1 configuring layer-2 address filters, 2 configuring layer-2 port-to-address lock filters, Configuring layer-2 address filters -7 – Riverstone Networks WICT1-12 User Manual

Riverstone Networks RS Switch Router User Guide Release 8.0 25-7

Security Configuration

Layer-2 Security Filters

Static entry filters

These filters allow or force traffic to go to a set of destination ports based on a frame's
source MAC address, destination MAC address, or both source and destination MAC
addresses in flow bridging mode. Static entries are always configured and applied at
the input port.

Secure port filters

A secure filter shuts down access to the RS based on MAC addresses. All packets
received by a port are dropped. When combined with static entries, however, these
filters can be used to drop all received traffic but allow some frames to go through.

25.2.1

Configuring Layer-2 Address Filters

If you want to control access to a source or destination on a per-MAC address basis, you can configure an address filter.
Address filters are always configured and applied to the input port. You can set address filters on the following:

•

A source MAC address, which filters out any frame coming from a specific source MAC address

•

A destination MAC address, which filters out any frame destined to specific destination MAC
address

•

A flow, which filters out any frame coming from a specific source MAC address that is also destined
to a specific destination MAC address

To configure Layer-2 address filters, enter the following commands in Configure mode:

25.2.2

Configuring Layer-2 Port-to-Address Lock Filters

Port address lock filters allow you to bind or “lock” specific source MAC addresses to a port or set of ports. Once a
port is locked, only the specified source MAC address is allowed to connect to the locked port and the specified source
MAC address is not allowed to connect to any other ports.

To configure Layer-2 port address lock filters, enter the following commands in Configure mode:

Configure a source MAC based address
filter.

filters add address-filter name

<name>

source-mac

<MACaddr>

|any

source-mac-mask

<mask>

|any

vlan

<VLAN-num>

|any in-port-list

<port-list>

Configure a destination MAC based
address filter.

filters add address-filter name

<name>

dest-mac

<MACaddr>

|any dest-mac-mask

<mask>

vlan

<VLAN-num>

|any in-port-list

<port-list>

Configure a Layer-2 flow address filter.

filters add address-filter name

<name>

source-mac

<MACaddr>

|any source-mac-mask

<mask>

dest-mac

<MACaddr>

|any dest-mac-mask

<mask>

vlan

<VLAN-num>

|any in-port-list

<port-list>

Configure a port address lock filter.

filters add port-address-lock name

<name>

source-mac

<MACaddr>

vlan

<VLAN-num>

in-port-list

<port-list>