Using MAC Filtering

This document explains MAC filtering. It includes the following sections:

Using MAC Filtering Parameters

Accessing the MAC Filtering Prompts

About MAC Filtering

MAC filtering lets you set up packet filters. Filters are a set of rules applied to a packet to determine how it is handled.

Note: MAC filtering is allowed on tunnel traffic.

During the filtering process, packets are either processed, filtered, or tagged. The following explains these actions:

Processed - Packets are permitted to pass through the bridge unaffected.
Filtered - Packets are not permitted to pass through the bridge.
Tagged - Packets are allowed to pass through the bridge but are marked with a number in the range of 1 to 64 based on a configurable parameter.

A MAC filter is made up of three objects:

Filter-item - A single rule for the address field of a packet. The result is either TRUE (the match was successful) or FALSE (the match was not successful).
Filter-list - Contains a list of one or more filter-items.
Filter - Contains a set of filter-lists.

MAC Filtering and DLSw Traffic

You can set up MAC filtering to channel eligible DLSw traffic to alternate bridge paths on a MAC station basis.

To set up a filter for LLC, use the Bridge Net as the interface number for the filter. Calculate the Bridge Net number by adding two to the number of interfaces configured for your router. Enter list devices at the Config> prompt or enter configuration at the Monitor> prompt to see a list of interfaces.

In the following example the Bridge Net number is 6.

Config>list devices
Ifc 0    slot 0  port 0     Ethernet 
Ifc 1    slot 1  port 0     Token Ring 
Ifc 2    slot 1  port 1     Token Ring 
Ifc 3    slot 2  port 0     Quad/Twin Serial Line 
Ifc 4    slot 2  port 1     Quad/Twin Serial Line

When you set up a filter for the Bridge Net, for example, the router does not drop frames that match exclusive filters. Instead, it forwards those frames to the bridge.

Using MAC Filtering Parameters

You can specify some or all of the following parameters when you create a filter:

Source MAC address or destination MAC address
Mask to be applied to the packet's fields to be filtered
Interface number
Input/output designation
Include/exclude/tag designation
Tag value (if you designated a tag)

Filter-Item Parameters

You specify the following parameters to construct a filter-item:

Address Type: source or destination
Tag: Tag-value
Address Mask: Hex-Mask

Each filter-item specifies an address type (source or destination) to match against the type in the packet with the tokens.

The address mask is a MAC address in hex comparing the packet's addresses. The mask is applied to the source or destination MAC address of the packet before comparing it against the specified MAC address.

The mask specifies the bytes that are to be logically ANDed with the bytes in the MAC address. It must be of equal length to the specified MAC address. If no mask is specified, it is assumed to be all 1's.

Filter List Parameters

The following parameters are used to construct a filter list:

Name: ASCII-string
Filter-Item List: filter-item1, ..., filter-item
Action: INCLUDE, EXCLUDE, TAG(n)

A filter list is built from one or more filter items. Each filter list is given a unique name.

Applying a filter list to a packet consists of comparing each filter item in the order by which the filter items were added to the list. If any of the filter items in the list return TRUE then the filter list returns its designated action.

Filter Parameters

The following parameters are used to construct a filter:

Filter list Names: ASCII-string, ..., ASCII-string
Interface Number: IFC-number
Port Direction: input or output
Default Action: include, exclude, or tag
Default Tag: tag value

A filter is constructed by associating a group of filter list names with an interface number and assigning an input or output designation. The application of a filter to a packet means that each of the associated filter lists should be applied to packets being received (input) or sent (output) on the specified interface.

When a filter evaluates a packet to an include condition, the packet is forwarded. When a filter evaluates a packet to an exclude condition, the packet is dropped. When a filter evaluates to a tag condition, the packet being considered is forwarded with a tag.

An additional parameter of each filter is the default action which is the result of non-match for all of its filter lists. This default action is include. It can be set to either include, exclude, or tag. In addition, if the default action is tag, a tag value is also given.

Using MAC Filtering Tags

MAC Address filtering is handled by a joint effort between Bandwidth Reservation and the MAC Filtering feature (MCF) using tags. A user with bandwidth reservation is able to categorize bridge traffic, for example, by assigning a tag to it.
Tagging is done by creating a filter item at the MAC filtering configuration prompt and assigning a tag to it. This tag is used to set up a bandwidth class for all packets associated with this tag. Tag values must be in the range of 1 to 64.

OpenROUTE software supports applying tags only to bridged packets and allows only the MAC address fields of the packet to be used in applying the tag.
Up to five tagged MAC addresses can be set from 1 to 5. TAG1 is searched for first, then TAG2, and so on.
Once a tagged filter is created, it is assigned a class and priority in the Bandwidth Reservation configuration process. Use tag at the Bandwidth Reservation to reference the tag.

