
Re: MAC Filtering

WF_DUB
New Contributor II

Hi Ben,

I'm running 08.0.95gt211. I just updated to this image file last week and that's when I noticed the issue. Is there a later one I should be on?

I went through 2 firmware updates to get to this one, don't really want to do more if I don't have to. I am not a network engineer so it was a bit stressful a couple of times. Would be a lot easier if the app, web interface, or GUI would just let me do an update and it loads everything automatically.

"Show Run" says I have a mac filter for port 11 

  • Looks like the mac filter is on for port 11 to only permit the mac address I gave (which is good). However, what if I wanted to clear this? 
  • I don't mind opening a support case, but last time I did I was told they don't support Lennar home owners anymore. Would you like me to submit one anyway?

2022-11-15_212148.png

2022-11-15_212242.png

 

3 REPLIES 3

Vásquez_Fer
Moderator

Hi @WF_DUB  

Hope you are doing well!

If you want to revert the changes you applied, you basically have to go to interface 1/1/11 and write "no" at the start of the command to remove the MAC ACL configuration applied there.

ICX7250-24P Device>ena
ICX7250-24P Device#conf t
ICX7250-24P Device(config)#interface ethernet 1/1/11
ICX7250-24P Device(config-if-e1000-1/1/11)#no mac access-group mf_1 in

There is also another way to perform MAC address filtering on a specific port.

Example:

ICX7250-24P Device(config)#mac filter 1 permit 0050.56AB.ABD8 ffff.ffff.ffff any
ICX7250-24P Device(config)#mac filter 2 deny any any

ICX7250-24P Device(config)#interface ethernet 1/1/11
ICX7250-24P Device(config-if-e1000-1/1/11)#mac filter-group 1 to 2

Basically, this configuration will allow the assigned MAC to be the only one that can send and receive data, and will deny any other MAC address on the assigned port.

https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-22E17C0E-6595-429...

Best Regards 

Fernando Vasquez 

WF_DUB
New Contributor II

This helps slightly, it does tell me how to remove the mac filter which is good to know. It also provides another avenue for applying one (quite an easier way too).

Can you explain why you recommend applying two mac filters to the port instead of just one? Meaning, in your example mac filter 1 permits a specific device, then mac filter 2 denies any device, then you applied both of these mac filters to port 1/1/11.

Doesn't writing the below accomplish the same thing? Meaning, why do you need to "deny any any" if I am already writing to "permit" a specific address? I thought what I wrote below basically says to ONLY permit the mac address listed and therefore all other addresses are automatically denied.

  • ICX7250-24P Device(config)#mac filter 1 permit 0000.0006.3a4f ffff.ffff.ffff any
    ICX7250-24P Device(config)#interface ethernet 1/1/11
    ICX7250-24P Device(config-if-e1000-1/1/11)#mac access-group mf_1 in

Still, the GUI should allow this as it used to. It was fine when I was on image file 08.08, but once I went to 08.0.95 it went away. What image should I be on for my switch? I would like the GUI to show my mac lists correctly.

Hi @WF_DUB 

Hope you are doing well!

After checking the release notes for versions 8095x and later, I found that the MAC filter was changed to a MAC address access list. For that reason, the GUI does not allow you to see the MAC filters or create new MAC filters, since this feature is no longer available.

MAC address filter.PNG

These MAC ACLs would only be visible through the CLI.

As you can see in the picture below, the MAC filter command was removed.

Mac filter.PNG

This is the new way to perform MAC ACL filtering on 8095x and later versions:

https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-28D251BE-8752-4F4C-96AA-14D...

If having this feature in the GUI is so important to you, I would recommend the SPS8090mc version for you.

A MAC filter is a configuration in sequence; therefore, if you do not apply the deny any any option, it will allow any device to use this port (assuming that what you want is to configure that only 1 device is allowed per port).

https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-22E17C0E-6595-429...

This is an example: I created a MAC filter with a specific MAC address (I did not add the deny any any) and connected a PC (with a different MAC) to my switch, and it allowed me to ping (send data to) the IP address, as you can see at '1'.

Once I applied the deny any any on the switch ('2'), another device that is not in the (configured) filter is not allowed to connect or have connectivity to my switch.

PC MAC: 0050.56ab.abd8

Config:

mac filter 1 permit 0051.56ab.abd8 ffff.ffff.ffff any
mac filter 2 deny any any

tempsnip.png

Best regards 

Fernando Vasquez
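
An added example, not part of the thread and not Ruckus code: a small audit script that reads a saved running-config and reports, for every port with a `mac filter-group`, whether the group ends in the explicit `deny any any` recommended in the reply above. The sample config is constructed from the commands quoted in the thread; the function names, the finding labels, and the assumption that a group may list single IDs alongside `N to M` ranges are illustrative.

```python
import re

# Constructed sample config, using the command forms quoted in the thread.
SAMPLE_CONFIG = """\
mac filter 1 permit 0050.56ab.abd8 ffff.ffff.ffff any
mac filter 2 deny any any
mac filter 3 permit 0000.0006.3a4f ffff.ffff.ffff any
interface ethernet 1/1/11
 mac filter-group 1 to 2
!
interface ethernet 1/1/12
 mac filter-group 3
"""
FILTER_RE = re.compile(r"^mac filter (\d+) (permit|deny) (.+)$", re.I)
IFACE_RE = re.compile(r"^interface ethernet (\S+)$", re.I)
GROUP_RE = re.compile(r"^mac filter-group (.+)$", re.I)

def expand_ids(spec):
    """Expand a filter-group spec such as '1 to 2 5' into [1, 2, 5]."""
    tokens, ids, i = spec.lower().split(), [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.append(int(tokens[i]))
            i += 1
    return ids

def audit(config):
    """Return {port: finding} for each port that has a mac filter-group."""
    filters, groups, port = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := FILTER_RE.match(line):
            # Normalise whitespace and case so 'ANY  any' compares equal.
            filters[int(m[1])] = (m[2].lower(), " ".join(m[3].lower().split()))
        elif m := IFACE_RE.match(line):
            port = m[1]
        elif line == "!":
            port = None  # end of the interface stanza
        elif (m := GROUP_RE.match(line)) and port:
            groups[port] = expand_ids(m[1])
    findings = {}
    for port, ids in groups.items():
        if any(i not in filters for i in ids):
            findings[port] = "undefined-filter"   # group references a missing ID
        elif filters[ids[-1]] == ("deny", "any any"):
            findings[port] = "explicit-deny"      # last filter in the group is the catch-all
        else:
            findings[port] = "no-explicit-deny"   # permit-only group, review this port
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags port 1/1/12, whose group contains only a permit entry.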