Switching

  • 1.  EX2200 - Block a MAC address?

    Posted 01-08-2016 11:27

    Is there a way to block a specific MAC address on an EX2200 switch? I ask because we've recently detected an IP conflict on our network, and I traced the rogue device's MAC address down to the exact switch port, but we're unsure what is plugged into the port. We're suspecting it may be a wireless access point, and if so, we don't want to just shut the port or unplug it. We also don't want to enable MAC limiting because I believe that works by explicitly -allowing- MAC addresses through port security, not allowing -all- and explicitly denying -one-.

    Thanks for the assistance!



  • 2.  RE: EX2200 - Block a MAC address?
    Best Answer

    Posted 01-08-2016 11:49

    Hi matt_c,

     

    Yes, you can use a firewall filter on the EX series of switches to block/permit specific MAC addresses. This is an example for something similar to what you want, but on an MX router. The syntax should be the same for the commands (depending on your Junos version):

    http://www.juniper.net/documentation/en_US/junos13.2/topics/example/layer-2-vlans-firewall-filters-filtering-frames-by-mac-address-mx-solutions.html

    [edit firewall]
    family bridge {
        filter evil-mac-address {
            term one {
                from {
                    source-mac-address 88:05:00:29:3c:de/48;
                }
                then {
                    count evil-mac-address; # Counts frames with the bad source MAC address
                    discard;
                }
            }
            term two {
                then accept; # Make sure to accept other traffic
            }
        }
    }

     

    Then apply the filter to the interface in question.



  • 3.  RE: EX2200 - Block a MAC address?

     
    Posted 01-08-2016 12:13

    Just FYI, it will not be family "bridge" on EX, but instead family "ethernet-switching". MX and EX are not the same from an L2 perspective, until you get to newer EX products, and even then there are some minor differences.



  • 4.  RE: EX2200 - Block a MAC address?

    Posted 01-08-2016 12:26

    This is exactly what I needed, thanks!



  • 5.  RE: EX2200 - Block a MAC address?

    Posted 01-08-2016 12:31

    Could you help with the actual commands?

    I've started with the following:

    root@SW1# edit firewall family ethernet-switching

    root@SW1# set filter evil-mac-address ?

     

    A bit lost at this point. 



  • 6.  RE: EX2200 - Block a MAC address?

     
    Posted 01-08-2016 13:10

    You'll need something like this under filter evil-mac-address:

    term macdrop {
        from {
            source-mac-address {
                00:00:00:00:00:01/48;
            }
        }
        then discard;
    }
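As an added example, not taken from this thread or from Juniper's documentation, here is the complete "set" form for an EX2200 that ties together the ethernet-switching family from post 3 and the term from post 6, and adds the counter and explicit accept term from the MX example in post 2 (a filter ends with an implicit discard, so without the accept term the port would drop everything else). The interface name ge-0/0/5 and the MAC 00:00:00:00:00:01 are placeholders, to be replaced with the port the address was traced to and the offending address.

```junos
# Added example (not from this thread): EX2200 (non-ELS) source-MAC block in set form.
# ge-0/0/5 and 00:00:00:00:00:01 are placeholders.
edit

# 1. Define the filter: one term that counts and discards frames from the bad
#    source MAC, and a final term that accepts everything else.
set firewall family ethernet-switching filter evil-mac-address term macdrop from source-mac-address 00:00:00:00:00:01/48
set firewall family ethernet-switching filter evil-mac-address term macdrop then count evil-mac-address
set firewall family ethernet-switching filter evil-mac-address term macdrop then discard
set firewall family ethernet-switching filter evil-mac-address term allow-rest then accept

# 2. Apply it inbound on the access port only; the port itself stays up.
set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input evil-mac-address

# 3. Commit with a rollback timer in case the filter matches more than intended,
#    check the counter, then confirm the commit.
commit confirmed 5
run show firewall filter evil-mac-address
commit

# 4. To lift the block later, remove the binding from the port and commit again.
delete interfaces ge-0/0/5 unit 0 family ethernet-switching filter input evil-mac-address
commit
```

The counter is the useful check here: if it increments while the IP conflict stops, the filter is doing its job; if the conflict continues with the counter at zero, the traced MAC or port was wrong and the filter is not the fix. The filter only matches frames that still carry that source address, so it addresses the symptom on this port while the device behind it is identified.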



  • 7.  RE: EX2200 - Block a MAC address?

     
    Posted 01-08-2016 13:12

    Some info can be found here:

    http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-stateless-match-conditions-address-fields.html

    Remember Google is your best friend when it comes to Junos!!