Tags can also refer to groups as in IP Tunnel. Tunnel end points can belong to any number of groups, and then packets are assigned to a particular group through the tagging feature of MAC address filtering.

Accessing the MAC Filtering Prompts

To display the MAC filtering configuration prompt, at the Config> prompt enter feature mcf.

Config> feature mcf
MAC Filtering user configuration
Filter config>

To display the MAC filtering monitoring prompt, at the Monitor> prompt enter feature mcf.

Monitor> feature mcf
MAC Filtering user console
Filter>

MAC Filtering Commands

This section describes the MAC filtering configuration and monitoring commands. Table 1 lists the MAC filtering commands.

Not all parameters apply to all router platforms. Press Space twice after you type a command to display the available parameters for each command for your router. Enter help for information about using the command line interface.

[C] means the command is available at the Filter config> prompt.

[M] means the command is available at the Filter> prompt.

Table 1 MAC Filtering Commands

Command Function

Attach [C] Adds a filter list to a filter.

Clear [M] Clears the per filter statistics listed in the list filter command.

Create [C] Creates a filter list or an input or output filter.

Default [C] Sets the default action for the filter with a specified filter-number to exclude, include, or tag.

Delete [C] Removes all information associated with a filter list and frees an assigned string as a name for a new filter list. Also deletes a filter created.

Detach [C] Deletes a filter-list name from a filter.

Disable [C] [M] Disables MAC filtering globally or on a per filter basis.

Enable [C] [M] Enables MAC filtering globally or on a per filter basis.

Exit [C] [M] Exits the MAC filtering configuration or monitoring process.

List [C] [M] Lists a summary of statistics and settings for each filter currently running in the router.

Move [C] Reorders the filter-lists attached to a specified filter.

Reinit [C] [M] Re-initializes the entire MAC filtering system without affecting the rest of the router.

Set-Cache [C] Changes the cache size for a filter.

Update [C] Adds or deletes information from a filter-list. Brings you to a menu of appropriate subcommands.

Table 1 MAC Filtering Commands
Command	Function
Attach [C]	Adds a filter list to a filter.
Clear [M]	Clears the per filter statistics listed in the list filter command.
Create [C]	Creates a filter list or an input or output filter.
Default [C]	Sets the default action for the filter with a specified filter-number to exclude, include, or tag.
Delete [C]	Removes all information associated with a filter list and frees an assigned string as a name for a new filter list. Also deletes a filter created.
Detach [C]	Deletes a filter-list name from a filter.
Disable [C] [M]	Disables MAC filtering globally or on a per filter basis.
Enable [C] [M]	Enables MAC filtering globally or on a per filter basis.
Exit [C] [M]	Exits the MAC filtering configuration or monitoring process.
List [C] [M]	Lists a summary of statistics and settings for each filter currently running in the router.
Move [C]	Reorders the filter-lists attached to a specified filter.
Reinit [C] [M]	Re-initializes the entire MAC filtering system without affecting the rest of the router.
Set-Cache [C]	Changes the cache size for a filter.
Update [C]	Adds or deletes information from a filter-list. Brings you to a menu of appropriate subcommands.

Attach [C]

Adds a filter list to a filter. A filter is constructed by associating a group of filter lists with an interface number. A filter list is built from one or more filter items.

Syntax: attach filter-list-name filter-number

Example: attach

Enter a filter-list name []? atm_list
Enter a filter number [1]? 3

Clear [M]

Clears all the per filter statistics listed in the list filter command for all the filter objects and all the statistics listed for each filter list.

The command also clears the per filter statistics listed in the list filter command for the filter associated with the filter-number plus all the statistics listed for each filter list in this filter.

Syntax: clear

all
filter

all

Clears all statistics listed in the list filter command for each filter object and each filter-list.

Example: clear all

filter filter-number

Clears the per filter statistics listed in the list filter command for the filter associated with the filter-number plus all the statistics listed for each filter-list in this filter.

Example: clear filter 6

Create [C]

Creates a filter list or an input or output filter.

Syntax: create

list
filter

list filter-list-name

Creates a filter list. Name a list by a unique string (Filter-list-name) of up to 16 characters. This name is used to identify a filter-list that is being built. This name is also used with other commands associated with the filter-list.

Example: create list newyork

filter input/output interface-number

Creates a filter and places it on the network associated with the input or output direction on the interface given by an interface number. By default this filter is created with no attached filter-lists and has a default action of include and enabled.

Example: create filter input 2

Default [C]

Sets the default action for the filter with a specified filter-number to exclude, include, or tag.

