[j-nsp] MAC filter on EX switches

Eduardo Schoedler listas at esds.com.br
Wed Dec 9 17:20:41 EST 2015


If you do "show arp no-resolve", does it show the mac-address?

--
Eduardo

2015-12-09 18:03 GMT-02:00 Aaron <aaron1 at gvtc.com>:
> I’m not sure what you mean Eduardo.
>
>
>
> I just typed that mac address into the firewall filter as a test.  I did not
> test this to see if it would really stop traffic.
>
>
>
> Aaron
>
>
>
> From: Eduardo Schoedler [mailto:listas at esds.com.br]
> Sent: Wednesday, December 09, 2015 1:47 PM
> To: Aaron
>
>
> Cc: Juniper List
> Subject: Re: [j-nsp] MAC filter on EX switches
>
>
>
> Aaron,
>
>
>
> in this example, can you confirm if the mac-address is not learned by the
> switch?
>
>
>
> Thanks.
>
>
> On Wednesday, December 9, 2015, Aaron <aaron1 at gvtc.com> wrote:
>
>
> I was unable to find an example in that web page and others I just tried to
> look for online ... an example that would deny only one mac and allow all
> others... which I believe is what Tim was looking to accomplish.  I just dug
> into my notes and tried this... seems to make sense to me, BUT USE WITH
> CAUTION please Tim, et al, as I haven't tested it and don't know the full
> effects of it yet... plus I'm fairly new to the Junos world...so...
>
> someone more experienced than me please let us know if there is a better way
> to accomplish such a scenario.
>
>
> Set mode...
>
> set firewall family ethernet-switching filter deny-a-mac term term1 from
> source-mac-address aa:bb:cc:dd:ee:ff/48
> set firewall family ethernet-switching filter deny-a-mac term term1 then
> discard
> set firewall family ethernet-switching filter deny-a-mac term term2 then
> accept
>
> set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input
> deny-a-mac
> ---------------------------------------------------------------------------------------------
> Stanza mode, or whatever it's called...
>
> gvtc at eng-lab-ex4550-1# show | compare
> [edit interfaces]
> +   ge-0/0/11 {
> +       unit 0 {
> +           family ethernet-switching {
> +               filter {
> +                   input deny-a-mac;
> +               }
> +           }
> +       }
> +   }
> [edit]
> +  firewall {
> +      family ethernet-switching {
> +          filter deny-a-mac {
> +              term term1 {
> +                  from {
> +                      source-mac-address {
> +                          aa:bb:cc:dd:ee:ff/48;
> +                      }
> +                  }
> +                  then discard;
> +              }
> +              term term2 {
> +                  then accept;
> +              }
> +          }
> +      }
> +  }
>
> {master:0}[edit]
> gvtc at eng-lab-ex4550-1# commit
> configuration check succeeds
> commit complete
>
> {master:0}[edit]
>
>
>
> Aaron
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Muhammad Atif Jauhar
> Sent: Wednesday, December 09, 2015 9:55 AM
> To: Tim St. Pierre
> Cc: Juniper List
> Subject: Re: [j-nsp] MAC filter on EX switches
>
> Hi Tim,
> Check the link below; it may help you.
>
> https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-security-protect-from-snooping-database-attack.html#/
>
> Regards,
> Atif.
> On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <tim at communicatefreely.net> wrote:
>
>> Hello list,
>>
>> Does anyone know if it's possible to configure an EX switch, such as
>> an EX 2200, to filter ingress based on MAC address?
>>
>> It's important that the switch just drop disallowed MAC addresses, but
>> not shut down the port.  We have a network device that is sporadically
>> using the wrong mac address as the source, and when it goes into a
>> Cisco switch at a peering exchange, they shut down our port for half an
>> hour because of the Cisco MAC security.
>>
>> We would like to put an EX in there to filter it while we figure out
>> what's causing it.
>>
>> Thanks!
>>
>>
>> --
>> Tim St. Pierre
>> System Operator
>> Communicate Freely
>> www.communicatefreely.net
>> 289-225-1220 x5101
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
>
> --
>
> Eduardo Schoedler
>
>



-- 
Eduardo Schoedler
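Aaron's filter above discards a single source MAC and then accepts everything else. As an added example (not from the thread or from Juniper), the Python helper below generates the same style of Junos set commands for a list of denied MACs, normalising the usual MAC notations and always appending the final accept term that the filter's implicit discard makes necessary. The filter name, interface and MAC values are placeholders.

```python
import re

# Junos expects MACs in lower-case colon form, e.g. aa:bb:cc:dd:ee:ff/48.
_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return a MAC as 'aa:bb:cc:dd:ee:ff' or raise ValueError.

    Accepts colon, hyphen and Cisco dotted (aabb.ccdd.eeff) notations.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_deny_mac_filter(filter_name, interface, denied_macs):
    """Return Junos 'set' commands for an ethernet-switching filter that
    discards frames from each MAC in denied_macs and accepts all others.

    One term per denied MAC, then a final accept term: a Junos firewall
    filter ends in an implicit discard, so without that term every other
    host behind the port would be dropped too (the problem Tim wants to
    avoid).
    """
    base = "set firewall family ethernet-switching filter %s" % filter_name
    cmds = []
    seen = set()
    for mac in denied_macs:
        mac = normalize_mac(mac)
        if mac in seen:
            continue  # duplicates would only create redundant terms
        seen.add(mac)
        term = "deny-" + mac.replace(":", "")
        cmds.append("%s term %s from source-mac-address %s/48" % (base, term, mac))
        cmds.append("%s term %s then discard" % (base, term))
    cmds.append("%s term allow-rest then accept" % base)
    cmds.append("set interfaces %s unit 0 family ethernet-switching filter input %s"
                % (interface, filter_name))
    return cmds


if __name__ == "__main__":
    # Constructed sample input: the MAC from Aaron's test, twice in two notations.
    for line in build_deny_mac_filter("deny-a-mac", "ge-0/0/11",
                                      ["aa:bb:cc:dd:ee:ff", "AA-BB-CC-DD-EE-FF"]):
        print(line)
```

Paste the output into configuration mode and use `show | compare` before committing, as in Aaron's session, to confirm only the intended terms are added.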

