[j-nsp] Etherchannel Cisco - Juniper and firewall filter

Graham Brown juniper-nsp at grahambrown.info
Mon Sep 12 15:41:21 EDT 2016


+1 for the last suggestion. Keep it simple; EIGRP not running on those
links is the answer - same for CDP, UDLD, etc.

Graham Brown
Twitter - @mountainrescuer <https://twitter.com/#!/mountainrescuer>
LinkedIn <http://www.linkedin.com/in/grahamcbrown>

On 10 September 2016 at 08:44, Niall Donaghy <niall.donaghy at geant.org>
wrote:

> Hi Lucio,
>
> A few thoughts that occur to me:
>
>         - Your configuration looks 100% correct; I am equally surprised it
> dropped traffic.
>         - Is the Junos code in production and in lab the same?
>         - Perhaps try the same filter in production but without the
> discard action. Check if the counter is working as expected.
>         - You could try filtering out destination-address 224.0.0.10/32.
>
>         - But ... why not just set EIGRP to passive on that interface, eg:
>
>                 C3750(config)#router eigrp <asn>
>                 C3750(config-router)#passive-interface <int>
>
> Kind regards,
> Niall
>
> > -----Original Message-----
> > From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Valentini, Lucio
> > Sent: 09 September 2016 15:37
> > To: juniper-nsp at puck.nether.net
> > Subject: [j-nsp] Etherchannel Cisco - Juniper and firewall filter
> >
> > Hi there,
> >
> > I have a Juniper EX4200 connected through an etherchannel with a Cisco
> > C3750. I noticed (with the "monitor traffic interface ae1" command) that
> > the interface on the Juniper was receiving EIGRP Hello packets, so I
> > applied this filter on the input in order to stop/drop these packets,
> > because as far as I know there is no EIGRP-speaking router on the other
> > side of the Juniper switch.
> >
> > set firewall family ethernet-switching filter block-Eigrp term block-Eigrp from destination-mac-address 01:00:5e:00:00:0a/48
> > set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then discard
> > set firewall family ethernet-switching filter block-Eigrp term block-Eigrp then count eigrp-count
> > set firewall family ethernet-switching filter block-Eigrp term traffic-allow then accept
> >
> > Information was taken from: https://kb.juniper.net/InfoCenter/index?page=content&id=KB14893&actp=search
> >
> > where they say that the MAC address 01:00:5e:00:00:0a/48 is used by
> > EIGRP.
> >
> > But instead of dropping only the EIGRP packets, the filter dropped
> traffic as well and the result was really bad.
> >
> > Strangely enough, I tried to replicate the problem in the lab: I
> > connected a Cisco router's EIGRP Hello-generating interface to an EX4200,
> > configured the IP addresses, and the ping worked fine both ways.
> >
> > Any ideas about how to drop only Hello packets without causing
> > disruption?
> > Thanks
> >
> > Cheers
> >
> > Lucio
> >
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
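The following Python example is added here by the editor; it is not code from the thread, from Juniper or from Cisco. It shows the fact behind Niall's suggestion to match on destination-address 224.0.0.10/32 rather than on the MAC: under the RFC 1112 mapping an IPv4 group is placed into an Ethernet destination MAC using only its low 23 bits behind the 01:00:5e prefix, so the MAC 01:00:5e:00:00:0a is shared by 32 groups (224.0.0.10, 224.128.0.10, 225.0.0.10, ... 239.128.0.10), and a discard keyed on that MAC alone is coarser than one keyed on the group address and the EIGRP IP protocol number (88). The sample frames, the two filter functions and the frame names are constructed for illustration; whether this overlap is what dropped Lucio's traffic, the thread does not establish.

```python
"""Added example: why a destination-MAC match is coarser than a
destination-IP match for IPv4 multicast (RFC 1112, section 6.4).

Hosts build the Ethernet destination for an IPv4 group by copying only the
low-order 23 bits of the group address behind 01:00:5e.  The 5 bits between
the 1110 class-D prefix and those 23 bits are discarded, so 32 distinct
groups map onto every multicast MAC.
"""
import ipaddress

EIGRP_GROUP = "224.0.0.10"      # all-EIGRP-routers group (as quoted in the thread)
EIGRP_IP_PROTOCOL = 88          # IANA IP protocol number for EIGRP
MCAST_OUI_PREFIX = (0x01, 0x00, 0x5E)


def ipv4_multicast_to_mac(group):
    """Return the Ethernet destination MAC a host uses for an IPv4 group."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError("%s is not an IPv4 multicast address" % group)
    low23 = int(g) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_to_ipv4_multicast_groups(mac):
    """Return all 32 IPv4 groups that share one 01:00:5e:xx:xx:xx MAC."""
    octets = tuple(int(x, 16) for x in mac.lower().split(":"))
    if len(octets) != 6 or octets[:3] != MCAST_OUI_PREFIX or octets[3] & 0x80:
        raise ValueError("%s is not an IPv4 multicast MAC" % mac)
    low23 = (octets[3] << 16) | (octets[4] << 8) | octets[5]
    # 0xE0000000 is 224.0.0.0; the 5 ambiguous bits sit at bit positions 23..27.
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def mac_filter_discards(frame):
    """Models the thread's filter: discard on destination MAC 01:00:5e:00:00:0a only."""
    return frame["dst_mac"].lower() == ipv4_multicast_to_mac(EIGRP_GROUP)


def ip_filter_discards(frame):
    """Narrower match: IPv4 to 224.0.0.10 carrying IP protocol 88 (EIGRP)."""
    return (frame.get("dst_ip") == EIGRP_GROUP
            and frame.get("ip_proto") == EIGRP_IP_PROTOCOL)


# Constructed sample frames for illustration (not captures from the thread).
SAMPLE_FRAMES = [
    {"name": "EIGRP hello", "dst_mac": "01:00:5e:00:00:0a",
     "dst_ip": "224.0.0.10", "ip_proto": 88},
    # An application group whose low 23 bits collide with 224.0.0.10.
    {"name": "app multicast", "dst_mac": ipv4_multicast_to_mac("239.128.0.10"),
     "dst_ip": "239.128.0.10", "ip_proto": 17},
    {"name": "OSPF hello", "dst_mac": ipv4_multicast_to_mac("224.0.0.5"),
     "dst_ip": "224.0.0.5", "ip_proto": 89},
    {"name": "unicast ssh", "dst_mac": "00:11:22:33:44:55",
     "dst_ip": "10.0.0.1", "ip_proto": 6},
]


def compare_filters(frames=SAMPLE_FRAMES):
    """Return {frame name: (discarded by MAC filter, discarded by IP filter)}."""
    return {f["name"]: (mac_filter_discards(f), ip_filter_discards(f))
            for f in frames}


if __name__ == "__main__":
    print("groups sharing 01:00:5e:00:00:0a:",
          ", ".join(mac_to_ipv4_multicast_groups("01:00:5e:00:00:0a")))
    for name, (by_mac, by_ip) in compare_filters().items():
        print("%-14s mac-filter=%-8s ip-filter=%s" % (
            name, "discard" if by_mac else "accept",
            "discard" if by_ip else "accept"))
```

Run stand-alone it lists the 32 colliding groups and shows the MAC-only filter discarding the constructed 239.128.0.10 application frame that the IP-plus-protocol filter leaves alone. On EX-series Junos the narrower version of the term is what Niall proposes, a `destination-address 224.0.0.10/32` match in the ethernet-switching filter, and it is worth keeping his other suggestion too: run the term with `count` only and no `discard` first, and check the counter against expected hello rates before turning the discard on.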

