Ethernet Switching
Visitor
Posts: 2
Registered: ‎06-11-2017
0 Kudos

EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

I'm new to Juniper devices, so please tell me if I'm being an idiot. I'm trying to configure an EX4300 switch with an allowed-mac list to limit what devices can connect. This appeared to be quite straightforward according to these:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10866
http://www.juniper.net/documentation/en_US/junos10.2/topics/task/configuration/port-security-cli.htm...

However ethernet-switching-options appears to have been deprecated (?) and replaced with switch-options, but there doesn't appear to be an allowed-mac equivalent.

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/getting-started-els.html...

Having looked at this pdf:

http://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/ex4300/port-secu...

It appears that Chapter 6: Configuring MAC Limiting doesn't reference configuring an allowed mac list via the CLI, only via the J-Web interface. I don't have the luxury of the latter right now and so need to do this via the CLI.
Does anybody know how to do this either via the CLI or what the exported config should look like? Of course maybe I've completely misinterpreted this, so feel free to flag that as well.

Any help would be appreciated.

Distinguished Expert
Posts: 573
Registered: ‎08-23-2015
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

Hello,

Page 95 of the same document shows the CLI procedure for the same.

You can search for "Configuring MAC Limiting (CLI Procedure)".

Regards,

Rushi

Distinguished Expert
Posts: 1,910
Registered: ‎06-06-2011
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

I have spent the last 4 hours searching for this configuration statement and not only am I disappointed, I am angry at having to spend so much time trying to find an answer to this query. Unfortunately I don't have an ELS switch at my disposal, where I could use the help to find it. Here is some information I have found, but not the configuration needed or requested. So if you have access to a 4300, could you enable this feature and paste the CLI statements in your response, so others can see it? Also Juniper needs to modify the document and add the specific CLI statement.

With MAC limiting, you limit the MAC addresses that can be learned on Layer 2 access interfaces by either limiting the number of MAC addresses or by specifying allowed MAC addresses.
• Specifying allowed MAC addresses—You configure the allowed MAC addresses for an interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. An allowed MAC address is bound to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.
Allowed MAC List: Specifies the MAC addresses that are allowed for the interface
MAC limiting is configured on Layer 2 interfaces
To add a MAC address:
1. Click Add.
2. Enter the MAC address.
3. Click OK

Page 95
NOTE: On a QFX Series Virtual Chassis, if you include the shutdown option at the
[edit vlans vlan-name switch-options interface interface-name interface-mac-limit packet-action]

hierarchy level and issue the commit operation, the system generates a commit error. The system does not
generate an error if you include the shutdown option at the

[edit switch-options interface interface-name interface-mac-limit packet-action]

hierarchy level.

Page 96
[edit switch-options]
user@switch# set interface interface-name interface-mac-limit limit packet-action <action>
[edit vlans]
user@switch# set vlan-name switch-options mac-table-size limit packet-action <action>
drop|drop-and-log|log|none|shutdown |- recovery-timeout
page 100
[edit vlans vlan-name switch-options]
user@switch# set mac-move-limit limit
As an alternative to using persistent MAC learning with MAC limiting, you can statically configure each MAC address on each port or allow.
[edit switch-options]
user@switch# set interface interface-name persistent-learning
To enable MAC limiting on one or more interfaces using the J-Web interface:
1. Select Configure>Security>Port Security.
2. Select one or more interfaces from the Interface List.
3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
...
To add allowed MAC addresses:
1. Click Add.
2. Type the allowed MAC address and click OK.
Repeat this step to add more allowed MAC addresses.
6. Click OK when you have finished setting MAC limits.
7. Click OK after the configuration has been successfully delivered.
 
ALL KINDS OF CLI STATEMENTS FOUND EXCEPT "ALLOWED MAC ADDRESS" Statement!!!
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Distinguished Expert
Posts: 573
Registered: ‎08-23-2015
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

Hello All,

Can you try something like this?

set vlans [vlan-name] switch-options interface [interface-name] interface-mac-limit 2
set vlans [vlan-name] switch-options interface [interface-name] interface-mac-limit packet-action drop-and-log
set vlans [vlan-name] switch-options interface [interface-name] static-mac <mac-address>
set vlans [vlan-name] switch-options interface [interface-name] static-mac <mac-address>

Regards,

Rushi

Visitor
Posts: 2
Registered: ‎06-11-2017
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

Hi lyndidon,
Thanks for proving I'm not going mad and for putting in that 4 hrs of effort trying to find these commands which is above and beyond what I expected.

So I managed to obtain a spare ex4300 with no config and enabled j-web as suggested, added in some allowed mac addresses and then dumped the config via the cli. So the main entries as far as I can see are as follows;


interfaces {
    ge-0/0/1 {
        apply-macro juniper-port-profile {
            Desktop;
        }
        ether-options {
            source-address-filter {
                <mac address1>;
                <mac address2>;
            }
        }
    }
}

..............

switch-options {
    interface ge-0/0/1.0 {
        interface-mac-limit {
            2;
            packet-action drop;
        }
    }
}

I already had entries in the switch-options for interface-mac-limit, but the ether-options / source-address-filter was new to me and to be honest I haven't had time to properly research them yet. As I'm trying to use groups to


groups {
    banana-user-access {
        interfaces {
            <ge-0/0/*> {
                ether-options {
                    source-address-filter {
                        <mac address1>;
                        <mac address2>;
                        etc .....

