[j-nsp] MAC filter on EX switches

Tim St. Pierre tim at communicatefreely.net
Wed Dec 9 17:25:12 EST 2015


Thanks for all the help everyone.  I didn't know firewall filters could 
apply to layer 2.

It actually doesn't matter if it ends up in the bridge table, as long as 
it doesn't go out the other side.  There is only one MAC address we want 
to pass.  The topology is MX5 -> Procera -> Exchange fabric.
We would put an EX between the Procera and the Exchange and only allow 
the MAC from the MX5 to pass.

I have an EX2200 that I may be able to test this on before we try it on 
the production network.

-Tim

On 2015-12-09 05:20 PM, Eduardo Schoedler wrote:
> If you do "show arp no-resolve", does it show the mac-address?
>
> --
> Eduardo
>
> 2015-12-09 18:03 GMT-02:00 Aaron <aaron1 at gvtc.com>:
>> I’m not sure what you mean Eduardo.
>>
>> I just typed that mac address into the firewall filter as a test.  I did not
>> test this to see if it would really stop traffic.
>>
>> Aaron
>>
>> From: Eduardo Schoedler [mailto:listas at esds.com.br]
>> Sent: Wednesday, December 09, 2015 1:47 PM
>> To: Aaron
>>
>>
>> Cc: Juniper List
>> Subject: Re: [j-nsp] MAC filter on EX switches
>>
>> Aaron,
>>
>> in this example, can you confirm if the mac-address is not learned by the
>> switch?
>>
>> Thanks.
>>
>>
>> On Wednesday, 9 December 2015, Aaron <aaron1 at gvtc.com> wrote:
>>
>>
>> I was unable to find an example in that web page and others I just tried to
>> look for online ... an example that would deny only one mac and allow all
>> others... which I believe is what Tim was looking to accomplish.  I just dug
>> into my notes and tried this... seems to make sense to me, BUT USE WITH
>> CAUTION please Tim, et al, as I haven't tested it and don't know the full
>> effects of it yet... plus I'm fairly new to the Junos world...so...
>>
>> someone more experienced than me please let us know if there is a better way
>> to accomplish such a scenario.
>>
>>
>> Set mode...
>>
>> set firewall family ethernet-switching filter deny-a-mac term term1 from
>> source-mac-address aa:bb:cc:dd:ee:ff/48
>> set firewall family ethernet-switching filter deny-a-mac term term1 then
>> discard
>> set firewall family ethernet-switching filter deny-a-mac term term2 then
>> accept
>>
>> set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input
>> deny-a-mac
>> ---------------------------------------------------------------------------------------------
>> Stanza mode, or whatever it's called...
>>
>> gvtc@eng-lab-ex4550-1# show | compare
>> [edit interfaces]
>> +   ge-0/0/11 {
>> +       unit 0 {
>> +           family ethernet-switching {
>> +               filter {
>> +                   input deny-a-mac;
>> +               }
>> +           }
>> +       }
>> +   }
>> [edit]
>> +  firewall {
>> +      family ethernet-switching {
>> +          filter deny-a-mac {
>> +              term term1 {
>> +                  from {
>> +                      source-mac-address {
>> +                          aa:bb:cc:dd:ee:ff/48;
>> +                      }
>> +                  }
>> +                  then discard;
>> +              }
>> +              term term2 {
>> +                  then accept;
>> +              }
>> +          }
>> +      }
>> +  }
>>
>> {master:0}[edit]
>> gvtc@eng-lab-ex4550-1# commit
>> configuration check succeeds
>> commit complete
>>
>> {master:0}[edit]
>>
>> Aaron
>>
>>
>> -----Original Message-----
>> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
>> Muhammad Atif Jauhar
>> Sent: Wednesday, December 09, 2015 9:55 AM
>> To: Tim St. Pierre
>> Cc: Juniper List
>> Subject: Re: [j-nsp] MAC filter on EX switches
>>
>> Hi Tim,
>> Check the link below; it may help you.
>>
>> https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-security-protect-from-snooping-database-attack.html#/
>>
>> Regards,
>> Atif.
>> On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <tim at communicatefreely.net> wrote:
>>
>>> Hello list,
>>>
>>> Does anyone know if it's possible to configure an EX switch, such as an
>>> EX 2200, to filter ingress based on MAC address?
>>>
>>> It's important that the switch just drop disallowed MAC addresses, but
>>> not shut down the port.  We have a network device that is sporadically
>>> using the wrong MAC address as the source, and when it goes into a
>>> Cisco switch at a peering exchange, they shut down our port for half an
>>> hour because of the Cisco MAC security.
>>>
>>> We would like to put an EX in there to filter it while we figure out
>>> what's causing it.
>>>
>>> Thanks!
>>>
>>>
>>> --
>>> Tim St. Pierre
>>> System Operator
>>> Communicate Freely
>>> www.communicatefreely.net
>>> 289-225-1220 x5101
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>> --
>>
>> Eduardo Schoedler
>

-- 
Tim St. Pierre
System Operator
Communicate Freely
www.communicatefreely.net
289-225-1220 x5101
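Tim's requirement is the inverse of the filter Aaron posted: pass frames from one source MAC (the MX5's) and silently drop everything else, without ever disabling the port. The configuration below is an added example for that allow-list case, not code from the thread or from Juniper; it uses the same `family ethernet-switching` filter construct Aaron showed. The port name `ge-0/0/0` (assumed to face the Procera) and the MAC `00:11:22:33:44:55` (a placeholder for the MX5's address) are assumptions and must be replaced. Junos evaluates filter terms in order and ends every filter with an implicit discard, so the final term is not needed for correctness; it is there so the dropped frames show up in a counter.

```junos
/* Added example, not from the thread. Assumptions: ge-0/0/0 faces the
   Procera; 00:11:22:33:44:55 stands in for the MX5's MAC. Replace both. */
firewall {
    family ethernet-switching {
        filter allow-mx5-only {
            /* Term 1: the single source MAC expected from the MX5 */
            term mx5 {
                from {
                    source-mac-address {
                        00:11:22:33:44:55/48;
                    }
                }
                then {
                    count mx5-frames;
                    accept;
                }
            }
            /* Term 2: frames not matched above would hit the implicit
               discard anyway; this term only makes the drops countable. */
            term everything-else {
                then {
                    count dropped-frames;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* Ingress filter on the port facing the Procera, so only frames
       sourced from the MX5's MAC are forwarded toward the exchange. */
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input allow-mx5-only;
                }
            }
        }
    }
}
```

After `commit`, `show firewall filter allow-mx5-only` lists both counters. A `dropped-frames` count that climbs while `mx5-frames` keeps increasing confirms that the stray-MAC frames are being caught on the EX and never reach the exchange's Cisco port, while the MX5's own traffic is unaffected. The filter only acts on frames entering `ge-0/0/0`; traffic in the other direction is untouched, and the port itself never changes state, which is the behaviour Tim asked for.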


