Switching


Cisco-like port security on EX

  • 1.  Cisco-like port security on EX

    Posted 01-29-2020 07:26

    I know this topic has been discussed a bit, but I wasn't able to find anything that addresses my particular question.

     

    I'm wondering if there is any way to set up port security that behaves like Cisco's implementation. On a Cisco switch, we can configure the following lines:

     

    interface g1/0/1
     switchport port-security mac-address 3456.fea4.4a2b
     switchport port-security

    These ensure that only this MAC address can connect to the port, and the port will go err-disabled if another MAC address is detected. From what I can tell, we can do something similar on an EX:

     

    interfaces {
        ge-0/0/1 {
            description "ACCESS - ";
            unit 0 {
                accept-source-mac {
                    mac-address 34:56:fe:a4:4a:2b;
                }
            }
        }
    }
    switch-options {
        interface ge-0/0/1.0 {
            interface-mac-limit {
                1;
                packet-action shutdown;
            }
            persistent-learning;
        }
    }

    The "accept-source-mac" line does a fairly good job, but I couldn't find a way for that on its own to alert on a MAC that doesn't conform, it seems to just silently drop frames from MAC addresses not in the list given. Likewise, the switch-options config will simply shut the port down if more than 1 MAC address is detected at a time. If only 1 MAC address that wasn't in the "accept-source-mac" list connected, however, it would not alert but the switch would silently discard frames from it.

     

    Is there any way to either have the port shut down and alert on the actual MAC address being different, or to query some sort of log somewhere that mentions MAC addresses that aren't in the "accept-source-mac" list that are trying to communicate?



  • 2.  RE: Cisco-like port security on EX

     
    Posted 01-29-2020 07:41
    Hi Ian,

    There are packet actions "log" and "drop-and-log" which should help your requirement.

    root@ex4300# set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action ?
    Possible completions:
    drop Drop packets and do not learn. Default is forward
    drop-and-log Drop the packet and generate an alarm, an SNMP trap or a system log entry
    log Do not drop the packet but generate an alarm, an SNMP trap or a system log entry
    none Forward the packet
    shutdown Disable the interface and generate an alarm, an SNMP trap or a system log entry
    {master:0}[edit]

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 3.  RE: Cisco-like port security on EX

    Posted 01-29-2020 07:50

    Right, but that still only acts on the number of MAC addresses discovered on the interface, not the actual MAC address. So, in the case of only one MAC address connecting, but a MAC address that you don't want to be allowed to connect, it would not alert, since the number of MAC addresses detected is still only one.



  • 4.  RE: Cisco-like port security on EX

     
    Posted 01-29-2020 19:46

    Hi Ian,

     

    Could you check "show ethernet-switching mac-learning-log" and if mac-notification gives you any relevant log for the violation via SNMP?

    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-ethernet-switching-mac-learning-log-bridging-ex-series.html

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/mac-notification.html

     

    I'd expect the "mac-limit" and "accept-source-mac" combination to do the job with one of the above.  If it's not helping and only notifying on the MAC limit and not the incorrect MAC, that calls for an ER (Enhancement Request), I guess.  I'd double check this on a TAC case once and notify the SE (Sales/Systems Engineer); they can file one.

     

    Please keep us posted, if you will.

     

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).

     



  • 5.  RE: Cisco-like port security on EX
    Best Answer

    Posted 02-07-2020 10:54

    I was able to find a solution for this with the following config:

     

    switch-options {
        interface ge-0/0/7.0 {
            interface-mac-limit {
                2;
                packet-action shutdown;
            }
        }
    }
    vlans {
        VLAN1 {
            vlan-id 1903;
            switch-options {
                interface ge-0/0/7.0 {
                    static-mac 00:50:b6:80:29:7d;
                    static-mac 00:50:b6:80:29:7e;
                }
            }
        }
    }

    That seems to require that the MAC be either (or both) of those listed under the VLAN stanza, and if it's not, then the port will shut down and indicate that it has hit its limit in the output of "show ethernet-switching interface ge-0/0/7".
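As an added example (not from this thread, and not Juniper's own tooling), one way to get the alert the original poster asked for, naming the offending MAC rather than just "limit reached", is to compare the learned MAC table against the static-mac allow list from the accepted config. The sample table below is constructed to approximate the layout of `show ethernet-switching table` and is an assumption, as is the column order the parser relies on.

```python
import re
from typing import Dict, List, Set, Tuple

# Allow list taken from the accepted config in this thread: the static-mac
# entries configured under VLAN1 for ge-0/0/7.0.
ALLOWED: Dict[str, Set[str]] = {
    "ge-0/0/7.0": {"00:50:b6:80:29:7d", "00:50:b6:80:29:7e"},
}

# Constructed sample approximating 'show ethernet-switching table' on an ELS EX
# (an assumption about the layout, not captured output).
SAMPLE_TABLE = """\
Ethernet switching table : 4 entries, 2 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical                NH        RTR
    name                address             flags              interface              Index     ID
    VLAN1               00:50:b6:80:29:7d   S           -      ge-0/0/7.0             0         0
    VLAN1               00:50:b6:80:29:7e   S           -      ge-0/0/7.0             0         0
    VLAN1               3c:22:fb:12:34:56   D           -      ge-0/0/7.0             0         0
    VLAN1               00:1c:73:aa:bb:cc   D           -      ge-0/0/8.0             0         0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def parse_table(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (vlan, mac, flags, interface) for each entry row.
    Header and summary lines have no MAC in the second column and are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not MAC_RE.match(fields[1].lower()):
            continue
        rows.append((fields[0], fields[1].lower(), fields[2], fields[4]))
    return rows


def find_violations(text: str, allowed: Dict[str, Set[str]]) -> List[str]:
    """Report every MAC seen on a protected interface that is not in its allow list.
    Interfaces absent from 'allowed' are not port-secured and are left alone."""
    violations = []
    for vlan, mac, flags, interface in parse_table(text):
        if interface in allowed and mac not in allowed[interface]:
            violations.append(f"{interface} vlan {vlan}: unexpected MAC {mac} (flags {flags})")
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_TABLE, ALLOWED):
        print("PORT-SECURITY VIOLATION", v)
```

Feed it the real table output (for example, collected over NETCONF or SSH on a schedule) and forward the returned strings to syslog or an SNMP trap to get the per-MAC alert the thread says the switch does not emit on its own.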