Dell FCX624-S Laptop User Manual


PowerConnect B-Series FCX Configuration Guide 319
53-1002266-01
Defining MAC address filters
9
PowerConnect(config)#int ethernet 1
PowerConnect(config-if-e1000-1)#mac filter-group log-enable
PowerConnect(config-if-e1000-1)#int ethernet 3
PowerConnect(config-if-e1000-3)#mac filter-group log-enable
PowerConnect(config-if-e1000-3)#write memory
Syntax: [no] mac filter-group log-enable
MAC address filter override for 802.1X-enabled ports
The MAC address filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X
devices to share the same physical port. For example, this feature enables you to connect a PC and
a non-802.1X device, such as a Voice over IP (VoIP) phone, to the same 802.1X-enabled port on
the Dell PowerConnect device. The IP phone will bypass 802.1X authentication and the PC will
require 802.1X authentication.
To enable this feature, first create a MAC address filter, then bind it to an interface on which 802.1X
is enabled. The MAC address filter includes a mask that can match on any number of bytes in the
MAC address. The mask can eliminate the need to enter MAC addresses for all non-802.1X devices
connected to the Dell PowerConnect device, and the ports to which these devices are connected.
Configuration notes
This feature is supported on untagged, tagged, and dual-mode ports.
You can configure this feature on ports that have ACLs and MAC address filters defined.
Configuration syntax
To configure MAC address filtering on an 802.1X-enabled port, enter commands such as the
following.
PowerConnect(config)#mac filter 1 permit 0050.04ab.9429 ffff.ffff.0000 any
PowerConnect(config)#int e1/2
PowerConnect(config-if-e1000-1/2)#dot1x auth-filter 1 3 to 5 10
The first line defines a MAC address filter that matches on the first four bytes (ffff.ffff.0000) of the
source MAC address 0050.04ab.9429, and any destination MAC address. The permit action
creates an 802.1X session in the FORCE AUTHORIZE state, meaning that the device is placed
unconditionally in the authorized state, bypassing 802.1X authentication and allowing all traffic
from the specified MAC address. If no match is found, the implicit action is to authenticate the
client.
The last line binds MAC address filters 1, 3, 4, 5, and 10 to interface 2.
Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any
Syntax: dot1x auth-filter <filter-list>
The permit | deny argument determines the action the software takes when a match occurs. In the
previous example, the permit action creates an 802.1X session in the FORCE AUTHORIZE state,
meaning that the device is placed unconditionally in the authorized state, bypassing 802.1X
authentication and allowing all traffic from the specified MAC address. The deny action creates an
802.1X session in the FORCE UNAUTHORIZE state, meaning that the device will never be
authorized, even if it has the appropriate credentials.
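The following audit script is an added example, not part of the original guide or of any Dell tooling. It parses mac filter lines, expands a dot1x auth-filter list, counts how many source addresses each mask exempts from authentication, and reports the resulting 802.1X state for a given source MAC. Filter 3 in the sample and the first-match evaluation order are assumptions made for illustration.

```python
import re

# Constructed sample: filter 1 is the one from the text; filter 3 is a hypothetical deny entry.
SAMPLE_CONFIG = """\
mac filter 1 permit 0050.04ab.9429 ffff.ffff.0000 any
mac filter 3 deny 0011.2233.4455 ffff.ffff.ffff any
"""
FILTER_RE = re.compile(
    r"^\s*mac filter (\d+) (permit|deny) (any|[0-9a-f.]+ [0-9a-f.]+) ", re.I | re.M)

def mac_to_int(text):
    """Convert dotted notation such as 0050.04ab.9429 to a 48-bit integer."""
    return int(text.replace(".", ""), 16)

def parse_filters(config):
    """Return {filter_num: (action, src_addr, src_mask)}; source 'any' becomes mask 0."""
    filters = {}
    for num, action, src in FILTER_RE.findall(config):
        addr, mask = (0, 0) if src.lower() == "any" else map(mac_to_int, src.split())
        filters[int(num)] = (action.lower(), addr, mask)
    return filters

def expand_filter_list(text):
    """Expand a dot1x auth-filter list such as '1 3 to 5 10' into [1, 3, 4, 5, 10]."""
    tokens, out, i = text.split(), [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.append(int(tokens[i]))
            i += 1
    return out

def covered_addresses(mask):
    """Count source MACs a mask matches: one factor of 2 per zero bit in the 48-bit mask."""
    return 1 << (48 - bin(mask).count("1"))

def dot1x_state(filters, bound, src_mac):
    """Assumption: bound filters are checked in list order and the first match decides."""
    mac = mac_to_int(src_mac)
    for num in bound:
        if num not in filters:
            continue  # bound on the port but not defined in this config
        action, addr, mask = filters[num]
        if mac & mask == addr & mask:
            return "FORCE AUTHORIZE" if action == "permit" else "FORCE UNAUTHORIZE"
    return "AUTHENTICATE"  # implicit action when no filter matches
```

For the mask ffff.ffff.0000 used above, covered_addresses reports 65,536 source addresses placed in the FORCE AUTHORIZE state, which is the figure to review when deciding how wide a mask to permit.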