Dell FCX624-E Laptop User Manual


320 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a
specific address value and a comparison mask, or the keyword any to filter on all MAC addresses.
Specify the mask using f (ones) and zeros. For example, to match on the first two bytes of the
address aabb.ccdd.eeff, use the mask ffff.0000.0000. The filter matches on all MAC addresses
that contain aabb as the first two bytes and accepts any value for the remaining bytes of the MAC
address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC
addresses. If no match is found, the implicit action is to authenticate the client.
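The mask comparison described above, written out as an added Python example (not part of the guide or of the switch software). It also counts how many addresses a given mask admits, which is useful when auditing how broad a filter is. The function names and the sample filter table are constructed for illustration.

```python
import re

_MAC_RE = re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}")

def parse_mac(text):
    """Convert dotted-hex notation (aabb.ccdd.eeff) to a 48-bit integer."""
    text = text.lower()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"expected xxxx.xxxx.xxxx, got {text!r}")
    return int(text.replace(".", ""), 16)

def matches(candidate, src_mac, mask=None):
    """True if candidate matches a filter's <src-mac> <mask> | any field."""
    if src_mac == "any":
        if mask is not None:
            raise ValueError("'any' must not be combined with a mask")
        return True
    if mask is None:
        raise ValueError("a specific address needs a comparison mask")
    m = parse_mac(mask)
    # Only bit positions set to 1 (hex f) in the mask are compared.
    return (parse_mac(candidate) & m) == (parse_mac(src_mac) & m)

def covered_addresses(src_mac, mask=None):
    """Number of distinct MAC addresses the filter field matches."""
    if src_mac == "any":
        return 2 ** 48
    wildcard_bits = 48 - bin(parse_mac(mask)).count("1")
    return 2 ** wildcard_bits

# Constructed sample table: filter number -> (src-mac, mask).
FILTERS = {
    1: ("aabb.ccdd.eeff", "ffff.0000.0000"),  # the guide's example
    2: ("0010.9400.0001", "ffff.ffff.ffff"),  # single host (constructed)
}

def matching_filters(candidate, filters):
    """Filter numbers whose source field matches the candidate. An empty
    list means no match, so the implicit action (authenticate) applies."""
    return [num for num, (mac, mask) in sorted(filters.items())
            if matches(candidate, mac, mask)]

if __name__ == "__main__":
    for mac in ("aabb.0102.0304", "0010.9400.0001", "aabc.ccdd.eeff"):
        print(mac, matching_filters(mac, FILTERS) or "no match: authenticate")
    for num, (mac, mask) in FILTERS.items():
        print("filter", num, "covers", covered_addresses(mac, mask), "addresses")
```

A two-byte mask such as ffff.0000.0000 admits 2^32 source addresses, so any device that presents a MAC address in that range matches the filter.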
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules
are the same as those for the <src-mac> <mask> | any parameter. Note that the 802.1x
Authentication filter (dot1x auth-filter) does not use the destination MAC address in the MAC
address filter.
The <filter-num> parameter identifies the MAC address filter. The maximum number of supported
MAC address filters is determined by the mac-filter-sys default or configured value.
The dot1x auth-filter <filter-list> command binds MAC address filters to a port.
The following rules apply when using the dot1x auth-filter command:
• When you add filters to or modify the dot1x auth-filter, the system clears all 802.1X sessions
  on the port. Consequently, all users that are logged in will need to be re-authenticated.
• The maximum number of filters that can be bound to a port is limited by the mac-filter-port
  default or configured value.
• The filters must be applied as a group. For example, if you want to apply four filters to an
  interface, they must all appear on the same command line.
• You cannot add or remove individual filters in the group. To add or remove a filter on an
  interface, apply the filter group again containing all the filters you want to apply to the port.
If you apply a filter group to a port that already has a filter group applied, the older filter group is
replaced by the new filter group.
Locking a port to restrict addresses
Address-lock filters allow you to limit the number of devices that have access to a specific port.
Access violations are reported as SNMP traps. This feature is disabled by default. A maximum of
2048 entries can be specified for access. The default address count is eight.
Configuration notes
• Static trunk ports and link-aggregation configured ports do not support the lock-address
  option.
• The MAC port security feature is a more robust version of this feature. Refer to Chapter 35,
  “Using the MAC Port Security Feature”.
Command syntax
To enable address locking for port 2 and place a limit of 15 entries, enter a command such as the
following.
PowerConnect(config)#lock e 2 addr 15