Denied Macs

The following scenario shows how to configure the hardware switch so that it drops all packets from a given MAC address.

Test Switch Denied List

Description

In this scenario, the hardware switch is configured to deny all traffic from DUT1’s eth1 MAC address (DE:AD:BE:EF:6C:21) but not from eth0.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set interfaces ethernet eth0 vrf A
set interfaces ethernet eth1 address 192.168.100.3/24
set interfaces ethernet eth1 vrf B
set system vrf A
set system vrf B

Step 2: Set the following configuration in DUT0:

set interfaces bridge br0 address 192.168.100.1/24
set interfaces bridge br0 hardware-offload eth0 denied-macs DE:AD:BE:EF:6C:21
set interfaces ethernet eth0p0 bridge-group bridge br0

Step 3: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 vrf A count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than A.
PING 192.168.100.1 (192.168.100.1) from 192.168.100.2 A: 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=1.33 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.330/1.330/1.330/0.000 ms

Step 4: Expect a failure in the following command, a ping to IP address 192.168.100.1 from DUT1 over VRF B:

admin@DUT1$ ping 192.168.100.1 vrf B count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than B.
PING 192.168.100.1 (192.168.100.1) from 192.168.100.3 B: 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 5: Run command interfaces bridge br0 show fdb at DUT0 and check that the output contains the following token:

DE:AD:BE:EF:6C:20
---------------------------------------------------
bridge  port    mac                state      flags
---------------------------------------------------
br0     eth0p0  de:ad:be:ef:6c:20
br0     eth0p0  00:a0:26:0e:00:90  permanent
br0     eth0p0  de:ad:be:ef:6c:20             self
br0     br0     33:33:00:00:00:01  permanent  self
br0     br0     33:33:00:00:00:02  permanent  self
br0     br0     01:00:5e:00:00:6a  permanent  self
br0     br0     33:33:00:00:00:6a  permanent  self
br0     br0     01:00:5e:00:00:01  permanent  self
br0     br0     33:33:ff:65:67:7e  permanent  self
br0     br0     33:33:ff:00:00:00  permanent  self
br0     br0     00:a0:26:0e:00:90  permanent

Step 6: Run command interfaces bridge br0 show fdb at DUT0 and check that the output does not contain the following token:

DE:AD:BE:EF:6C:21
---------------------------------------------------
bridge  port    mac                state      flags
---------------------------------------------------
br0     eth0p0  de:ad:be:ef:6c:20
br0     eth0p0  00:a0:26:0e:00:90  permanent
br0     eth0p0  de:ad:be:ef:6c:20             self
br0     br0     33:33:00:00:00:01  permanent  self
br0     br0     33:33:00:00:00:02  permanent  self
br0     br0     01:00:5e:00:00:6a  permanent  self
br0     br0     33:33:00:00:00:6a  permanent  self
br0     br0     01:00:5e:00:00:01  permanent  self
br0     br0     33:33:ff:65:67:7e  permanent  self
br0     br0     33:33:ff:00:00:00  permanent  self
br0     br0     00:a0:26:0e:00:90  permanent
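The fdb checks of Steps 5 and 6 can be automated. The following Python helper is an added example, not part of this scenario or of the product: it parses the show fdb table format printed above (an abridged copy is embedded as constructed sample input), compares MACs case-insensitively (the configuration uses upper case, the table prints lower case) and reports whether the denied MAC is absent and the allowed MAC was learned on the expected port. The names FdbEntry, parse_fdb, has_mac, learned_ports and check_denied_list are assumptions of this example.

```python
import re
from collections import namedtuple

# Constructed sample (not captured from a device): an abridged copy of the
# DUT0 "interfaces bridge br0 show fdb" table printed in Step 5.
FDB_OUTPUT = """\
---------------------------------------------------
bridge  port    mac                state      flags
---------------------------------------------------
br0     eth0p0  de:ad:be:ef:6c:20
br0     eth0p0  00:a0:26:0e:00:90  permanent
br0     eth0p0  de:ad:be:ef:6c:20             self
br0     br0     33:33:00:00:00:01  permanent  self
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
FdbEntry = namedtuple("FdbEntry", "bridge port mac permanent self_entry")  # hypothetical

def parse_fdb(text):
    """Parse the fdb table; separator, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not MAC_RE.match(fields[2]):
            continue  # '----' separator, header row or blank line
        flags = fields[3:]  # 'state' and 'flags' columns are optional
        entries.append(FdbEntry(fields[0], fields[1], fields[2].lower(),
                                "permanent" in flags, "self" in flags))
    return entries

def has_mac(entries, mac):
    """Step 6 check: MAC present anywhere? Compared case-insensitively, since
    the configuration uses upper case and the table prints lower case."""
    return any(e.mac == mac.lower() for e in entries)

def learned_ports(entries, mac):
    """Ports on which the MAC was dynamically learned (non-permanent entries)."""
    return {e.port for e in entries if e.mac == mac.lower() and not e.permanent}

def check_denied_list(text, denied_mac, allowed_mac, expected_port):
    """Return (ok, problems) for the Step 5 and Step 6 expectations."""
    entries = parse_fdb(text)
    problems = []
    if has_mac(entries, denied_mac):
        problems.append(f"denied MAC {denied_mac} was learned by the bridge")
    if expected_port not in learned_ports(entries, allowed_mac):
        problems.append(f"allowed MAC {allowed_mac} not learned on {expected_port}")
    return not problems, problems
```

For this scenario the call is check_denied_list(FDB_OUTPUT, "DE:AD:BE:EF:6C:21", "DE:AD:BE:EF:6C:20", "eth0p0"), which returns (True, []) when the denied list is working as intended.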