[j-nsp] RE : ALS on Juniper
Ben Dale
bdale at comlinx.com.au
Tue Jun 28 18:31:35 EDT 2011
On 29/06/2011, at 2:59 AM, Alex wrote:
> You can simulate it with source MAC filtering: allow fake MAC in and deny everything else.
> HTH
> Rgds
> Alex
Sorry to hijack this thread a bit, but this seems problematic on EX - I've been trying to filter OAM PDUs on an EX in order to simulate just that, and I don't seem to get anywhere:
bdale at EX-East> show version
Hostname: EX-East
Model: ex3200-48p
JUNOS Base OS boot [10.4R5.5]
JUNOS Base OS Software Suite [10.4R5.5]
JUNOS Kernel Software Suite [10.4R5.5]
JUNOS Crypto Software Suite [10.4R5.5]
JUNOS Online Documentation [10.4R5.5]
JUNOS Enterprise Software Suite [10.4R5.5]
JUNOS Packet Forwarding Engine Enterprise Software Suite [10.4R5.5]
JUNOS Routing Software Suite [10.4R5.5]
JUNOS Web Management [10.4R5.5]
bdale at EX-East> show configuration firewall
family ethernet-switching {
    filter UD-OAM {
        term DROP-OAM {
            from {
                destination-mac-address {
                    01:80:c2:00:00:02/48;
                }
                ether-type oam;
            }
            then {
                discard;
                count FILTERED-OAM;
            }
        }
        term ALL-ELSE {
            then {
                accept;
                count TRAFFIC-HITS;
            }
        }
    }
}
bdale at EX-East> show configuration interfaces ge-0/0/0
unit 0 {
    family ethernet-switching {
        filter {
            input UD-OAM;
        }
    }
}
bdale at EX-East> show firewall filter UD-OAM
Counters:
Name                 Bytes      Packets
FILTERED-OAM             0            0
TRAFFIC-HITS           931            7
Based on the rate of increase of the TRAFFIC-HITS counter (non-matched traffic) it looks like the input filter applied to a physical interface is seeing LLDP from the neighbouring switch, but not STP BPDUs or OAM traffic.
When I shift the filter from physical interface to the VLAN, I still get no hits on FILTERED-OAM, but TRAFFIC-HITS increases faster, indicating I'm probably now matching on BPDUs and LLDP. I've even tried a DENY-ALL on both the interface AND the VLAN, and LFM still stays up. Any thoughts?
RAS are you out there? You seem to have an unhealthy knowledge of EX firewall filters right? ; )
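An added example, not code from the post or from Juniper: a small Python model of the two match conditions in the UD-OAM filter above (destination MAC 01:80:c2:00:00:02/48 and ether-type oam), evaluated over constructed frames for the control protocols named in the thread, to show which term each frame would hit if it reached the filter at all. It assumes that the Junos keyword `ether-type oam` corresponds to the IEEE 802.3 Slow Protocols EtherType 0x8809 that 802.3ah LFM OAMPDUs carry; the LACP frame is included because it shares that MAC and EtherType and is caught by the same term.

```python
# Added example (not from the post): models the UD-OAM filter's match
# conditions over constructed frames. Assumption: "ether-type oam" in Junos
# means the 802.3 Slow Protocols EtherType 0x8809 used by 802.3ah LFM OAMPDUs.
import struct

OAM_DST = bytes.fromhex("0180c2000002")   # Slow Protocols group MAC (OAM, LACP)
ETHERTYPE_OAM = 0x8809                    # Slow Protocols EtherType
SRC = bytes.fromhex("001122334455")       # constructed source MAC


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst, src and the type/length field.
    A value below 0x0600 is an 802.3 length (LLC follows), not an EtherType."""
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src,
            "ethertype": tl if tl >= 0x0600 else None,
            "payload": frame[14:]}


def filter_ud_oam(frame: bytes) -> str:
    """Return the name of the UD-OAM term the frame would match."""
    f = parse_frame(frame)
    if f["dst"] == OAM_DST and f["ethertype"] == ETHERTYPE_OAM:
        return "DROP-OAM"      # then discard; count FILTERED-OAM
    return "ALL-ELSE"          # then accept; count TRAFFIC-HITS


def build_frame(dst: bytes, type_or_len: int, payload: bytes) -> bytes:
    return dst + SRC + struct.pack("!H", type_or_len) + payload


# Constructed frames for the protocols mentioned in the thread.
# 802.3ah OAMPDU: slow-protocol subtype 0x03, flags, code 0x00 (Information).
OAM_PDU = build_frame(OAM_DST, ETHERTYPE_OAM, b"\x03\x00\x50\x00")
# LLDP: nearest-bridge group MAC 01:80:c2:00:00:0e, EtherType 0x88cc.
LLDP = build_frame(bytes.fromhex("0180c200000e"), 0x88CC, b"\x02\x07\x04" + SRC)
# STP BPDU: bridge group MAC, 802.3 length field (38), LLC DSAP/SSAP 0x42.
STP_BPDU = build_frame(bytes.fromhex("0180c2000000"), 38, b"\x42\x42\x03" + b"\x00" * 35)
# LACP: same group MAC and EtherType as OAM, but subtype 0x01.
LACP = build_frame(OAM_DST, ETHERTYPE_OAM, b"\x01\x01" + b"\x00" * 108)


def classify_all() -> dict:
    """Map each constructed frame to the UD-OAM term it would hit."""
    return {name: filter_ud_oam(fr) for name, fr in
            [("oam", OAM_PDU), ("lldp", LLDP), ("stp", STP_BPDU), ("lacp", LACP)]}


if __name__ == "__main__":
    for name, term in classify_all().items():
        print(f"{name:5s} -> {term}")
```

The STP BPDU has no EtherType at all (802.3 length plus LLC), so an `ether-type` match can never select it; the LACP result shows that a term keyed only on the group MAC and EtherType discards LACP PDUs along with LFM unless the slow-protocol subtype is also distinguished.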