Syntax: default

exclude
include
tag

exclude filter-number

Sets the default action for the filter with a specified filter-number to exclude.

Example: default exclude 3

include filter-number

Sets the default action for the filter with a specified filter-number to include.

Example: default include 3

tag tag-number filter-number

Sets the default action for the filter with the specified filter-number to tag and sets the associated tag value to tag-number.

Example: default tag 3 15

Delete [C]

Removes all information associated with a filter-list and frees an assigned string as a name for a new filter-list. If filter-list is attached to a filter that has already been created, then this command displays an error message without deleting anything. In addition all filter-items belonging to this list are also deleted.

This command also deletes a filter created using the create filter command.

Syntax: delete

list
filter

list filter-list

Removes all information associated with a filter-list and frees an assigned string as a name for a new filter-list. The filter-list must be a string entered by a previous create list command.

If the filter-list is attached to a filter that has already been created, then this command displays an error messageen without deleting anything. All filter-items belonging to this list are also deleted when this command is used.

Example: delete list newyork

filter filter-number

Deletes a filter created using the create filter command.

Example: delete 3

Detach [C]

Deletes a filter-list name (filter-list parameter) from a filter (filter-number parameter).

Syntax: detach list

Example: detach list newyork

Disable [C] [M]

Disables MAC filtering entirely or disables a particular filter.

Syntax: disable

all
filter

all

Disables MAC filtering entirely. Filters are still set as enabled, however, if they were enabled previously.

Example: disable all

filter filter-number

Disables a particular filter. The filter number parameter corresponds to the numbers displayed with list filters command.

Example: disable filter

Enter a filter number [1]? 3

Enable [C] [M]

Enables MAC filtering entirely or enables a particular filter.

Syntax: enable

all
filter

all

Enables MAC filtering entirely although filters themselves may still set to disabled.

Example: enable all

filter filter-number

Enables a particular filter. The filter number parameter corresponds to the numbers displayed with list filters.

Example: enable filter

Enter a filter number [1]? 3

Exit [C] [M]

Use the exit command to return to the Config> prompt or Monitor> prompt.

Syntax: exit

Example: exit

List [C] [M]

Lists all the filter lists and filters that you have configured. A list of all the filter lists attached to a filter is not given. Other information displayed includes:

Whether or not filtering is enabled or disabled
A list containing the state of the filtering system (enable,disable)
The set of configured filter-list records
Each of the configured filter records

In addition, the following information is displayed for each filter:

Filter number
Interface number
Filter direction (input,output)
Filter state (enable, disable)
Filter default action (tag, include, exclude)

This command also generates a list of attached filter-lists for this filter and all subsequent information for the filter.

Syntax: list

all
filter

Example: list all

Filtering: enabled
Filter List                   Action
-----------                   ------
test                          INCLUDE   

Filters
-------
Id   Default   State     Ifc  Dir       Cache
--   -------   -----     ---  ---       ------
1    INCLUDE   DISABLE   0    OUTPUT    16

filter filter-number

Generates a list of attached filter-lists for the specified filter and all subsequent information for the filter.

Example: list filter

Enter a filter number [1]? 
Id   Default   State     Ifc  Dir       Cache
--   -------   -----     ---  ---       ------
1    INCLUDE   DISABLE   0    OUTPUT    16   

Filter List                   Action
-----------                   ------
test                          INCLUDE

Move [C]

Use the move command to re-order the filter-lists attached to a specified filter (given by the filter-number parameter). The list given by Filter-list-name1 is moved immediately before the list given by Filter-list-name2.

Syntax: move filter-list-name1 filter-list-name2 filter-number

Example: move newyork boston 13

Reinit [C] [M]

Reinitializes the entire MAC filtering system from an existing configuration without affecting the rest of the router.

Syntax: reinit

Example: reinit

Set-Cache [C]

Changes the cache size to a number between 4 and 32768. The default is 16.

Syntax: set-cache filter-number cache-size

Example: set-cache

Enter a filter number [1]? 
Enter the new cache size [16]?

Update [C]

Use the update command to add information to or delete information from a specific filter-list. Using this command with the desired filter-list-name brings you to the Filter filter-list-name Config> prompt for that filter list. From this new prompt you can change information in the list.

The order in which the filter-items are specified for a filter-list is important as it determines the order in which the filter-items are applied to a packet.

Syntax: update filter-list-name

Example: update newyork

MAC Filtering Update Commands

Table 2 lists the MAC filtering update commands.

[C] means you enter the command at the configuration prompt, which is filter filter-list-name config>.

Table 2 MAC Filtering Update Commands

Command Function

Add [C] Adds a hexadecimal number to compare against the source or destination MAC address. Adds filter items to a filter list. Adds a filter list to a filter.

