[j-nsp] MAC filter on EX switches

Aaron aaron1 at gvtc.com
Thu Dec 10 16:45:48 EST 2015


no

-----Original Message-----
From: Eduardo Schoedler [mailto:listas at esds.com.br] 
Sent: Wednesday, December 09, 2015 4:21 PM
To: Aaron
Cc: Juniper List
Subject: Re: [j-nsp] MAC filter on EX switches

If you do "show arp no-resolve", does it show the mac-address?

--
Eduardo

2015-12-09 18:03 GMT-02:00 Aaron <aaron1 at gvtc.com>:
> I’m not sure what you mean Eduardo.
>
>
>
> I just typed that mac address into the firewall filter as a test.  I 
> did not test this to see if it would really stop traffic.
>
>
>
> Aaron
>
>
>
> From: Eduardo Schoedler [mailto:listas at esds.com.br]
> Sent: Wednesday, December 09, 2015 1:47 PM
> To: Aaron
>
>
> Cc: Juniper List
> Subject: Re: [j-nsp] MAC filter on EX switches
>
>
>
> Aaron,
>
>
>
> in this example, can you confirm if the mac-address is not learned by 
> the switch?
>
>
>
> Thanks.
>
>
> On Wednesday, 9 December 2015, Aaron <aaron1 at gvtc.com> wrote:
>
>
> I was unable to find an example in that web page and others I just 
> tried to look for online ... an example that would deny only one mac 
> and allow all others... which I believe is what Tim was looking to 
> accomplish.  I just dug into my notes and tried this... seems to make 
> sense to me, BUT USE WITH CAUTION please Tim, et al, as I haven't 
> tested it and don't know the full effects of it yet... plus I'm fairly new to the Junos world...so...
>
> someone more experienced than me please let us know if there is a 
> better way to accomplish such a scenario.
>
>
> Set mode...
>
> set firewall family ethernet-switching filter deny-a-mac term term1 from source-mac-address aa:bb:cc:dd:ee:ff/48
> set firewall family ethernet-switching filter deny-a-mac term term1 then discard
> set firewall family ethernet-switching filter deny-a-mac term term2 then accept
>
> set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input deny-a-mac
> ---------------------------------------------------------------------------------------------
> Stanza mode, or whatever it's called...
>
> gvtc at eng-lab-ex4550-1# show | compare
> [edit interfaces]
> +   ge-0/0/11 {
> +       unit 0 {
> +           family ethernet-switching {
> +               filter {
> +                   input deny-a-mac;
> +               }
> +           }
> +       }
> +   }
> [edit]
> +  firewall {
> +      family ethernet-switching {
> +          filter deny-a-mac {
> +              term term1 {
> +                  from {
> +                      source-mac-address {
> +                          aa:bb:cc:dd:ee:ff/48;
> +                      }
> +                  }
> +                  then discard;
> +              }
> +              term term2 {
> +                  then accept;
> +              }
> +          }
> +      }
> +  }
>
> {master:0}[edit]
> gvtc at eng-lab-ex4550-1# commit
> configuration check succeeds
> commit complete
>
> {master:0}[edit]
>
>
>
> Aaron
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On 
> Behalf Of Muhammad Atif Jauhar
> Sent: Wednesday, December 09, 2015 9:55 AM
> To: Tim St. Pierre
> Cc: Juniper List
> Subject: Re: [j-nsp] MAC filter on EX switches
>
> Hi Tim,
> Check the link below; it may help you.
>
> https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-security-protect-from-snooping-database-attack.html#/
>
> Regards,
> Atif.
> On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <tim at communicatefreely.net> wrote:
>
>> Hello list,
>>
>> Does anyone know if it's possible to configure an EX switch, such as 
>> an EX
>> 2200 to filter ingress based on MAC address?
>>
>> It's important that the switch just drop disallowed MAC addresses, 
>> but not shut down the port.  We have a network device that is 
>> sporadically using the wrong mac address as the source, and when it 
>> goes into a Cisco switch at a peering exchange, they shutdown our 
>> port for half an hour because of the cisco MAC security.
>>
>> We would like to put an EX in there to filter it while we figure out 
>> what's causing it.
>>
>> Thanks!
>>
>>
>> --
>> Tim St. Pierre
>> System Operator
>> Communicate Freely
>> www.communicatefreely.net
>> 289-225-1220 x5101
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
>
> --
>
> Eduardo Schoedler
>
>



--
Eduardo Schoedler
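An added example, not configuration posted by anyone in this thread: Aaron's deny-one-MAC filter, rewritten so that the drop can be verified instead of assumed. The interface ge-0/0/11, the filter name, the term names and the counter name deny-a-mac-hits are assumed for illustration, as is the availability of the count action for ethernet-switching filters on the target EX platform. The essential points are the same as in Aaron's test: a full-length /48 match on the source MAC, discard for that one address, and an explicit accept term at the end, because a Junos firewall filter ends in an implicit discard and would otherwise drop all other traffic on the port.

```junos
firewall {
    family ethernet-switching {
        filter deny-a-mac {
            /* Drop frames sourced from the misbehaving MAC and count them
               (counter name deny-a-mac-hits is assumed for this example) */
            term drop-bad-source {
                from {
                    source-mac-address {
                        aa:bb:cc:dd:ee:ff/48;
                    }
                }
                then {
                    discard;
                    count deny-a-mac-hits;
                }
            }
            /* Filters end in an implicit discard: everything else must be accepted explicitly */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Interface name assumed; apply the filter on ingress of the port facing the faulty device */
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input deny-a-mac;
                }
            }
        }
    }
}
```

After commit, "show firewall filter deny-a-mac" displays the deny-a-mac-hits counter, so a non-zero value confirms frames from aa:bb:cc:dd:ee:ff are actually being discarded on ingress rather than only appearing to be. "show ethernet-switching table" answers Eduardo's question in the thread, namely whether that source address is still being learned on ge-0/0/11. Unlike Cisco port security, the filter only drops the matching frames and never error-disables the port, which is the behaviour Tim asked for.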


