[j-nsp] Etherchannel Cisco - Juniper and firewall filter

Valentini, Lucio Lucio.Valentini at siag.it
Fri Sep 9 10:36:46 EDT 2016


Hi there,

I have a Juniper EX4200 connected through an etherchannel with a Cisco C3750; I noticed (with the "monitor traffic interface ae1" command) that the interface on the Juniper was receiving EIGRP Hello packets. I applied this filter on the input in order to stop/drop these packets, because as far as I know there is no EIGRP-speaking router on the other side of the Juniper switch.

set firewall family ethernet-switching filter block-Eigrp term block-Eigrp from destination-mac-address 01:00:5e:00:00:0a/48
set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then discard
set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then count eigrp-count
set firewall family ethernet-switching filter block-Eigrp term traffic-allow then accept

Information was taken from: https://kb.juniper.net/InfoCenter/index?page=content&id=KB14893&actp=search

where they say that the mac-address 01:00:5e:00:00:0a/48 is used by EIGRP.

But instead of dropping only the EIGRP packets, the filter dropped traffic as well and the result was really bad.

Strangely enough, I tried to replicate the problem in the lab: I connected a Cisco router's EIGRP Hello-generating interface to an EX4200, configured the IP addresses and the ping worked fine both ways.

Any ideas about how to drop only Hello packets without causing disruption?
Thanks

Cheers

Lucio
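
Added example, not part of the original message: a Python sketch that models the two terms of the filter above as first-match rules and runs constructed sample frames through them, to check which destination MACs the block-Eigrp term would catch. It assumes the RFC 1112 mapping of IPv4 multicast groups to 01:00:5e MACs and models only the filter's match logic, not EX4200 behaviour; the function names and sample frames are invented for illustration.

```python
import ipaddress

def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112):
    fixed prefix 01:00:5e plus the low 23 bits of the group address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)

# The two terms from the post, in order: (term name, destination MAC or None, action).
FILTER = [
    ("block-Eigrp", "01:00:5e:00:00:0a", "discard"),
    ("traffic-allow", None, "accept"),
]

def evaluate(dst_mac: str, terms=FILTER):
    """Return (term, action) of the first matching term.
    A term with no match condition matches every frame."""
    for name, match_mac, action in terms:
        if match_mac is None or dst_mac.lower() == match_mac:
            return name, action
    return "implicit", "discard"  # Junos filters end with an implicit discard

# Constructed sample frames (label, destination MAC); not captured traffic.
SAMPLE_FRAMES = [
    ("EIGRP hello to 224.0.0.10", multicast_mac("224.0.0.10")),
    ("other group 224.128.0.10", multicast_mac("224.128.0.10")),
    ("OSPF hello to 224.0.0.5", multicast_mac("224.0.0.5")),
    ("unicast", "00:11:22:33:44:55"),
    ("broadcast (ARP)", "ff:ff:ff:ff:ff:ff"),
]

def run():
    """Evaluate every sample frame against the modelled filter."""
    return {label: evaluate(mac) for label, mac in SAMPLE_FRAMES}

if __name__ == "__main__":
    for label, (term, action) in run().items():
        print(f"{label:28} -> {term}: {action}")
```

Because only the low 23 bits of the group address are mapped, the block-Eigrp term also matches other groups such as 224.128.0.10, while unicast and broadcast frames fall through to traffic-allow in this model.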



