[j-nsp] MAC filter on EX switches

Eduardo Schoedler listas at esds.com.br
Wed Dec 9 14:46:30 EST 2015


Aaron,

In this example, can you confirm whether the MAC address is not learned by the
switch?

Thanks.

On Wednesday, December 9, 2015, Aaron <aaron1 at gvtc.com> wrote:

>
> I was unable to find an example in that web page and others I just tried to
> look for online ... an example that would deny only one mac and allow all
> others... which I believe is what Tim was looking to accomplish.  I just dug
> into my notes and tried this... seems to make sense to me, BUT USE WITH
> CAUTION please Tim, et al, as I haven't tested it and don't know the full
> effects of it yet... plus I'm fairly new to the Junos world...so...
>
> someone more experienced than me please let us know if there is a better way
> to accomplish such a scenario.
>
>
> Set mode...
>
> set firewall family ethernet-switching filter deny-a-mac term term1 from source-mac-address aa:bb:cc:dd:ee:ff/48
> set firewall family ethernet-switching filter deny-a-mac term term1 then discard
> set firewall family ethernet-switching filter deny-a-mac term term2 then accept
>
> set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input deny-a-mac
>
> ---------------------------------------------------------------------------------------------
> Stanza mode, or whatever it's called...
>
> gvtc at eng-lab-ex4550-1# show | compare
> [edit interfaces]
> +   ge-0/0/11 {
> +       unit 0 {
> +           family ethernet-switching {
> +               filter {
> +                   input deny-a-mac;
> +               }
> +           }
> +       }
> +   }
> [edit]
> +  firewall {
> +      family ethernet-switching {
> +          filter deny-a-mac {
> +              term term1 {
> +                  from {
> +                      source-mac-address {
> +                          aa:bb:cc:dd:ee:ff/48;
> +                      }
> +                  }
> +                  then discard;
> +              }
> +              term term2 {
> +                  then accept;
> +              }
> +          }
> +      }
> +  }
>
> {master:0}[edit]
> gvtc at eng-lab-ex4550-1# commit
> configuration check succeeds
> commit complete
>
> {master:0}[edit]
>
>
>
> Aaron
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Muhammad Atif Jauhar
> Sent: Wednesday, December 09, 2015 9:55 AM
> To: Tim St. Pierre
> Cc: Juniper List
> Subject: Re: [j-nsp] MAC filter on EX switches
>
> Hi Tim,
> Check the link below; it may help you.
>
>
> https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-security-protect-from-snooping-database-attack.html#/
>
> Regards,
> Atif.
> On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <tim at communicatefreely.net> wrote:
>
> > Hello list,
> >
> > Does anyone know if it's possible to configure an EX switch, such as
> > an EX
> > 2200 to filter ingress based on MAC address?
> >
> > It's important that the switch just drop disallowed MAC addresses, but
> > not shut down the port.  We have a network device that is sporadically
> > using the wrong mac address as the source, and when it goes into a
> > Cisco switch at a peering exchange, they shutdown our port for half an
> > hour because of the cisco MAC security.
> >
> > We would like to put an EX in there to filter it while we figure out
> > what's causing it.
> >
> > Thanks!
> >
> >
> > --
> > Tim St. Pierre
> > System Operator
> > Communicate Freely
> > www.communicatefreely.net
> > 289-225-1220 x5101
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>


-- 
Eduardo Schoedler
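A variant of the single-MAC discard filter quoted in Aaron's reply, added here as an example and not taken from the thread or from Juniper documentation: it attaches a counter to the discard term so the operator can tell whether the misbehaving source MAC is actually hitting the filter, which is what Tim said he was trying to work out. The filter and term names and the placeholder MAC follow Aaron's message; the counter name `bad-src-mac` and the interface `ge-0/0/11` are assumptions for this example.

```junos
# Added example: discard one source MAC, count what is dropped, accept everything else.
# aa:bb:cc:dd:ee:ff is the placeholder MAC from Aaron's message; the counter name
# "bad-src-mac" and interface ge-0/0/11 are assumptions for this example.
set firewall family ethernet-switching filter deny-a-mac term term1 from source-mac-address aa:bb:cc:dd:ee:ff/48
set firewall family ethernet-switching filter deny-a-mac term term1 then count bad-src-mac
set firewall family ethernet-switching filter deny-a-mac term term1 then discard
set firewall family ethernet-switching filter deny-a-mac term term2 then accept

# Bind the filter to the ingress direction of the port facing the misbehaving device.
set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input deny-a-mac

# Operational mode: the counter increments for each frame the filter discards
# from that source, so a rising value confirms the device is still emitting it.
show firewall filter deny-a-mac
```

Two points worth keeping in mind when adapting this: the `/48` mask requires all 48 bits to match, so the term catches exactly one address, while a shorter mask would match a whole OUI range; and `term2 then accept` is not optional, because a Junos firewall filter ends with an implicit discard, so without it every other frame on the port would be dropped as well.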

