[j-nsp] Etherchannel Cisco - Juniper and firewall filter

Niall Donaghy niall.donaghy at geant.org
Fri Sep 9 16:44:54 EDT 2016 

Hi Lucio,

A few thoughts that occur to me:

	- Your configuration looks 100% correct; I am equally surprised it dropped traffic.
	- Is the Junos code in production and in lab the same?
	- Perhaps try the same filter in production but without the discard action. Check if the counter is working as expected.
	- You could try filtering out destination-address 224.0.0.10/32.

	- But ... why not just set EIGRP to passive on that interface, eg:

		C3750(config)#router eigrp <asn>
		C3750(config-router)#passive-interface <int>

Kind regards,
Niall

> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Valentini, Lucio
> Sent: 09 September 2016 15:37
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Etherchannel Cisco - Juniper and firewall filter
> 
> Hi there,
> 
> I  have a Juniper EX4200 connected through an etherchannel with a Cisco C3750; I noticed (with the "monitor traffic interface ae1"
> command)
> the interface on the Juniper was receiving EIGRP Hello packets,  I applied this filter on the input in order to stop/drop these
packets,
> because as far as I know there is no EIGRP-speaking router on the other side of the Juniper switch.
> 
> set firewall family ethernet-switching filter block-Eigrp term block-Eigrp from destination-mac-address 01:00:5e:00:00:0a/48
> set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then discard
> set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then count eigrp-count
> set firewall family ethernet-switching filter block-Eigrp term traffic-allow then accept
> 
> information was taken from: https://kb.juniper.net/InfoCenter/index?page=content&id=KB14893&actp=search
> 
> where they say that the  mac-address 01:00:5e:00:00:0a/48 is used by EIGRP.
> 
> But instead of dropping only the EIGRP packets, the filter dropped traffic as well and the result was really bad.
> 
> Strangely enough, I tried to replicate the problem in the lab: I connected a Cisco router´s EIGRP Hello-generating interface to an
EX4200,
> configured the IP addresses and the ping worked fine both ways.
> 
> Any ideas about how to drop only Hello packets without causing disruption ?
> Thanks
> 
> Cheers
> 
> Lucio
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list