SRX

hi all

Although on EX switches, i can do mac biding by applying filter as under:-

#set firewall family ethernet-swtiching filter abc term abc from source-mac-address  xxxxxxxxxx

However when i try to do same on SRX firewall, it does not show option ethernet-switching in family:

set firewall family ? (it shows options of inet and other but not ethernet swiching)...and if i select family inet, then in match condition from ? (does not give source-mac-address) i.e gives options related to ip addresses only...i need to put in some mac addresses under match condition

whats the solution??how to filter some specific source mac addreses on SRX firewall????

Hi there,

 

This is available in Junos 11.4.  See below:

 

http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/firewall-filter-stateless-match-conditions-address-fields.html

You can try following command.

 set firewall family bridge filter g term 1 from source-mac-address 00:00:00:00:00:01/48

hi tonyzhou.

.thnx for replying...

but i tried to find firewall family bridge but i did not find this option,, there were only ccc,inet, mpls,vpls... i was using SR 240 with version Junos 10.0R3.1...where will this bridge option be avaible ?? in some other upgraded version????

Hi,
 
Please implement mac binding on SRX using "ethernet-switching-options", e.g.
 
set ethernet-switching-options secure-access-port interface interface-trust allowed-mac 00:05:85:3A:82:80
set ethernet-switching-options secure-access-port interface interface-trust mac-limit 1 action drop
set ethernet-switching-options secure-access-port port-error-disable disable-timeout 60
. . . . . .
set vlan vlan-trust vlan-id 100
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member ge-0/0/2
. . . . . . . . . . .
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
 
regards

 

 

hi dear rasmus....

its done...thnx alot...

can u tell me reason,,,, i had earlier tried to adopt this aproach on srx 240, but i was unable to do it earlier....the ethernet-switching-option secure-access-port was aval on switch to bind mac,,but not on srx 240...wt was the reason???

plz guide

Hello,

 

I have MAC filtering enabled on SRX100 (set ethernet-switching-options secure-access-port interface fe-0/0/0.0 allowed-mac aa:bb:cc::dd:ee:ff)

 

If unauthorized user tries to connect a device, firewall will not allow the device. Where do I see the logs/error message about failed authentication/authorization ?

 

Thanks

Pramod

Hi,

 

Please read following KB article

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16531&actp=RSS

 

 

hi..thanx alot for refrering to 11.4,

, probably it will solve issue, however still im unable to download package 11.4 to use it... and even on 11.4 package, I have found either i will be required to do it in Web Managment or if in command line, then i will have to use family vpls...what is differnt in family vpls from family ethernet-switching.. i mean what else will it affect for me??/will i have to cater for something else aswell or just select family vpls and keep on doing what i could do with family ehternet-switching???

This is only Interface binding, not IP-MAC binding

hi fly-idea,

see first post, he is looking for MAC filtering using "set firewall filter", not dhcp-ip-mac binding ...

however, you were right in the sense that we chose the wrong terminology ... 🙂

regards