[j-nsp] MAC filter on EX switches

Eduardo Schoedler listas at esds.com.br
Wed Dec 9 21:57:04 EST 2015


Aaron,

Sorry, the correct command is:

show ethernet-switching table

After you apply the filter, is it still in the table?

Thank you.

On Wednesday, December 9, 2015, Eduardo Schoedler <
listas at esds.com.br> wrote:

> If you do "show arp no-resolve", does it show the mac-address?
>
> --
> Eduardo
>
> 2015-12-09 18:03 GMT-02:00 Aaron <aaron1 at gvtc.com>:
> > I’m not sure what you mean Eduardo.
> >
> >
> >
> > I just typed that mac address into the firewall filter as a test.  I did
> > not test this to see if it would really stop traffic.
> >
> >
> >
> > Aaron
> >
> >
> >
> > From: Eduardo Schoedler [mailto:listas at esds.com.br]
> > Sent: Wednesday, December 09, 2015 1:47 PM
> > To: Aaron
> >
> >
> > Cc: Juniper List
> > Subject: Re: [j-nsp] MAC filter on EX switches
> >
> >
> >
> > Aaron,
> >
> >
> >
> > In this example, can you confirm that the mac-address is not learned by the
> > switch?
> >
> >
> >
> > Thanks.
> >
> >
> > On Wednesday, December 9, 2015, Aaron <aaron1 at gvtc.com> wrote:
> >
> >
> > I was unable to find an example in that web page and others I just tried
> > to look for online ... an example that would deny only one mac and allow
> > all others... which I believe is what Tim was looking to accomplish.  I
> > just dug into my notes and tried this... seems to make sense to me, BUT
> > USE WITH CAUTION please Tim, et al, as I haven't tested it and don't know
> > the full effects of it yet... plus I'm fairly new to the Junos world...so...
> >
> > Someone more experienced than me please let us know if there is a better
> > way to accomplish such a scenario.
> >
> >
> > Set mode...
> >
> > set firewall family ethernet-switching filter deny-a-mac term term1 from source-mac-address aa:bb:cc:dd:ee:ff/48
> > set firewall family ethernet-switching filter deny-a-mac term term1 then discard
> > set firewall family ethernet-switching filter deny-a-mac term term2 then accept
> >
> > set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input deny-a-mac
> >
> > -------------------------------------------------------------------------------------------------
> > Stanza mode, or whatever it's called...
> >
> > gvtc at eng-lab-ex4550-1# show | compare
> > [edit interfaces]
> > +   ge-0/0/11 {
> > +       unit 0 {
> > +           family ethernet-switching {
> > +               filter {
> > +                   input deny-a-mac;
> > +               }
> > +           }
> > +       }
> > +   }
> > [edit]
> > +  firewall {
> > +      family ethernet-switching {
> > +          filter deny-a-mac {
> > +              term term1 {
> > +                  from {
> > +                      source-mac-address {
> > +                          aa:bb:cc:dd:ee:ff/48;
> > +                      }
> > +                  }
> > +                  then discard;
> > +              }
> > +              term term2 {
> > +                  then accept;
> > +              }
> > +          }
> > +      }
> > +  }
> >
> > {master:0}[edit]
> > gvtc at eng-lab-ex4550-1# commit
> > configuration check succeeds
> > commit complete
> >
> > {master:0}[edit]
> >
> >
> >
> > Aaron
> >
> >
> > -----Original Message-----
> > From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> > Muhammad Atif Jauhar
> > Sent: Wednesday, December 09, 2015 9:55 AM
> > To: Tim St. Pierre
> > Cc: Juniper List
> > Subject: Re: [j-nsp] MAC filter on EX switches
> >
> > Hi Tim,
> > Check the link below; it may help you.
> >
> >
> > https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-security-protect-from-snooping-database-attack.html
> >
> > Regards,
> > Atif.
> > On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <tim at communicatefreely.net> wrote:
> >
> >> Hello list,
> >>
> >> Does anyone know if it's possible to configure an EX switch, such as
> >> an EX 2200, to filter ingress based on MAC address?
> >>
> >> It's important that the switch just drop disallowed MAC addresses, but
> >> not shut down the port.  We have a network device that is sporadically
> >> using the wrong mac address as the source, and when it goes into a
> >> Cisco switch at a peering exchange, they shutdown our port for half an
> >> hour because of the cisco MAC security.
> >>
> >> We would like to put an EX in there to filter it while we figure out
> >> what's causing it.
> >>
> >> Thanks!
> >>
> >>
> >> --
> >> Tim St. Pierre
> >> System Operator
> >> Communicate Freely
> >> www.communicatefreely.net
> >> 289-225-1220 x5101
> >>
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
> >
> >
> > --
> >
> > Eduardo Schoedler
> >
> >
>
>
>
> --
> Eduardo Schoedler
>


-- 
Eduardo Schoedler
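As an added example (not part of the thread, and not Juniper's code), the helper below builds the same "deny one MAC, accept everything else" filter that Aaron posted, and then does the check Eduardo asked for: parse the text of `show ethernet-switching table` and report whether the filtered MAC is still learned on the port. Two things go beyond the thread and are assumptions on my part: a filter term may list several `source-mac-address` entries (Junos accepts a list there), and the same shape works as an allow-list by swapping the two actions. The table output in `SAMPLE_TABLE` is constructed to resemble EX output, not captured from Aaron's switch, and the filter and interface names are hypothetical.

```python
"""Build a Junos family ethernet-switching MAC filter and verify the result
against the output of 'show ethernet-switching table'.  Added example; the
sample table below is constructed, not captured from a real switch."""
import re

# Exact 48-bit MAC in the colon-separated lowercase form Junos prints.
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex
    and return the colon form; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_filter_config(name: str, interface: str, macs, mode: str = "deny"):
    """Return the 'set' commands for an ingress MAC filter on one port.

    mode="deny":  listed MACs are discarded, everything else accepted
                  (the case from the thread; a /48 mask is an exact match).
    mode="allow": listed MACs accepted, everything else discarded
                  (assumed variant, same term structure with actions swapped).
    Either way the frame is dropped by the filter; the port itself stays up."""
    if mode not in ("deny", "allow"):
        raise ValueError("mode must be 'deny' or 'allow'")
    listed_action = "discard" if mode == "deny" else "accept"
    default_action = "accept" if mode == "deny" else "discard"
    base = f"set firewall family ethernet-switching filter {name}"
    cmds = [f"{base} term term1 from source-mac-address {normalize_mac(m)}/48"
            for m in macs]
    cmds.append(f"{base} term term1 then {listed_action}")
    # term2 has no 'from', so it matches everything term1 did not.
    cmds.append(f"{base} term term2 then {default_action}")
    cmds.append(f"set interfaces {interface} unit 0 family ethernet-switching "
                f"filter input {name}")
    return cmds


# Constructed sample of 'show ethernet-switching table' output (EX, non-ELS
# layout: VLAN, MAC, Type, Age, Interface).  Hypothetical addresses.
SAMPLE_TABLE = """\
Ethernet-switching table: 4 entries, 3 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           00:1f:12:34:56:78 Learn          0 ge-0/0/11.0
  default           aa:bb:cc:dd:ee:ff Learn          0 ge-0/0/11.0
  default           00:50:56:00:00:01 Learn          3 ge-0/0/12.0
"""


def learned_entries(table_output: str):
    """Parse the table text into (vlan, mac, type, interface) tuples, skipping
    the header, the summary line and the '*' flood entry."""
    entries = []
    for line in table_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        vlan, mac, entry_type, _age, iface = parts[:5]
        if not MAC_RE.fullmatch(mac):
            continue
        entries.append((vlan, mac, entry_type, iface))
    return entries


def mac_still_learned(table_output: str, mac: str, interface: str = None) -> bool:
    """True if the MAC is present in the table, optionally restricted to one
    physical interface (the table shows logical units such as ge-0/0/11.0)."""
    target = normalize_mac(mac)
    for _vlan, m, _type, iface in learned_entries(table_output):
        if m == target and (interface is None or iface.split(".")[0] == interface):
            return True
    return False


if __name__ == "__main__":
    for cmd in mac_filter_config("deny-a-mac", "ge-0/0/11", ["aa:bb:cc:dd:ee:ff"]):
        print(cmd)
    # After 'commit', paste the new table output in place of SAMPLE_TABLE.
    print("still learned on ge-0/0/11:",
          mac_still_learned(SAMPLE_TABLE, "aa:bb:cc:dd:ee:ff", "ge-0/0/11"))
```

If the MAC is still listed against the port after the commit, the filter is dropping the frames but the switch is still learning the source address from them; if it has aged out and does not return, learning is being blocked as well. Either way the port is not error-disabled, which is the property Tim needed and which the Cisco port-security shutdown did not give him.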

