SRX Services Gateway
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
syednasirraza
Contributor
syednasirraza
Posts: 95
Registered: ‎02-27-2012
0
Accepted Solution

MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎03-14-2012 01:51 AM

hi all

Although on EX switches, i can do mac biding by applying filter as under:-

#set firewall family ethernet-swtiching filter abc term abc from source-mac-address  xxxxxxxxxx

However when i try to do same on SRX firewall, it does not show option ethernet-switching in family:

set firewall family ? (it shows options of inet and other but not ethernet swiching)...and if i select family inet, then in match condition from ? (does not give source-mac-address) i.e gives options related to ip addresses only...i need to put in some mac addresses under match condition

whats the solution??how to filter some specific source mac addreses on SRX firewall????

NASIR RAZA
JNCIA-JUNOS, JNCIS-ENT.
Message 1 of 9 (1,039 Views)
 
Reply
Distinguished Expert
Distinguished Expert
MMcD
Posts: 513
Registered: ‎07-20-2010
0

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎03-14-2012 02:18 AM

Hi there,

 

This is available in Junos 11.4.  See below:

 

http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/firewall-filter-stateless-match-condi...

MMcD [JNCIS-SEC, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Message 2 of 9 (1,038 Views)
 
Reply
Juniper Employee
Juniper Employee
tonyzhou
Posts: 91
Registered: ‎11-11-2010
0

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎03-16-2012 02:23 AM

You can try following command.

 set firewall family bridge filter g term 1 from source-mac-address 00:00:00:00:00:01/48

Message 3 of 9 (1,007 Views)
 
Reply
syednasirraza
Contributor
syednasirraza
Posts: 95
Registered: ‎02-27-2012
0

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎03-19-2012 10:57 PM

hi..thanx alot for refrering to 11.4,

, probably it will solve issue, however still im unable to download package 11.4 to use it... and even on 11.4 package, I have found either i will be required to do it in Web Managment or if in command line, then i will have to use family vpls...what is differnt in family vpls from family ethernet-switching.. i mean what else will it affect for me??/will i have to cater for something else aswell or just select family vpls and keep on doing what i could do with family ehternet-switching???

NASIR RAZA
JNCIA-JUNOS, JNCIS-ENT.
Message 4 of 9 (992 Views)
 
Reply
syednasirraza
Contributor
syednasirraza
Posts: 95
Registered: ‎02-27-2012
0

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎03-19-2012 11:02 PM

hi tonyzhou.

.thnx for replying...

but i tried to find firewall family bridge but i did not find this option,, there were only ccc,inet, mpls,vpls... i was using SR 240 with version Junos 10.0R3.1...where will this bridge option be avaible ?? in some other upgraded version????

NASIR RAZA
JNCIA-JUNOS, JNCIS-ENT.
Message 5 of 9 (991 Views)
 
Reply
Recognized Expert
Recognized Expert
rasmus
Posts: 342
Registered: ‎02-28-2010

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎04-25-2012 06:46 PM

Hi,
 
Please implement mac binding on SRX using "ethernet-switching-options", e.g.
 
set ethernet-switching-options secure-access-port interface interface-trust allowed-mac 00:05:85:3A:82:80
set ethernet-switching-options secure-access-port interface interface-trust mac-limit 1 action drop
set ethernet-switching-options secure-access-port port-error-disable disable-timeout 60
. . . . . .
set vlan vlan-trust vlan-id 100
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member ge-0/0/2
. . . . . . . . . . .
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
 
regards

 

 

Hafiz Muhammad Farooq
JNCIP-SEC, JNCIS-SEC, JNCIS-FWV, JNCIS-SP, JNCIA-JUNOS
RHCE, Oracle Certified Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Message 6 of 9 (918 Views)
 
Reply
wangyu@fly-idea.com
Visitor
wangyu@fly-idea.com
Posts: 3
Registered: ‎07-13-2011
0

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎04-26-2012 01:26 AM

This is only Interface binding, not IP-MAC binding:smileyindifferent:

Message 7 of 9 (912 Views)
 
Reply
Recognized Expert
Recognized Expert
rasmus
Posts: 342
Registered: ‎02-28-2010

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎04-26-2012 03:16 AM

hi fly-idea,

see first post, he is looking for MAC filtering using "set firewall filter", not dhcp-ip-mac binding ...

however, you were right in the sense that we chose the wrong terminology ... :smileyhappy:

regards

Hafiz Muhammad Farooq
JNCIP-SEC, JNCIS-SEC, JNCIS-FWV, JNCIS-SP, JNCIA-JUNOS
RHCE, Oracle Certified Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Message 8 of 9 (907 Views)
 
Reply
syednasirraza
Contributor
syednasirraza
Posts: 95
Registered: ‎02-27-2012
0

Re: MAC Binding on Firewall (SRX) - applying filter family ethernet-switching on firewall

Options

‎05-14-2012 02:13 AM

hi dear rasmus....

its done...thnx alot...

can u tell me reason,,,, i had earlier tried to adopt this aproach on srx 240, but i was unable to do it earlier....the ethernet-switching-option secure-access-port was aval on switch to bind mac,,but not on srx 240...wt was the reason???

plz guide

NASIR RAZA
JNCIA-JUNOS, JNCIS-ENT.
Message 9 of 9 (875 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.