Delete [C] Removes filter-items from a filter-list.

Exit [C] Exits the update subcommand configuration process.

List [C] Lists a summary of all the filter lists and filters configured by the user. Also generates a list of attached filter lists for this filter and all subsequent information for the filter.

Move [C] Reorders the filter lists attached to a specified filter.

Set-Action [C] Sets a filter item to evaluate either include, exclude or tag (with a tag-number option).

Table 2 MAC Filtering Update Commands
Command	Function
Add [C]	Adds a hexadecimal number to compare against the source or destination MAC address. Adds filter items to a filter list. Adds a filter list to a filter.
Delete [C]	Removes filter-items from a filter-list.
Exit [C]	Exits the update subcommand configuration process.
List [C]	Lists a summary of all the filter lists and filters configured by the user. Also generates a list of attached filter lists for this filter and all subsequent information for the filter.
Move [C]	Reorders the filter lists attached to a specified filter.
Set-Action [C]	Sets a filter item to evaluate either include, exclude or tag (with a tag-number option).

Add [C]

Adds filter-items to a filter-list. This command specifically lets you add a hexadecimal number to compare against the source or destination MAC address.

The order in which you add filter-items to a filter-list is important as it determines the order in which the filter-items are applied to a packet.

Each use of the add subcommand creates a filter-item within the filter-list. The first filter-item is assigned filter-item-number 1, the next one is assigned number 2, and so forth. After an add, the router displays the number of the filter-item just added.

The first match that occurs stops the application of filter-items, and the filter-list evaluates to either include, exclude or tag, depending on the designated action of the filter-list. If none of the filter-items of a filter-list produce a match, then the default action (include, exclude or tag) of the filter is returned.

Syntax: add

source
destination

source hex-MAC-addr hex-Mask

Adds a hexadecimal number (with no 0x in front, a maximum of 16 numbers, and an even number of hex numbers) to compare against the source MAC address.

The hex-mask parameter must be the same length as hex-MAC-address and is logically ANDed with the designated MAC address in the packet. The default hex-mask argument is all binary 1's.

You can enter the hex-MAC-addr in canonical or non-canonical bit order. Canonical bit order is just a hex number (for example, 000003001234) or a series of hex digits with a dash between every two digits (for example, 00-00-03-00-12-34).

Non-canonical bit order is a series of hex digits with a colon between every two digits (for example, 00:00:C9:09:66:49). MAC addresses of filter-items are always displayed using either dash or colon to distinguish canonical from non-canonical representations.

Example: add source

Enter MAC Address []? 00-00-03-00-12-34
Enter MAC Mask [ffffffffffff]?

destination hex-MAC-addr hex-Mask

Acts exactly like add source, except that the match is made against the destination rather than source MAC address of the packet.

Example: add destination

Enter MAC Address []? 00-00-03-00-12-34
Enter MAC Mask [ffffffffffff]?

Delete [C]

Removes filter-items from a filter-list. You delete filter items by specifying the filter-item-number assigned to the item when it was added.

When you delete a filter item, any gap created in the number sequence is filled in. For example, if filter-items 1, 2, 3, and 4 exist and you delete filter-item 3, then filter-item 4 is renumbered to 3.

Syntax: delete filter-item-number

Example: delete 3

Exit [C]

Use the exit command to return to the previous prompt.

Syntax: exit

Example: exit

List [C]

Lists all the filter-item records represented in canonical and non-canonical form. It displays the following information about each filter item:

MAC address and address mask in canonical or non-canonical form
filter-item numbers
address type (source or destination)
filter-list action

Syntax: list

canonical
noncanonical

canonical

Lists all the filter-item records in a filter-list, giving the item numbers, the address type (SRC, DST), the MAC address in canonical form, and the address mask in canonical form. In addition gives the filter-list action.

Example: list canonical

non-canonical

Lists all the filter-item records in a filter-list, giving the item numbers, the address type (SRC, DST), the MAC address in non-canonical form and the address mask in non-canonical form. In addition gives the filter-list action.

Example: list non-canonical

Move [C]

Re-orders filter-items within the filter-list. The filter-item whose number is specified by filter-item-name1 is moved and renumbered to be just before filter-item-name2.

Syntax: move filter-item-name1 filter-item-name2

Example: move 2 4

Set-Action [C]

Lets you set a filter-list to either include, exclude or tag (with a tag-number option). If one of the filter-items of the filter-list matches the contents of the packet being considered for filtering, the filter-list evaluates to this condition. The default is include.

Syntax: set-action INCLUDE or EXCLUDE or TAG tag-number

Example: set-action exclude

[Top] [Prev] [Next] [Bottom]