-------

interfaces {
    interface-range access_ports {
        member-range ge-0/0/0 to ge-0/0/48;
    }
    ge-0/0/0 {
        apply-groups banana-user-access;
    }
    ge-0/0/1 {
        apply-groups banana-user-access;
    }
    etc .....

-------

switch-options {
    interface ge-0/0/0.0 {
        interface-mac-limit {
            55;
        }
    }
    interface ge-0/0/1.0 {
        interface-mac-limit {
            55;
        }
    }
    etc .....

-------


I committed the above config and it was successfully loaded. However, upon testing, the MAC I didn't configure was still allowed to access the network.

I'm therefore not sure if;

1. It can be configured and applied in a group statement.
2. I have missed some other configuration that is needed.
3. I didn't drop any caches before the commit/testing so there is a chance the mac might still be cached?
4. Is <ge-0/0/*> a valid way to wildcard a range of interfaces (this is an inherited config) as I have used wildcard range to successfully set the switch-options but not with an * within the interface settings using the set command. I assume it must be valid or it wouldn't have committed?

For your awareness I've inherited this config and therefore I'm slightly hesitant to change it too much as until today I haven't had physical access to the switches, just remote and they are live providing a service to a project.

Rtllak, as these are live switches I have to perform testing OOH or I will need to use the spare ex4300 to create a test environment for this. This will probably take some time but I will try the example you gave as soon as I can.

As lyndidon has stated it would be good for Juniper to update their documentation to show how this can be done from the cli.

Distinguished Expert
Posts: 1,910
Registered: ‎06-06-2011
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

This is what I want to know: did you do this? Adding the static mac address is adding it to the ethernet switching table, but to limit mac it needs secure-access port, which is not available. So when these steps are followed, I would like to know what additional hierarchy is now visible.

1. Select Configure>Security>Port Security.<=======???????? Need to see what else has changed
2. Select one or more interfaces from the Interface List.
3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
...
To add allowed MAC addresses:
1. Click Add.
2. Type the allowed MAC address and click OK.
Repeat this step to add more allowed MAC addresses.
6. Click OK when you have finished setting MAC limits.
7. Click OK after the configuration has been successfully delivered

When you enable this feature, you would just need to clear the ethernet switching table of the mac addresses on the defined port. Any mac addresses learned will not be affected until they are flushed out of the ethernet switching table.

Also all you have to do is to change the MAC address of your test device (google it) to one that is not yet learned and try connecting on the port where security has been enabled.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Trusted Contributor
Posts: 98
Registered: ‎03-10-2009
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

Hi

There is an allowed-mac config in ethernet-switching-options; is this not working?

set ethernet-switching-options secure-access-port interface MACSEC allowed-mac 00:13:72:71:8a:32

Thanks

Partha

Distinguished Expert
Posts: 1,910
Registered: ‎06-06-2011
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

Take a look at the complete discussion. The hierarchy "ethernet-switching-options secure-access-port" is not available on ELS, as already observed in the discussion and the links to Juniper documents.
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Distinguished Expert
Posts: 1,910
Registered: ‎06-06-2011

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

Finally! I hope this is the solution!

OMG!! It took using the ELS translator to find the correct way to enable this feature
Junos
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
ELS
set interfaces ge-0/0/2 unit 0 accept-source-mac mac-address 00:05:85:3A:82:80

Use the ELS translator for the options you cannot find. Paste the Junos config and it will translate
https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Visitor
Posts: 1
Registered: ‎06-28-2011
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS


lyndidon wrote:

ELS
set interfaces ge-0/0/2 unit 0 accept-source-mac mac-address 00:05:85:3A:82:80

Use the ELS translator for the options you cannot find. Paste the Junos config and it will translate
https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp

This works but the commands

set interfaces ge-0/0/0.0 unit 0 accept-source-mac mac-limit 2 action drop

set interfaces ge-0/0/0.0 unit 0 accept-source-mac persistent-learning

are missing. The ELS translator says they should exist.

Distinguished Expert
Posts: 1,910
Registered: ‎06-06-2011
0 Kudos

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

Different hierarchy

user@switch# set switch-options interface interface-name persistent-learning

set interface interface-name interface-mac-limit limit packet-action <action>

Better yet

Limiting the Number of MAC Addresses Learned by a VLAN

To limit the number of MAC addresses learned by a VLAN, perform both of the following steps:

  1. Set the maximum number of MAC addresses that can be learned by a VLAN, and specify an action that the switch takes after the specified limit is exceeded:
    [edit vlans]
    user@switch# set vlan-name switch-options mac-table-size limit packet-action action
  2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the VLAN, and specify an action that the switch takes after the specified limit is exceeded:
    [edit vlans]
    user@switch# set vlan-name switch-options interface interface-name interface-mac-limit limit packet-action action
    [edit vlans]
    user@switch# set vlan-name switch-options interface-mac-limit limit packet-action action
    ***********************
    Be sure to mark solutions as resolved if they resolve the issue!
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]