If you do "show arp no-resolve", does it show the mac-address?

--
Eduardo

2015-12-09 18:03 GMT-02:00 Aaron <aar...@gvtc.com>:
> I'm not sure what you mean Eduardo.
>
> I just typed that mac address into the firewall filter as a test. I did not
> test this to see if it would really stop traffic.
>
> Aaron
>
> From: Eduardo Schoedler [mailto:lis...@esds.com.br]
> Sent: Wednesday, December 09, 2015 1:47 PM
> To: Aaron
> Cc: Juniper List
> Subject: Re: [j-nsp] MAC filter on EX switches
>
> Aaron,
>
> in this example, can you confirm if the mac-address is not learned by the
> switch?
>
> Thanks.
>
> On Wednesday, December 9, 2015, Aaron <aar...@gvtc.com> wrote:
>
> I was unable to find an example in that web page and others I just tried to
> look for online ... an example that would deny only one mac and allow all
> others... which I believe is what Tim was looking to accomplish. I just dug
> into my notes and tried this... seems to make sense to me, BUT USE WITH
> CAUTION please Tim, et al, as I haven't tested it and don't know the full
> effects of it yet... plus I'm fairly new to the Junos world...so...
> someone more experienced than me please let us know if there is a better way
> to accomplish such a scenario.
>
> Set mode...
>
> set firewall family ethernet-switching filter deny-a-mac term term1 from source-mac-address aa:bb:cc:dd:ee:ff/48
> set firewall family ethernet-switching filter deny-a-mac term term1 then discard
> set firewall family ethernet-switching filter deny-a-mac term term2 then accept
>
> set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input deny-a-mac
> ---------------------------------------------------------------------------------------------
> Stanza mode, or whatever it's called...
>
> gvtc@eng-lab-ex4550-1# show | compare
> [edit interfaces]
> +   ge-0/0/11 {
> +       unit 0 {
> +           family ethernet-switching {
> +               filter {
> +                   input deny-a-mac;
> +               }
> +           }
> +       }
> +   }
> [edit]
> +  firewall {
> +      family ethernet-switching {
> +          filter deny-a-mac {
> +              term term1 {
> +                  from {
> +                      source-mac-address {
> +                          aa:bb:cc:dd:ee:ff/48;
> +                      }
> +                  }
> +                  then discard;
> +              }
> +              term term2 {
> +                  then accept;
> +              }
> +          }
> +      }
> +  }
>
> {master:0}[edit]
> gvtc@eng-lab-ex4550-1# commit
> configuration check succeeds
> commit complete
>
> {master:0}[edit]
>
> Aaron
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
> Muhammad Atif Jauhar
> Sent: Wednesday, December 09, 2015 9:55 AM
> To: Tim St. Pierre
> Cc: Juniper List
> Subject: Re: [j-nsp] MAC filter on EX switches
>
> Hi Tim,
> Check the link below, it may help you.
>
> https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-security-protect-from-snooping-database-attack.html#/
>
> Regards,
> Atif.
> On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <t...@communicatefreely.net> wrote:
>
>> Hello list,
>>
>> Does anyone know if it's possible to configure an EX switch, such as an EX
>> 2200, to filter ingress based on MAC address?
>>
>> It's important that the switch just drop disallowed MAC addresses, but
>> not shut down the port. We have a network device that is sporadically
>> using the wrong mac address as the source, and when it goes into a
>> Cisco switch at a peering exchange, they shut down our port for half an
>> hour because of the Cisco MAC security.
>>
>> We would like to put an EX in there to filter it while we figure out
>> what's causing it.
>>
>> Thanks!
>>
>> --
>> Tim St. Pierre
>> System Operator
>> Communicate Freely
>> www.communicatefreely.net
>> 289-225-1220 x5101
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> --
> Eduardo Schoedler

--
Eduardo Schoedler
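Added example (editor's addition, not configuration posted by anyone in the thread): the same deny-one-source-MAC filter Aaron built, with a counter on the discard term so that the "I did not test this" gap can be closed from the CLI, followed by the operational commands that show whether frames are being dropped, whether the offending MAC is still learned on the port (Eduardo's question), and that the port itself stays up (Tim's requirement). Interface, filter, term and counter names and the MAC address are placeholders; lines beginning with # are commentary, not CLI input. The syntax is the family ethernet-switching form Aaron ran on the EX4550; confirm the match conditions against the filter documentation for your EX model and release before relying on it.

```junos
# --- configuration (edit mode) ---
# Term 1: match the bad source MAC, count it, and discard the frame.
# discard drops the frame only; it does not disable the port the way a
# port-security violation action on a Cisco switch does.
set firewall family ethernet-switching filter deny-a-mac term drop-bad-source from source-mac-address aa:bb:cc:dd:ee:ff/48
set firewall family ethernet-switching filter deny-a-mac term drop-bad-source then count deny-a-mac-hits
set firewall family ethernet-switching filter deny-a-mac term drop-bad-source then discard

# Term 2: everything else is forwarded normally. Without this explicit
# accept the filter's implicit final action would discard all other frames.
set firewall family ethernet-switching filter deny-a-mac term allow-rest then accept

# Apply it as an ingress filter on the port facing the misbehaving device.
set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input deny-a-mac

# Validate, then commit with an automatic rollback window so a mistake on a
# remote box undoes itself unless you confirm within 5 minutes.
commit check
commit confirmed 5
# ... verify with the show commands below, then make it permanent:
commit

# --- verification (operational mode) ---
# Packet/byte counters for the discard term; should climb only when the
# device emits frames from aa:bb:cc:dd:ee:ff.
show firewall filter deny-a-mac

# Is the filtered MAC still present in the L2 table on ge-0/0/11?
show ethernet-switching table | match aa:bb:cc:dd:ee:ff

# The port must remain up: the filter drops frames, it never shuts the port.
show interfaces ge-0/0/11 terse
```

The counter is the difference between "it committed" and "it works": a rising deny-a-mac-hits value while the device is misbehaving, with ge-0/0/11 still up in the terse output, is the evidence Tim needs before putting the EX in front of the exchange port. The ethernet-switching table query is the direct way to settle Eduardo's question about learning, rather than inferring it from the ARP cache, which only reflects IP neighbours the switch itself has resolved.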