[j-nsp] R: Etherchannel Cisco - Juniper and firewall filter
Valentini, Lucio
Lucio.Valentini at siag.it
Mon Sep 12 08:27:54 EDT 2016
Hi folks,
it looks like the "[KB14893] Cisco EIGRP protocol and EX Switch configuration compatibility" is wrong.
Here they say:
If the VLAN on the EX Switch is configured for IGMP-snooping protocol, flooding of multicast hello packets will not happen. The EX Switch with IGMP-snooping enabled will drop EIGRP hello packets and routers connected at interfaces will not be able to form adjacency.
NOTE: IGMP-snooping is enabled by default in JUNOS 9.3 software and later releases
[Cisco A] ---------- Port 1 (VLAN A)-- [EX switch]--(VLAN A) Port 2 ------------ [Cisco B]
For Cisco's EIGRP protocol to work using the EX Switch in above topology (transit mode) IGMP-Snooping protocol has to be disabled on the EX Switch
To disable IGMP-Snooping protocol on the EX switch use following command:
juniper at ex# set protocol igmp-snooping vlan <name of the vlan> disable
juniper at ex# commit
Now, I have version 12.3R8.7 on my EX4200 and the default command
set protocol igmp-snooping vlan all
and yet EIGRP traffic is flowing and with that, even data traffic. Therefore applying the filter was a costly mistake. I may even lose my job because of that: now, who's to blame?
Thanks
Regards
Lucio
-----Original Message-----
From: Niall Donaghy [mailto:niall.donaghy at geant.org]
Sent: Friday, 9 September 2016 22:45
To: Valentini, Lucio <Lucio.Valentini at siag.it>; juniper-nsp at puck.nether.net
Subject: RE: Etherchannel Cisco - Juniper and firewall filter
Hi Lucio,
A few thoughts that occur to me:
- Your configuration looks 100% correct; I am equally surprised it dropped traffic.
- Is the Junos code in production and in lab the same?
- Perhaps try the same filter in production but without the discard action. Check if the counter is working as expected.
- You could try filtering out destination-address 224.0.0.10/32.
- But ... why not just set EIGRP to passive on that interface, eg:
C3750(config)#router eigrp <asn>
C3750(config-router)#passive-interface <int>
Kind regards,
Niall
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Valentini, Lucio
> Sent: 09 September 2016 15:37
> To: juniper-nsp at puck.nether.net<mailto:juniper-nsp at puck.nether.net>
> Subject: [j-nsp] Etherchannel Cisco - Juniper and firewall filter
>
> Hi there,
>
> I have a Juniper EX4200 connected through an etherchannel with a Cisco C3750; I noticed (with the "monitor traffic interface ae1" command)
> the interface on the Juniper was receiving EIGRP Hello packets, I applied this filter on the input in order to stop/drop these packets,
> because as far as I know there is no EIGRP-speaking router on the other side of the Juniper switch.
>
> set firewall family ethernet-switching filter block-Eigrp term block-Eigrp from destination-mac-address 01:00:5e:00:00:0a/48
> set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then discard
> set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then count eigrp-count
> set firewall family ethernet-switching filter block-Eigrp term traffic-allow then accept
>
> information was taken from: https://kb.juniper.net/InfoCenter/index?page=content&id=KB14893&actp=search
>
> where they say that the mac-address 01:00:5e:00:00:0a/48 is used by EIGRP.
>
> But instead of dropping only the EIGRP packets, the filter dropped traffic as well and the result was really bad.
>
> Strangely enough, I tried to replicate the problem in the lab: I connected a Cisco router's EIGRP Hello-generating interface to an EX4200,
> configured the IP addresses and the ping worked fine both ways.
>
> Any ideas about how to drop only Hello packets without causing disruption ?
> Thanks
>
> Cheers
>
> Lucio
>
>
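The thread above filters EIGRP on the Ethernet destination MAC 01:00:5e:00:00:0a, while Niall suggests matching the IP group 224.0.0.10/32 instead. The two are not equivalent: an IPv4 multicast MAC is derived from only the low 23 bits of the group address (RFC 1112), so 32 different groups share one MAC. The Python below is an added example, not code from the thread, from Juniper or from the KB article; it computes the mapping both ways and runs a MAC-based and an IP-based match over a small set of constructed sample frames (not captured traffic) to show which destinations each term would discard.

```python
"""
Added example: IPv4 multicast group <-> Ethernet MAC mapping (RFC 1112 s6.4)
and a comparison of a MAC-based versus an IP-based filter term.
Sample frames below are constructed for illustration, not captured traffic.
"""
import ipaddress

IPV4_MCAST_OUI = 0x01005E000000   # 01:00:5e:00:00:00, bit 23 of the MAC is always 0
LOW23_MASK = 0x7FFFFF             # only these bits of the group address reach the MAC


def multicast_ip_to_mac(group: str) -> str:
    """Return the Ethernet MAC a host or switch uses for an IPv4 multicast group."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac_int = IPV4_MCAST_OUI | (int(ip) & LOW23_MASK)
    return ":".join(f"{(mac_int >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(mac: str) -> list[str]:
    """List all 32 IPv4 multicast groups that map onto the given multicast MAC."""
    mac_int = int(mac.replace(":", ""), 16)
    if mac_int >> 23 != IPV4_MCAST_OUI >> 23:
        raise ValueError("not an IPv4 multicast MAC (01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff)")
    low23 = mac_int & LOW23_MASK
    # The group address is 1110 + 28 bits; the top 5 of those 28 bits (bits 23..27)
    # are discarded when forming the MAC, hence 2**5 = 32 candidate groups.
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]


EIGRP_GROUP = "224.0.0.10"                       # EIGRP hello destination
EIGRP_MAC = multicast_ip_to_mac(EIGRP_GROUP)     # 01:00:5e:00:00:0a, as used in the thread

# Constructed sample frames (destination MAC and destination IP only).
SAMPLE_FRAMES = [
    {"dst_mac": "01:00:5e:00:00:0a", "dst_ip": "224.0.0.10"},   # EIGRP hello
    {"dst_mac": "01:00:5e:00:00:0a", "dst_ip": "225.0.0.10"},   # unrelated group, same MAC
    {"dst_mac": "01:00:5e:00:00:0a", "dst_ip": "239.128.0.10"}, # site-local group, same MAC
    {"dst_mac": "01:00:5e:00:00:05", "dst_ip": "224.0.0.5"},    # OSPF AllSPFRouters
    {"dst_mac": "00:11:22:33:44:55", "dst_ip": "10.0.0.2"},     # ordinary unicast data
]


def dropped_by_mac_term(frames: list[dict]) -> list[str]:
    """Destinations a term matching destination-mac-address 01:00:5e:00:00:0a/48 would discard."""
    return [f["dst_ip"] for f in frames if f["dst_mac"].lower() == EIGRP_MAC]


def dropped_by_ip_term(frames: list[dict]) -> list[str]:
    """Destinations a term matching destination-address 224.0.0.10/32 would discard."""
    return [f["dst_ip"] for f in frames if f["dst_ip"] == EIGRP_GROUP]


if __name__ == "__main__":
    print("EIGRP MAC:", EIGRP_MAC)
    print("Groups sharing that MAC:", ", ".join(groups_sharing_mac(EIGRP_MAC)))
    print("MAC term would drop:", dropped_by_mac_term(SAMPLE_FRAMES))
    print("IP term would drop: ", dropped_by_ip_term(SAMPLE_FRAMES))
```

The 32:1 aliasing does not by itself explain unicast data being dropped, but it is the reason an IP-level match on 224.0.0.10/32 is the tighter term when the goal is to discard only EIGRP hellos: any other group whose address ends in the same 23 bits (225.0.0.10, 239.128.0.10 and so on) shares the MAC and is silently caught by the MAC-based term.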