This chapter describes how to use medium access control (MAC) for specifying packet filters to be applied to packets during processing. It includes the following sections:
Filters are a set of rules applied to a packet to determine how the packet should be handled during bridging. MAC filtering affects only bridged traffic.
Note: MAC Filtering is allowed on tunnel traffic.
During the filtering process, packets are processed, filtered, or tagged during bridging. The actions are:
A MAC filter consists of the following objects:
You can filter incoming LLC traffic for the DLSw network by implementing MAC Filtering.
To set up a filter for LLC, use the Bridge Net number as the interface number for the filter. Determine the Bridge Net number by adding two to the number of interfaces configured for your router. Enter the list devices command at the Config> prompt, or enter configuration at the + prompt to see a list of interfaces.
In the following example, the Bridge Net number is 7.
Ifc 0 Ethernet CSR 81600, CSR2 80C00, vector 94
Ifc 1 WAN X.25 CSR 81620, CSR2 80D00, vector 93
Ifc 2 WAN X.25 CSR 81640, CSR2 80E00, vector 92
Ifc 3 WAN PPP CSR 381620, CSR2 380D00, vector 125
Ifc 4 WAN Frame Relay CSR 381640, CSR2 380E00, vector 124
Ifc 5 Token Ring CSR 600000, vector 95
When you set up a filter for the Bridge Net, for example, the router does not drop frames that match exclusive filters. Instead, it forwards those frames to the bridge.
You can specify some or all of the following parameters to create a filter:
The following parameters are used to construct an address-filter-item:
Each filter-item specifies an address type (either SOURCE or DESTINATION) to match against the type in the packet.
The address mask is a string of numbers entered in hex, which is used in comparing the packet's addresses. The mask is applied to the SOURCE or DESTINATION MAC address of the packet before comparing it against the specified MAC address.
The address mask must be of equal length to the MAC address and specifies the bytes that are to be logically ANDed with the bytes in the MAC address before the equality comparison to the specified MAC address is made. If no mask is specified, it is assumed to be all 1s.
The following parameters are used to construct a filter-list:
A filter-list is built from one or more filter-items. Each filter-list is given a unique name.
Applying a filter-list to a packet consists of comparing the packet against each filter-item, in the order in which the filter-items were added to the list. If any filter-item in the list returns a TRUE condition, the filter-list returns its designated action.
The following parameters are used to construct a filter:
A filter is constructed by associating a group of filter-list names with an interface number and assigning an INPUT or OUTPUT designation. The application of a filter to a packet means that each of the associated filter-lists should be applied to packets being received (INPUT) or sent (OUTPUT) on the specified numbered interface.
When a filter evaluates a packet to an INCLUDE condition, the packet is forwarded. When a filter evaluates a packet to an EXCLUDE condition, the packet is dropped. When a filter evaluates to a TAG condition, the packet being considered is forwarded with a tag.
An additional parameter of each filter is the default action, which is the result when none of its filter-lists match. The default action is initially INCLUDE; it can be set to INCLUDE, EXCLUDE, or TAG. If the default action is TAG, a tag value is also given.
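The matching rules described above, modelled in Python as an added example (this is not code from the router or its documentation). The class and function names and the sample addresses are assumptions, as is the rule that the first matching filter-list decides the result, which the page does not spell out.

```python
from dataclasses import dataclass, field

def mac(text):
    """Parse 'aa-bb-cc-dd-ee-ff' (or ':'-separated) into 6 bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

@dataclass
class FilterItem:
    addr_type: str                 # "SOURCE" or "DESTINATION"
    address: bytes
    mask: bytes = b"\xff" * 6      # no mask specified: all 1s

    def matches(self, src, dst):
        packet_addr = src if self.addr_type == "SOURCE" else dst
        # AND the packet's address with the mask, then test for equality.
        return bytes(a & m for a, m in zip(packet_addr, self.mask)) == self.address

@dataclass
class FilterList:
    name: str
    action: str                    # "INCLUDE", "EXCLUDE" or "TAG"
    items: list = field(default_factory=list)
    tag: int = None                # only meaningful when action is "TAG"

    def apply(self, src, dst):
        # Items are compared in the order added; any TRUE yields the list's action.
        if any(item.matches(src, dst) for item in self.items):
            return (self.action, self.tag)
        return None

def evaluate(filter_lists, src, dst, default=("INCLUDE", None)):
    # Assumption: the first matching filter-list decides; the page does not say.
    for flist in filter_lists:
        result = flist.apply(src, dst)
        if result is not None:
            return result
    return default                 # no filter-list matched

# Constructed sample configuration (addresses are made up for the example).
OUI_MASK = mac("ff-ff-ff-00-00-00")
LISTS = [
    FilterList("tag-host", "TAG", [FilterItem("DESTINATION", mac("02-00-00-00-00-09"))], tag=5),
    FilterList("drop-oui", "EXCLUDE", [FilterItem("SOURCE", mac("02-aa-bb-00-00-00"), OUI_MASK)]),
    # Pitfall: address bits outside the mask can never survive the AND, so no match.
    FilterList("dead", "EXCLUDE", [FilterItem("SOURCE", mac("02-cc-dd-00-00-01"), OUI_MASK)]),
]
```

The "dead" list shows why a filter-item's address should be checked against its mask when reviewing a configuration: an EXCLUDE rule written that way silently matches nothing, and the traffic falls through to the default action.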
The following list includes some uses of MAC filtering tags:
Tags can also refer to "groups" in IP Tunnel. IP Tunnel end-points can belong to any number of groups, with packets assigned to a particular group through the tagging feature of MAC address filtering.