: block source MAC=56:1A:CA:20:68:7C in VLAN10, and permit all other traffic.
**************************************************************************
mac access-list extended test
deny 56:1a:ca:20:68:7c 00:00:00:00:00:00 any
permit any any
exit
mac access-group test vlan 10 in 1
*************************************************************************
Hope it helps!
Regards,
EricZ
NETGEAR Employee
Re: M4300 - macfilter not working
Hi Eric,
Many thanks, using the 'mac access-list' worked perfectly. The documentation on the required MAC mask is however missing and we accidentally dropped all traffic by stipulating the mask as ff:ff:ff:ff:ff:ff when we first tried this.
Working configuration:
mac access-list extended acl1
deny 56:1a:da:20:68:7b 00:00:00:00:00:00 any
permit any any
exit
interface 1/0/18
mac access-group acl1 in 1
exit
interface lag 1
mac access-group acl1 in 1
exit
This essentially drops packets with a source MAC of only '56:1a:da:20:68:7b' and permits everything else, when ingress is either 1/0/18 or LAG 1.
Re: M4300 - macfilter not working
Hi @bbs2web,
Yes, correct.
A wildcard mask is used for MAC ACLs and IP ACLs, so when you input the ff:ff:ff:ff:ff:ff mask, it means match all MACs. If you only want to match one specific MAC, you need to input the 00:00:00:00:00:00 mask.
Besides, with regard to resolving your problem, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!
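The wildcard-mask behaviour discussed in this thread, as an added example that is not part of any poster's message and is not NETGEAR code: a small Python model that evaluates the thread's deny/permit rules and flags a deny rule whose mask ignores all 48 bits before it is applied. The function names, the second sample MAC, and the evaluation order (first match wins, unmatched frames denied) are assumptions made for illustration.

```python
# Added illustration: models wildcard-mask matching only, not the switch firmware.
FULL = 0xFFFFFFFFFFFF

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into a 48-bit integer."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)

def wildcard_match(frame_mac: str, rule_mac: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    care = ~mac_to_int(wildcard) & FULL
    return (mac_to_int(frame_mac) & care) == (mac_to_int(rule_mac) & care)

def evaluate(acl, src_mac: str) -> str:
    """Return the action of the first rule matching the source MAC.
    Assumption: first match wins; a frame matching no rule is denied."""
    for action, rule_mac, wildcard in acl:
        if wildcard_match(src_mac, rule_mac, wildcard):
            return action
    return "deny"

def audit(acl):
    """Indexes of deny rules that ignore every bit and shadow later rules."""
    return [i for i, (action, _, wc) in enumerate(acl)
            if action == "deny" and mac_to_int(wc) == FULL and i < len(acl) - 1]

ANY = ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff")   # "any" = ignore all 48 bits
BLOCKED = "56:1a:ca:20:68:7c"                      # source MAC from the question
OTHER = "00:11:22:33:44:55"                        # constructed sample host

# Rule set with the 00:00:00:00:00:00 mask (matches exactly one MAC).
WORKING = [("deny", BLOCKED, "00:00:00:00:00:00"), ("permit", *ANY)]
# Same rules with the ff:ff:ff:ff:ff:ff mask (matches every MAC).
MISTAKEN = [("deny", BLOCKED, "ff:ff:ff:ff:ff:ff"), ("permit", *ANY)]

if __name__ == "__main__":
    for name, acl in (("working", WORKING), ("mistaken", MISTAKEN)):
        for mac in (BLOCKED, OTHER):
            print(f"{name:9} src={mac} -> {evaluate(acl, mac)}")
        print(f"{name:9} shadowing deny rules: {audit(acl)}")
```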