[j-nsp] MAC filter on EX switches

Wed Dec 9 12:38:11 EST 2015

I was unable to find an example in that web page and others I just tried to
look for online ... an example that would deny only one mac and allow all
others... which I believe is what Tim was looking to accomplish.  I just dug
into my notes and tried this... seems to make sense to me, BUT USE WITH
CAUTION please Tim, et al, as I haven't tested it and don't know the full
effects of it yet... plus I'm fairly new to the Junos world...so...  

someone more experienced than me please let us know if there is a better way
to accomplish such a scenario.

Set mode...

set firewall family ethernet-switching filter deny-a-mac term term1 from
source-mac-address aa:bb:cc:dd:ee:ff/48
set firewall family ethernet-switching filter deny-a-mac term term1 then
discard
set firewall family ethernet-switching filter deny-a-mac term term2 then
accept

set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input
deny-a-mac
----------------------------------------------------------------------------
-----------------
Stanza mode, or whatever it's called...

gvtc at eng-lab-ex4550-1# show | compare
[edit interfaces]
+   ge-0/0/11 {
+       unit 0 {
+           family ethernet-switching {
+               filter {
+                   input deny-a-mac;
+               }
+           }
+       }
+   }
[edit]
+  firewall {
+      family ethernet-switching {
+          filter deny-a-mac {
+              term term1 {
+                  from {
+                      source-mac-address {
+                          aa:bb:cc:dd:ee:ff/48;
+                      }
+                  }
+                  then discard;
+              }
+              term term2 {
+                  then accept;
+              }
+          }
+      }
+  }

{master:0}[edit]
gvtc at eng-lab-ex4550-1# commit
configuration check succeeds
commit complete

{master:0}[edit]

Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
Muhammad Atif Jauhar
Sent: Wednesday, December 09, 2015 9:55 AM
To: Tim St. Pierre
Cc: Juniper List
Subject: Re: [j-nsp] MAC filter on EX switches

Hi Tim,
Check bellow link may it help you.

https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-securit
y-protect-from-snooping-database-attack.html#/

Regards,
Atif.
On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <tim at communicatefreely.net> wrote:

> Hello list,
>
> Does anyone know if it's possible to configure an EX switch, such as 
> an EX
> 2200 to filter ingress based on MAC address?
>
> It's important that the switch just drop disallowed MAC addresses, but 
> not shut down the port.  We have a network device that is sporadically 
> using the wrong mac address as the source, and when it goes into a 
> Cisco switch at a peering exchange, they shutdown our port for half an 
> hour because of the cisco MAC security.
>
> We would like to put an EX in there to filter it while we figure out 
> what's causing it.
>
> Thanks!
>
>
> --
> Tim St. Pierre
> System Operator
> Communicate Freely
> www.communicatefreely.net
> 289-225-1220 x5101
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp