[j-nsp] EX Switches - Internet Exchange Points

Paul Stewart paul at paulstewart.org
Fri Mar 26 09:10:47 EDT 2010


Hi there..

I just wanted to follow up on this - I'd open a case at JTAC but honestly
have no idea where to get started with them yet...;)

So, the MAC filtering worked for one of the exchange points yesterday ...
then late last night one of our upstream providers dropped off.  With the
upstream provider I've asked them for port security logs so I can start
hunting for MACs they are seeing ... this will hopefully provide a clue.

Is there a way in a filter to log denied MAC addresses?  Snippet looks like
this:

family ethernet-switching {
    filter core2_peering_filter {
        term expected_mac_address {
            from {
                source-mac-address {
                    00:0b:45:b6:f5:00;
                }
            }
            then accept;
        }
        term block {
            then discard;
        }
    }
}

I tried to add "then discard log" to the term block but I get:

  'filter'
    Referenced filter 'core1_peering_filter' can not be used as log not
supported on egress
error: configuration check-out failed


Thanks,

Paul


-----Original Message-----
From: Richard A Steenbergen [mailto:ras at e-gerbil.net] 
Sent: Thursday, March 25, 2010 8:41 PM
To: Paul Stewart
Cc: 'jnsp'
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points

On Thu, Mar 25, 2010 at 08:01:36PM -0400, Paul Stewart wrote:
> Thanks Richard...
> 
> The MAC filtering idea proposed earlier by another friendly person was
> quite helpful and solved the issue.  That Cisco MAC is actually what
> we wanted to see however other MACs were showing up from the
> intermediary switches along the path (Cisco 7600 - EX4200 - EX4200 -
> EX4200 in this particular case)....
> 
> Solved now thankfully - we like to be friendly to our peers at
> exchange points and I was getting worried ;)

What were the other MACs that you didn't want leaked? The MAC filter is 
a fine workaround, but if your EX's are leaking things they shouldn't be 
I'd like to see that get addressed too. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
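An added configuration example (not Paul's posted config or anything else from the thread) showing what the commit error above leaves open on an EX: the `log` and `syslog` actions are rejected on an egress (`output`) filter, but `count` is accepted there, and a `log` action is accepted on an ingress (`input`) filter. So the egress filter keeps its `discard` and gains a counter that shows whether the block term is firing at all, and a second, accept-only copy of the same match is applied as an input filter on the uplink that carries frames toward the peer port, where it logs every source MAC other than the expected one without changing forwarding. The MAC and the filter name `core2_peering_filter` are from the posted snippet; the interface names `ge-0/0/0` (exchange-facing) and `xe-0/1/0` (uplink toward the next EX4200 / the Cisco 7600), the filter name `core2_peering_macs_seen` and the counter names are assumptions for illustration.

```junos
firewall {
    family ethernet-switching {
        /* Egress filter as posted, plus a counter: 'log'/'syslog' are
           rejected on an output filter on EX, 'count' is accepted. */
        filter core2_peering_filter {
            term expected_mac_address {
                from {
                    source-mac-address {
                        00:0b:45:b6:f5:00;
                    }
                }
                then accept;
            }
            term block {
                then {
                    count peering_egress_discards;
                    discard;
                }
            }
        }
        /* Ingress-only copy used purely for identification: it logs and
           counts frames whose source MAC is not the expected one, then
           accepts them, so the data path is unchanged. */
        filter core2_peering_macs_seen {
            term expected_mac_address {
                from {
                    source-mac-address {
                        00:0b:45:b6:f5:00;
                    }
                }
                then accept;
            }
            term log_other_macs {
                then {
                    log;
                    count peering_unexpected_macs;
                    accept;
                }
            }
        }
    }
}
interfaces {
    /* Assumed names: ge-0/0/0 faces the exchange point, xe-0/1/0 is the
       uplink on which frames headed for the peer port enter this switch. */
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    output core2_peering_filter;
                }
            }
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input core2_peering_macs_seen;
                }
            }
        }
    }
}
```

After the commit, `show firewall filter core2_peering_filter` shows the `peering_egress_discards` counter, and `show firewall log` shows the entries written by the ingress `log` action (the in-memory log is small and wraps; `syslog` in place of, or next to, `log` sends them to the configured syslog host instead). If the uplink is a trunk carrying other VLANs, every non-matching frame on it is logged, so either narrow the logging term further or apply the input filter to a port that carries only the peering VLAN, and remove the input filter once the stray MACs have been identified.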


