
bbs2web
Guide

M4300 - macfilter not working

We require source unicast MAC filtering but this does not appear to be working.

 

We essentially want to drop packets in VLAN 10 that have a source MAC address of 56:1A:CA:20:68:7C, ingressing either LAG 1 or 1/0/18.

 

Herewith the settings we entered:

configure
  macfilter 56:1A:CA:20:68:7C 10 
  interface 1/0/18
  macfilter addsrc 56:1A:CA:20:68:7C 10
  interface lag 1
  macfilter addsrc 56:1A:CA:20:68:7C 10

Confirmation of settings:

 

(M4300-24X24F) #show mac-address-table static all

                          Source              Destination
MAC Address       VLAN ID Port(s)             Port(s)
----------------- ------- ------------------- -------------------
56:1A:CA:20:68:7C 10      1/0/18,lag 1

 

Packets however unfortunately still arrive...

Message 1 of 4

Accepted Solutions
Retired_Member
Not applicable

Re: M4300 - macfilter not working

Hi @bbs2web,

 

Welcome to the community!

 

MAC Filter only matches the DMAC for a stream. But in your case, you want to filter the source MAC address, so the MAC Filter cannot meet your requirement.

 

I suggest the MAC ACL, which can meet your requirement.

For example: block source MAC=56:1A:CA:20:68:7C in VLAN10, and permit all other traffic.

**************************************************************************

mac access-list extended test
deny 56:1a:ca:20:68:7c 00:00:00:00:00:00 any
permit any any
exit

mac access-group test vlan 10 in 1

*************************************************************************

 

Hope it helps!

Regards,

EricZ

NETGEAR Employee


Message 2 of 4

bbs2web
Guide

Re: M4300 - macfilter not working

Hi Eric,

 

Many thanks, using the 'mac access-list' worked perfectly. The documentation on the required MAC mask is however missing and we accidentally dropped all traffic by stipulating the mask as ff:ff:ff:ff:ff:ff when we first tried this.

 

Working configuration:

 

mac access-list extended acl1
  deny 56:1a:da:20:68:7b 00:00:00:00:00:00 any
  permit any any
  exit
interface 1/0/18
  mac access-group acl1 in 1
  exit
interface lag 1
  mac access-group acl1 in 1
  exit

 

 

This essentially drops packets with a source MAC of only '56:1a:da:20:68:7b' and permits everything else, when ingress is either 1/0/18 or LAG 1.

 

Message 3 of 4
Retired_Member
Not applicable

Re: M4300 - macfilter not working

Hi @bbs2web,

 

Yes, correct.

A wildcard mask is used for MAC ACL and IP ACL, so when you input the ff:ff:ff:ff:ff:ff mask, it means match all MACs. If you only want to match one specific MAC, you need to input the 00:00:00:00:00:00 mask.

 

Besides, with regard to resolving your problem, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

Message 4 of 4
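
The wildcard-mask behaviour discussed in this thread, as an added example that is not part of the original posts and is not NETGEAR code: a small Python model of first-match MAC ACL evaluation showing why an ff:ff:ff:ff:ff:ff mask on the deny rule drops everything while 00:00:00:00:00:00 drops one host. The non-target MAC addresses, the OUI-style rule (which goes beyond the case in the thread) and the implicit deny at the end of the list are assumptions.

```python
"""Model of first-match source-MAC ACL evaluation with wildcard masks."""

FULL = (1 << 48) - 1  # 48 bits, all ones


def mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff (any case) into a 48-bit integer."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    value = 0
    for octet in octets:
        byte = int(octet, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"bad octet in {mac!r}")
        value = (value << 8) | byte
    return value


def src_matches(rule_mac, wildcard, frame_src):
    """Wildcard mask: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    care = ~mac_to_int(wildcard) & FULL
    return (mac_to_int(rule_mac) & care) == (mac_to_int(frame_src) & care)


def evaluate(acl, frame_src):
    """Return the action of the first rule whose source match succeeds."""
    for action, mac, wildcard in acl:
        if mac == "any" or src_matches(mac, wildcard, frame_src):
            return action
    return "deny"  # assumption: implicit deny when no rule matches


def blocked(acl, frames):
    return [src for src in frames if evaluate(acl, src) == "deny"]


TARGET = "56:1a:ca:20:68:7c"  # source MAC from the original post
# Constructed sample sources: the target, a host sharing its first three octets, an unrelated host.
FRAMES = [TARGET, "56:1a:ca:00:00:01", "02:00:00:00:00:01"]

ACL_EXACT = [("deny", TARGET, "00:00:00:00:00:00"), ("permit", "any", None)]
ACL_MISTAKE = [("deny", TARGET, "ff:ff:ff:ff:ff:ff"), ("permit", "any", None)]
ACL_OUI = [("deny", TARGET, "00:00:00:ff:ff:ff"), ("permit", "any", None)]  # hypothetical rule

if __name__ == "__main__":
    for name, acl in (("exact", ACL_EXACT), ("mistake", ACL_MISTAKE), ("oui", ACL_OUI)):
        print(name, "blocks", blocked(acl, FRAMES))
```

With the all-ones mask no bit of the rule's address is compared, so the deny rule matches every frame before `permit any any` is reached.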