SRX

Hi all,

 

may i know is it possible to block mac-address using zone-to-zone policy in SRX5800. If cannot use zone-to-zone then is it have other way to achived it using SRX5800 family inet.

 

Thanks and appreciate any fedback

You cannot do that on SRX running in inet mode. If it’s in Ethernet switching or bridge mode we may use L2 filters, but there as well policies cannot be used.

Hi kronicklez,

 

It is not possible to block MAC address via zone to zone policy as we use l3 addresses there.

However, you can use firewall filters to block them at interface level but with the family set as ethernet-switching and not inet;

root# show firewall family ethernet-switching
filter Test {
term 1 {
from {
source-mac-address {
00:10:00:00:00:00/16;
}
}
then discard;
}
term 2 {
then accept;
}
}

[edit]
root# show interfaces ge-0/0/2
unit 0 {
family ethernet-switching {
filter {
input Test;
}
}
}

 

 

Hi Ssn,

 

Thanks for the feedback

Hello,

In addition to what has been already said, changing MAC address is trivial on almost any modern OS:

1/ Windows and OS X https://www.online-tech-tips.com/computer-tips/how-to-change-mac-address/

if Your NIC does not support changing MAC via Windows GUI, use one of the freely available tools 

https://ccm.net/download/download-4685-etherchange

http://www.maxi-pedia.com/download+macshift

2/ iPhone from IOS 8 onwards supports MAC randomization

https://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac-address-randomization-feature-works-and-when-it-doesnt/

3/ ditto Android 

https://9to5google.com/2017/04/11/android-o-privacy-measures/

4/ Linux/UNIX

http://linuxg.net/3-ways-to-temporary-change-the-mac-address-in-linux-and-unix/

So, unless You are trying to block a MAC that belongs to a relatively dumb device like printer, I don't see how MAC blocking could be an effective security measure.

HTH

Thx

Alex