
EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

  • 1.  EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-11-2017 03:25

    I'm new to Juniper devices, so please tell me if I'm being an idiot. I'm trying to configure an EX4300 switch with an allowed-mac list to limit what devices can connect. This appeared to be quite straightforward according to these:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10866
    http://www.juniper.net/documentation/en_US/junos10.2/topics/task/configuration/port-security-cli.html

    However, ethernet-switching-options appears to have been deprecated (?) and replaced with switch-options, but there doesn't appear to be an allowed-mac equivalent.

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/getting-started-els.html#jd0e499

    Having looked at this PDF:

    http://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/ex4300/port-security.pdf

    It appears that Chapter 6, Configuring MAC Limiting, doesn't reference configuring an allowed MAC list via the CLI, only via the J-Web interface. I don't have the luxury of the latter right now and so need to do this via the CLI.
    Does anybody know how to do this via the CLI, or what the exported config should look like? Of course maybe I've completely misinterpreted this, so feel free to flag that as well.

    Any help would be appreciated.



  • 2.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

     
    Posted 06-11-2017 09:41

    Hello,

    Page 95 of the same document shows the CLI procedure for the same.

    You can search for "Configuring MAC Limiting (CLI Procedure)".

    Regards,

    Rushi



  • 3.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-11-2017 13:52
     
    I have spent the last 4 hours searching for this configuration statement, and not only am I disappointed, I am angry at having to spend so much time trying to find an answer to this query. Unfortunately I don't have an ELS switch at my disposal, where I could use the help to find it. Here is some information I have found, but not the configuration needed or requested. So if you have access to a 4300, could you enable this feature and paste the CLI statements in your response, so others can see it? Also, Juniper needs to modify the document and add the specific CLI statement.
     
    With MAC limiting, you limit the MAC addresses that can be learned on Layer 2 access interfaces by either limiting the number of MAC addresses or by specifying allowed MAC addresses.
    • Specifying allowed MAC addresses—You configure the allowed MAC addresses for an interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. An allowed MAC address is bound to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.
    Allowed MAC List: Specifies the MAC addresses that are allowed for the interface
    MAC limiting is configured on Layer 2 interfaces
    To add a MAC address:
    1. Click Add.
    2. Enter the MAC address.
    3. Click OK

    Page 95
    NOTE: On a QFX Series Virtual Chassis, if you include the shutdown option at the
    [edit vlans vlan-name switch-options interface interface-name interface-mac-limit packet-action]

    hierarchy level and issue the commit operation, the system generates a commit error. The system does not
    generate an error if you include the shutdown option at the

    [edit switch-options interface interface-name interface-mac-limit packet-action]

    hierarchy level.

    Page 96
    [edit switch-options]
    user@switch# set interface interface-name interface-mac-limit limit packet-action <action>
    [edit vlans]
    user@switch# set vlan-name switch-options mac-table-size limit packet-action <action>
    drop|drop-and-log|log|none|shutdown |- recovery-timeout
    page 100
    [edit vlans vlan-name switch-options]
    user@switch# set mac-move-limit limit
    As an alternative to using persistent MAC learning with MAC limiting, you can statically configure each MAC address on each port or allow.
    [edit switch-options]
    user@switch# set interface interface-name persistent-learning
    To enable MAC limiting on one or more interfaces using the J-Web interface:
    1. Select Configure>Security>Port Security.
    2. Select one or more interfaces from the Interface List.
    3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
    ...
    To add allowed MAC addresses:
    1. Click Add.
    2. Type the allowed MAC address and click OK.
    Repeat this step to add more allowed MAC addresses.
    6. Click OK when you have finished setting MAC limits.
    7. Click OK after the configuration has been successfully delivered.
     
    ALL KINDS OF CLI STATEMENTS FOUND EXCEPT "ALLOWED MAC ADDRESS" Statement!!!


  • 4.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

     
    Posted 06-12-2017 00:35

    Hello All,

    Can you try something like this?

    set vlans [vlan-name] switch-options interface [interface-name] interface-mac-limit 2
    set vlans [vlan-name] switch-options interface [interface-name] interface-mac-limit packet-action drop-and-log
    set vlans [vlan-name] switch-options interface [interface-name] static-mac <mac-address>
    set vlans [vlan-name] switch-options interface [interface-name] static-mac <mac-address>

    Regards,

    Rushi



  • 5.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-17-2017 19:43

    Hi

    There is an allowed-mac config in ethernet-switching-options; is this not working?

    set ethernet-switching-options secure-access-port interface MACSEC allowed-mac 00:13:72:71:8a:32

    Thanks

    Partha



  • 6.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-20-2017 13:33
    Take a look at the complete discussion. The hierarchy "ethernet-switching-options secure-access-port" is not available on ELS, as already observed in the discussion and the links to Juniper documents.


  • 7.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-12-2017 03:26

    Hi lyndidon,
    Thanks for proving I'm not going mad and for putting in those 4 hrs of effort trying to find these commands, which is above and beyond what I expected.

    So I managed to obtain a spare EX4300 with no config and enabled J-Web as suggested, added in some allowed MAC addresses and then dumped the config via the CLI. So the main entries, as far as I can see, are as follows:


    interfaces {
        ge-0/0/1 {
            apply-macro juniper-port-profile {
                Desktop;
            }
            ether-options {
                source-address-filter {
                    <mac address1>;
                    <mac address2>;
                }
            }
        }
    }

    ..............

    switch-options {
        interface ge-0/0/1.0 {
            interface-mac-limit {
                2;
                packet-action drop;
            }
        }
    }

    I already had entries in the switch-options for interface-mac-limit, but the ether-options / source-address-filter was new to me and to be honest I haven't had time to properly research them yet. As I'm trying to use groups to


    groups {
        banana-user-access {
            interfaces {
                <ge-0/0/*> {
                    ether-options {
                        source-address-filter {
                            <mac address1>;
                            <mac address2>;
                            etc .....

    -------

    interfaces {
        interface-range access_ports {
            member-range ge-0/0/0 to ge-0/0/48;
        }
        ge-0/0/0 {
            apply-groups banana-user-access;
        }
        ge-0/0/1 {
            apply-groups banana-user-access;
        }
        etc .....

    -------

    switch-options {
        interface ge-0/0/0.0 {
            interface-mac-limit {
                55;
            }
        }
        interface ge-0/0/1.0 {
            interface-mac-limit {
                55;
            }
        }
        etc .....

    -------


    I committed the above config and it was successfully loaded. However, upon testing, the MAC I didn't configure was still allowed to access the network.

    I'm therefore not sure if:

    1. It can be configured and applied in a group statement.
    2. I have missed some other configuration that is needed.
    3. I didn't drop any caches before the commit/testing so there is a chance the mac might still be cached?
    4. Is <ge-0/0/*> a valid way to wildcard a range of interfaces (this is an inherited config)? I have used wildcard range to successfully set the switch-options, but not with an * within the interface settings using the set command. I assume it must be valid or it wouldn't have committed?

    For your awareness, I've inherited this config and therefore I'm slightly hesitant to change it too much, as until today I haven't had physical access to the switches, just remote, and they are live providing a service to a project.

    Rtllak, as these are live switches I have to perform testing OOH, or I will need to use the spare EX4300 to create a test environment for this. This will probably take some time, but I will try the example you gave as soon as I can.

    As lyndidon has stated, it would be good for Juniper to update their documentation to show how this can be done from the CLI.



  • 8.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-14-2017 11:56

    This is what I want to know: did you do this? Adding the static MAC address adds it to the Ethernet switching table, but to limit MACs it needs secure-access-port, which is not available. So when these steps are followed, I would like to know what additional hierarchy is now visible.

    1. Select Configure>Security>Port Security.<=======???????? Need to see what else has changed
    2. Select one or more interfaces from the Interface List.
    3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
    ...
    To add allowed MAC addresses:
    1. Click Add.
    2. Type the allowed MAC address and click OK.
    Repeat this step to add more allowed MAC addresses.
    6. Click OK when you have finished setting MAC limits.
    7. Click OK after the configuration has been successfully delivered

    When you enable this feature, you would just need to clear the Ethernet switching table of the MAC addresses on the defined port. Any MAC addresses learned will not be affected until they are flushed out of the Ethernet switching table.

    Also, all you have to do is change the MAC address of your test device (google it :)) to one that is not yet learned and try connecting on the port where security has been enabled.
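    The point above about stale entries is easy to check before and after a `clear ethernet-switching table`: parse the `show ethernet-switching table` output and list every MAC learned on a secured port that is not on that port's allowed list. The script below is an added example, not code from the thread or from Juniper; the table text is constructed and only loosely follows the ELS output layout, and the allowed lists are a made-up policy built from the addresses quoted in this thread.

```python
"""Audit a Junos 'show ethernet-switching table' dump against per-port allowed-MAC lists.

Added example (not from the thread). SAMPLE_TABLE is constructed text that
loosely follows the ELS table layout; ALLOWED is a constructed policy."""
import re
from collections import defaultdict

# Constructed sample output, modelled on the ELS switching-table layout.
SAMPLE_TABLE = """\
MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static)

Ethernet switching table : 4 entries, 4 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical
    name                address             flags              interface
    default             00:05:85:3a:82:80   D             -   ge-0/0/2.0
    default             00:13:72:71:8a:32   D             -   ge-0/0/2.0
    default             00:00:00:11:11:11   S             -   ge-0/0/1.0
    default             aa:bb:cc:dd:ee:ff   D             -   ge-0/0/1.0
"""

# Constructed per-port policy: physical interface -> set of allowed MACs.
ALLOWED = {
    "ge-0/0/1": {"00:00:00:11:11:11"},
    "ge-0/0/2": {"00:05:85:3A:82:80"},
}

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")
# One table row: vlan, mac, flags, age, logical interface.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<flags>\S+)\s+(?P<age>\S+)\s+(?P<ifl>\S+)\s*$"
)


def normalize_mac(mac):
    """Lower-case colon form, so 00:05:85:3A:82:80 and 00:05:85:3a:82:80 compare equal."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC: {mac!r}")
    return mac


def parse_switching_table(text):
    """Return {physical_interface: {mac: flags}} from the table text.

    Header and legend lines never have a 17-character hex/colon token in the
    second column, so they fail ENTRY_RE and are skipped."""
    learned = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or not MAC_RE.match(m.group("mac")):
            continue
        phys = m.group("ifl").split(".")[0]  # ge-0/0/2.0 -> ge-0/0/2
        learned[phys][normalize_mac(m.group("mac"))] = m.group("flags")
    return dict(learned)


def audit(table_text, allowed):
    """Return {interface: sorted MACs learned on it that are not allowed}.

    Only interfaces named in `allowed` are checked. An empty list means the
    port's table already matches policy; a non-empty list names the entries
    that survive until they age out or the table is cleared."""
    learned = parse_switching_table(table_text)
    report = {}
    for ifname, macs in allowed.items():
        want = {normalize_mac(m) for m in macs}
        have = set(learned.get(ifname, {}))
        report[ifname] = sorted(have - want)
    return report


if __name__ == "__main__":
    for port, stale in audit(SAMPLE_TABLE, ALLOWED).items():
        status = "OK" if not stale else "not on allowed list: " + ", ".join(stale)
        print(f"{port}: {status}")
```

    Feed it the real command output instead of SAMPLE_TABLE and the allowed lists from your own configuration; any address it reports on a port is one that was learned before the filter took effect (or one the filter is not actually matching), which is exactly the distinction the testing problem in post 7 turns on.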



  • 9.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-20-2017 13:53

    Finally! I hope this is the solution!


    OMG!! It took using the ELS translator to find the correct way to enable this feature
    Junos
    set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
    ELS
    set interfaces ge-0/0/2 unit 0 accept-source-mac mac-address 00:05:85:3A:82:80

     

    Use the ELS translator for the options you cannot find. Paste the Junos config and it will translate
    https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp
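    For the two statements this thread actually pins down, the legacy-to-ELS rewrite is mechanical enough to script, which is handy when a whole inherited config has to be migrated. The following is an added example, not Juniper's ELS translator and not code from any poster: it maps `allowed-mac` to `accept-source-mac mac-address` as shown in the post above, and maps the per-interface `mac-limit` to the `switch-options interface ... interface-mac-limit` hierarchy given later in the thread (rather than the `accept-source-mac mac-limit` form the translator emits, which one poster reports as missing). The `unit 0` / `.0` logical unit and the legacy `mac-limit N action A` input syntax are assumptions of this example.

```python
"""Translate legacy secure-access-port statements into ELS equivalents.

Added example, not the Juniper ELS translator. The mapping encodes only what
this thread shows; 'unit 0' / '.0' and the legacy mac-limit syntax are assumed."""
import re

LEGACY_ALLOWED_RE = re.compile(
    r"^set ethernet-switching-options secure-access-port interface (?P<ifd>\S+) allowed-mac (?P<mac>\S+)$"
)
LEGACY_LIMIT_RE = re.compile(
    r"^set ethernet-switching-options secure-access-port interface (?P<ifd>\S+) "
    r"mac-limit (?P<limit>\d+)(?: action (?P<action>\S+))?$"
)
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

# packet-action keywords listed on the ELS side of this thread.
ACTIONS = {"drop", "drop-and-log", "log", "none", "shutdown"}


def normalize_mac(mac):
    """Lower-case colon form; Junos accepts either case, this keeps diffs stable."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC: {mac!r}")
    return mac


def translate_line(line, unit=0):
    """Translate one legacy 'set' line into a list of ELS 'set' lines.

    Raises ValueError for anything outside the two statements this example knows,
    so unknown statements are surfaced instead of silently dropped."""
    line = " ".join(line.split())  # collapse stray whitespace
    m = LEGACY_ALLOWED_RE.match(line)
    if m:
        return [
            f"set interfaces {m['ifd']} unit {unit} accept-source-mac "
            f"mac-address {normalize_mac(m['mac'])}"
        ]
    m = LEGACY_LIMIT_RE.match(line)
    if m:
        ifl = f"{m['ifd']}.{unit}"
        out = [f"set switch-options interface {ifl} interface-mac-limit {m['limit']}"]
        if m["action"]:
            if m["action"] not in ACTIONS:
                raise ValueError(f"unknown action {m['action']!r}")
            out.append(
                f"set switch-options interface {ifl} interface-mac-limit "
                f"packet-action {m['action']}"
            )
        return out
    raise ValueError(f"no ELS mapping known for: {line!r}")


def translate(legacy_text, unit=0):
    """Translate a block of legacy set commands, skipping blank and '#' comment lines."""
    els = []
    for raw in legacy_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        els.extend(translate_line(raw, unit))
    return els


# Constructed legacy snippet using the addresses quoted in this thread.
LEGACY = """
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:13:72:71:8a:32
set ethernet-switching-options secure-access-port interface ge-0/0/2 mac-limit 2 action drop
"""

if __name__ == "__main__":
    print("\n".join(translate(LEGACY)))
```

    Running it on the constructed snippet produces two `accept-source-mac mac-address` lines and two `switch-options interface ge-0/0/2.0 interface-mac-limit` lines; anything it cannot map is raised rather than guessed, so a migration diff never quietly loses a port-security statement.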



  • 10.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-27-2017 13:22

    @lyndidon wrote:

    ELS
    set interfaces ge-0/0/2 unit 0 accept-source-mac mac-address 00:05:85:3A:82:80

    Use the ELS translator for the options you cannot find. Paste the Junos config and it will translate
    https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp


    This works, but the commands

    set interfaces ge-0/0/0.0 unit 0 accept-source-mac mac-limit 2 action drop

    set interfaces ge-0/0/0.0 unit 0 accept-source-mac persistent-learning

    are missing. The ELS translator says they should exist.



  • 11.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 06-27-2017 13:59

    Different hierarchy

    user@switch# set switch-options interface interface-name persistent-learning

    set interface interface-name interface-mac-limit limit packet-action <action>

    Better yet

    Limiting the Number of MAC Addresses Learned by a VLAN

    To limit the number of MAC addresses learned by a VLAN, perform both of the following steps:

    1. Set the maximum number of MAC addresses that can be learned by a VLAN, and specify an action that the switch takes after the specified limit is exceeded:
      [edit vlans]
      user@switch# set vlan-name switch-options mac-table-size limit packet-action action
    2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the VLAN, and specify an action that the switch takes after the specified limit is exceeded:
      [edit vlans]
      user@switch# set vlan-name switch-options interface interface-name interface-mac-limit limit packet-action action
      [edit vlans]
      user@switch# set vlan-name switch-options interface-mac-limit limit packet-action action
      ***********************
      Be sure to mark solutions as resolved if they resolve the issue!


  • 12.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

     
    Posted 04-01-2019 07:06

    Hi,

    Try the accept-source-mac knob.

    Sample configuration:

    configuration-mode#set interfaces ge-0/0/1 unit 0 accept-source-mac mac-address 00:00:00:11:11:11

    Please let me know if this helps!



  • 13.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 11-06-2023 16:46

    Hi,

    But what if I want to set 2 allowed MAC addresses on an interface? How should I do this? I know that with other vendors this is possible to configure.

    Regards,



    ------------------------------
    LUIZ HENRIQUE CUNHA
    ------------------------------



  • 14.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 11-06-2023 16:46

    Any thoughts?



    ------------------------------
    LUIZ HENRIQUE CUNHA
    ------------------------------



  • 15.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 11-06-2023 17:21

    Hi Luis, 

    If you know the MAC addresses that you want to attach to the interfaces, can you try the below commands: 

    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface <interface> allowed-mac <MAC address>
    user@switch# set interface <interface> allowed-mac <MAC address>

    If you want to just set a limit on the interface, can you use: 

    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface <interface> limit 2

    HTH,



    ------------------------------
    Ethan Jackson
    ------------------------------



  • 16.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 11-07-2023 09:18

    Hi Ethan. Thanks for the answer.

    My switch doesn't have the "ethernet-switching-options" knob. It only has "switch-options". Maybe because it is ELS?

    Any considerations?

    Regards,



    ------------------------------
    LUIZ HENRIQUE CUNHA
    ------------------------------



  • 17.  RE: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

    Posted 11-11-2023 05:12

    Hi Luis, 

    I have just come across this documentation from Junos; it might be worth reading through this (if not done already) and seeing if it provides you with what you need:

    https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/configuring-mac-limiting.html

    HTH,



    ------------------------------
    Ethan Jackson
    ------------------------------