This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Re: MAC Filtering

WF_DUB
New Contributor II

‎11-15-2022 09:19 PM - edited ‎11-15-2022 09:25 PM

Hi Ben,

I'm running 08.0.95gt211 I just updated to this image file last week and that's when I noticed the issue. Is there a later one I should be on?

I went through 2 firmware updates to get to this one, don't really want to do more if I don't have to. I am not a network engineer so it was a bit stressful a couple of times. Would be a lot easier if the app, web interface, or GUI would just let me do an update and it loads everything automatically.

"Show Run" says I have a mac filter for port 11 

  • Looks like the mac filter is on for port 11 to only permit the mac address I gave (which is good). However, what if I wanted to clear this? 
  • I don't mind opening a support case, but last time I did I was told they don't support Lennar home owners anymore. Would you like me to submit one anyway?

2022-11-15_212148.png

2022-11-15_212242.png

 

0 Kudos
3 REPLIES 3

Vásquez_Fer
Moderator
Moderator

‎11-16-2022 07:26 AM - edited ‎11-16-2022 07:40 AM

Hi @WF_DUB  

Hope you are doing well ! 

If you want to revert the changes you applied basically you have to go to interface 1/1/11 and write No at the initial part of the command to remove the configuration from the ACL MAC applied.

ICX7250-24P Device>ena
ICX7250-24P Device#conf t
ICX7250-24P Device(config)#interface ethernet 1/1/11
ICX7250-24P Device(config-if-e1000-1/1/11)#no mac-access-group mf_1 in

There is also another way to perform Mac address filter on a specific port 

Example:

ICX7250-24P Device(config)#mac filter 1 permit 0050.56AB.ABD8 fffF.FFF.FFF ANY
ICX7250-24P Device(config)#mac filter 2 deny any any

ICX7250-24P Device(config)#interface ethernet 1/1/11
ICX7250-24P Device(config-if-e1000-1/1/11)#mac filter-group 1 to 2

Basically this will allow the assigned mac to be the only one that can go out and receive data and deny another mac address on the assigned port this configuration

https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-22E17C0E-6595-429...

Best Regards 

Fernando Vasquez 

0 Kudos

WF_DUB
New Contributor II
In response to Vásquez_Fer

‎11-16-2022 06:27 PM - edited ‎11-16-2022 10:24 PM

This helps slightly, it does tell me how to remove the mac filter which is good to know. It also provides another avenue for applying one (quite an easier way too).

Can you explain why you recommend applying two mac filters to the port instead of just one? Meaning, in your example mac filter 1 permits a specific device. Then mac filter 2 denies any device., then you applied both of these mac filters to port 1/1/11.

Doesn't writing the below accomplish the same thing? Meaning, why do you need to "deny any any" if I am already writing to "permit" a specific address. I thought what I wrote below basically says to ONLY permit the mac address listed and therefor all other addresses are automatically denied.

  • ICX7250-24P Device(config)#mac filter 1 permit 0000.0006.3a4f ffff.ffff.ffff any
    ICX7250-24P Device(config)#interface ethernet 1/1/11
    ICX7250-24P Device(config-if-e1000-1/1/11)#mac access-group mf_1 in

Still, the GUI should allow this as it used to. It was fine when I was on image file 08.08, but once I went to 08.0.95 it went away. What image should I be on for my switch? I would like the GUI to show my mac lists correctly.

0 Kudos

Vásquez_Fer
Moderator
Moderator
In response to WF_DUB

‎11-17-2022 05:07 AM - edited ‎11-17-2022 07:27 AM

Hi @WF_DUB 

Hope you are doing well ! 

After checking the release notes on version 8095x + found that the Mac filter was modified to be Mac address access list  for that reason does not allow to see  the  MAC filters on the  GUI or create new Mac filters  since this feature is no longer available.

MAC address filter.PNG

This ACLs MACs would be only be visible through the CLI.

As you can see in the below picture you are going to see the MAC filter command was removed 

Mac filter.PNG

This is the new way to preform ACLs MAC filters on 8095x + versions 

https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-28D251BE-8752-4F4C-96AA-14D...

If this feature is so important to you via GUI I would recommend the SPS8090mc version for you.

MAC filter is a configuration in sequence therefore, if you do not apply the deny any any option, it will allow any device to use this port (assuming that what you want is to configure that only 1 device is allowed per port)

https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-22E17C0E-6595-429...

This is a example I crate a MAC filter with a specific MAC address  ( I did not add the deny any any ) and connect a PC ( with a different MAC )  to my switch and allow me ping ( sent data ) to the IP address as you can see '1'  

once I applied the deny any any on the Switch '2'  I say that it is not allowed that another device that is not in the filter (configured) can connect or have connectivity to my switch.

PC MAc 0050.56abab.d8

Config:

mac filter 1 permit 0051.56ab.abd8 ffff.ffff.ffff any
mac filter 2 deny any any

tempsnip.png

Best regards 

Fernando Vasquez

0 Kudos
Labels
Copyright © 2024 Khoros, LLC