MAC address filters command syntax

To configure and apply a MAC address filter, enter commands such as the following.

device(config)# mac filter 1 deny 0000.0075.3676 ffff.0000.0000
device(config)# mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff 
device(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0 
device(config)# mac filter 4 deny any 0000.0034.5678 ffff.ffff.ffff 
device(config)# mac filter 5 deny any 0000.0045.6789 ffff.ffff.ffff 
device(config)# mac filter 1024 permit any any
device(config)# int e 1
device(config-if-e1000-1)# mac filter-group 1 to 5 1024

These commands configure filter 1 to deny traffic with a source MAC address that begins with "3565" to any destination, and configure filters 2 through 5 to deny traffic with the specified destination MAC addresses. Filter 1024 permits all traffic that is not denied by any other filter.

Once you apply a MAC address filter to a port, the device drops all Ethernet traffic on the port that does not match a MAC permit filter on the port.

Syntax: [no] mac filter filter-num { permit | deny } [ src-mac mask | any ] [ dest-mac mask | any ]

You can configure up to 507 MAC filters for filter-num. The default value is 512.

The permit or deny argument determines the action the software takes when a match occurs.

The src-mac mask | any parameter specifies the source MAC address. You can enter a specific address value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f (ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes. The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC addresses.

The dest-mac mask | any parameter specifies the destination MAC address. The syntax rules are the same as those for the src-mac mask | any parameter.
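
The following Python example is added here and is not vendor code: it evaluates the example filters from the top of this page against constructed frames to show how the mask comparison and the drop of unmatched traffic behave. It assumes filters are checked in the order listed in the filter group with the first match deciding, and that an omitted destination means any; the function names are hypothetical.

```python
import re

# Filter lines copied from the example configuration on this page.
CONFIG = """\
mac filter 1 deny 0000.0075.3676 ffff.0000.0000
mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff
mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0
mac filter 4 deny any 0000.0034.5678 ffff.ffff.ffff
mac filter 5 deny any 0000.0045.6789 ffff.ffff.ffff
mac filter 1024 permit any any
"""

def mac_int(text):
    """Convert xxxx.xxxx.xxxx notation to a 48-bit integer."""
    if not re.fullmatch(r"[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}", text):
        raise ValueError(f"bad MAC or mask: {text!r}")
    return int(text.replace(".", ""), 16)

def take_field(tokens):
    """Consume 'any' or 'addr mask'; return (addr & mask, mask)."""
    if not tokens or tokens[0] == "any":   # assumption: omitted dest means any
        del tokens[:1]
        return 0, 0                        # mask 0 matches every address
    addr, mask = mac_int(tokens.pop(0)), mac_int(tokens.pop(0))
    return addr & mask, mask

def parse_filters(config):
    filters = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["mac", "filter"]:
            continue
        num, action, rest = int(tok[2]), tok[3], tok[4:]
        filters[num] = (action, take_field(rest), take_field(rest))
    return filters

def evaluate(filters, group, src, dst):
    """Return (action, filter number); number None means nothing matched."""
    s, d = mac_int(src), mac_int(dst)
    for num in group:                      # assumption: listed order, first match wins
        action, (sa, sm), (da, dm) = filters[num]
        if (s & sm) == sa and (d & dm) == da:
            return action, num
    return "deny", None                    # no permit filter matched: frame dropped

FILTERS = parse_filters(CONFIG)
GROUP = [1, 2, 3, 4, 5, 1024]              # "mac filter-group 1 to 5 1024"
# Constructed frame: destination is covered by filter 3's ffff.ffff.fff0 mask.
print(evaluate(FILTERS, GROUP, "aabb.ccdd.eeff", "0180.c200.0002"))
```

Evaluating the same frames against a group without filter 1024 shows why the explicit permit is needed: every frame that no deny filter matches is still dropped.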

Syntax: [no] mac filter log-enable

Globally enables logging for filtered packets.

Syntax: [no] mac filter-group log-enable

Enables logging for filtered packets on a specific port.

Syntax: [no] mac filter-group filter-number [ to filter-number | filter-number ... ]

Applies MAC address filters to a port.

When applying the filter-group to the interface, specify each line to be applied separately or use the to keyword to apply a consecutive range of filter lines, for example, 1 3 to 8 10.

The filters must be applied as a group. For example, if you want to apply four filters to an interface, they must all appear on the same command line.
You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port.
If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.

When a MAC address filter is applied to or removed from an interface, a Syslog message such as the following is generated.

SYSLOG: <14>Jan 1 00:00:00 MAC Filter applied to port 1/1/2 by tester from telnet session (filter id=5 ). 
SYSLOG: <14>Jan 1 00:00:00 MAC Filter removed from port 1/1/2 by tester from telnet session (filter id=5 ).

The Syslog messages indicate that a MAC address filter was applied to the specified port by the specified user during the specified session type. Session type can be Console, Telnet, SSH, Web, SNMP, or others. The filter IDs that were added or removed are listed.