Thanks for all the help everyone. I didn't know firewall filters could apply to layer 2.

It actually doesn't matter if it ends up in the bridge table, as long as it doesn't go out the other side. There is only one MAC address we want to pass. The topology is MX5 -> Procera -> Exchange fabric. We would put an EX between the Procera and the Exchange and only allow the MAC from the MX5 to pass.

I have an EX2200 that I may be able to test this on before we try it on the production network.

-Tim
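The plan above is the inverse of Aaron's filter further down the thread: instead of discarding one bad MAC and accepting everything else, accept only the MX5's source MAC on the port facing the Procera and discard every other frame before it can reach the exchange side. The configuration below is an added example written for this thread, not a config posted by anyone on the list. It assumes ge-0/0/11 is the port facing the Procera and that 00:11:22:33:44:55 stands in for the MX5's real MAC; both are placeholders. The count action on the drop term is what makes the filter useful while debugging, since it tells you how often the wrong source address showed up without ever shutting the port.

```junos
## Added example (not from the thread). Placeholders: ge-0/0/11 = port
## facing the Procera, 00:11:22:33:44:55 = the MX5's real MAC address.

## Term 1: the only source MAC we want to reach the exchange fabric.
set firewall family ethernet-switching filter allow-only-mx5 term permit-mx5 from source-mac-address 00:11:22:33:44:55/48
set firewall family ethernet-switching filter allow-only-mx5 term permit-mx5 then accept

## Term 2: everything else is counted, then dropped. No terms after a
## discard, so nothing with a stray source MAC is forwarded out the
## exchange-facing port. The port itself stays up.
set firewall family ethernet-switching filter allow-only-mx5 term drop-others then count stray-source-macs
set firewall family ethernet-switching filter allow-only-mx5 term drop-others then discard

## Apply as an ingress filter only on the port that receives the
## Procera's traffic; the exchange-facing port needs no filter.
set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input allow-only-mx5

## Verification from operational mode after commit:
##   show firewall filter allow-only-mx5     (stray-source-macs should increase
##                                            whenever the device misbehaves)
##   show ethernet-switching table           (confirms which MACs the switch
##                                            has actually learned on ge-0/0/11)
```

Commit this on the lab EX2200 first and watch the stray-source-macs counter while the misbehaving device is attached; if the counter climbs and the exchange-facing port never sees the wrong MAC, the filter is doing the job the Cisco port-security setting was doing, minus the half-hour shutdown.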

On 2015-12-09 05:20 PM, Eduardo Schoedler wrote:
If you do "show arp no-resolve", does it show the mac-address?

--
Eduardo

2015-12-09 18:03 GMT-02:00 Aaron <aar...@gvtc.com>:
I’m not sure what you mean Eduardo.
I just typed that mac address into the firewall filter as a test.  I did not
test this to see if it would really stop traffic.
Aaron
From: Eduardo Schoedler [mailto:lis...@esds.com.br]
Sent: Wednesday, December 09, 2015 1:47 PM
To: Aaron


Cc: Juniper List
Subject: Re: [j-nsp] MAC filter on EX switches



Aaron,
in this example, can you confirm if the mac-address is not learned by the
switch?
Thanks.


On Wednesday, 9 December 2015, Aaron <aar...@gvtc.com> wrote:

I was unable to find an example in that web page and others I just tried to
look for online ... an example that would deny only one mac and allow all
others... which I believe is what Tim was looking to accomplish.  I just dug
into my notes and tried this... seems to make sense to me, BUT USE WITH
CAUTION please Tim, et al, as I haven't tested it and don't know the full
effects of it yet... plus I'm fairly new to the Junos world...so...

someone more experienced than me please let us know if there is a better way
to accomplish such a scenario.
Set mode...

set firewall family ethernet-switching filter deny-a-mac term term1 from source-mac-address aa:bb:cc:dd:ee:ff/48
set firewall family ethernet-switching filter deny-a-mac term term1 then discard
set firewall family ethernet-switching filter deny-a-mac term term2 then accept

set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input deny-a-mac
-------------------------------------------------------------------------------------------------
Stanza mode, or whatever it's called...

gvtc@eng-lab-ex4550-1# show | compare
[edit interfaces]
+   ge-0/0/11 {
+       unit 0 {
+           family ethernet-switching {
+               filter {
+                   input deny-a-mac;
+               }
+           }
+       }
+   }
[edit]
+  firewall {
+      family ethernet-switching {
+          filter deny-a-mac {
+              term term1 {
+                  from {
+                      source-mac-address {
+                          aa:bb:cc:dd:ee:ff/48;
+                      }
+                  }
+                  then discard;
+              }
+              term term2 {
+                  then accept;
+              }
+          }
+      }
+  }

{master:0}[edit]
gvtc@eng-lab-ex4550-1# commit
configuration check succeeds
commit complete

{master:0}[edit]
Aaron


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Muhammad Atif Jauhar
Sent: Wednesday, December 09, 2015 9:55 AM
To: Tim St. Pierre
Cc: Juniper List
Subject: Re: [j-nsp] MAC filter on EX switches

Hi Tim,
Check the link below; it may help you.

https://www.juniper.net/techpubs/en_US/junos12.3/topics/example/port-security-protect-from-snooping-database-attack.html#/

Regards,
Atif.
On Dec 9, 2015 6:43 PM, "Tim St. Pierre" <t...@communicatefreely.net> wrote:

Hello list,

Does anyone know if it's possible to configure an EX switch, such as an EX 2200, to filter ingress based on MAC address?

It's important that the switch just drop disallowed MAC addresses, but
not shut down the port.  We have a network device that is sporadically
using the wrong mac address as the source, and when it goes into a
Cisco switch at a peering exchange, they shutdown our port for half an
hour because of the cisco MAC security.

We would like to put an EX in there to filter it while we figure out
what's causing it.

Thanks!


--
Tim St. Pierre
System Operator
Communicate Freely
www.communicatefreely.net
289-225-1220 x5101

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

--

Eduardo Schoedler
--
Tim St. Pierre
System Operator
Communicate Freely
www.communicatefreely.net
289-225-1220 x5101