Ok, my use case is basically this.
I have 20 servers, 10 are my own and 10 are of my client.
For the 10 of my own, I do not want any restrictions.
For the 10 of my client, I want to lock a single IP to each one. However, at times when they do demand more IPs, I should be able to give them to them, locking n number of IPs to their port.
My current solution isn't the most elegant one, but works somewhat.
set ethernet-switching-options secure-access-port interface ge-0/0/22 static-ip IPADDRESS mac MA:CA:AD:DD:RE:SS vlan default
This is for port 22; the rest of the ports, which are my own servers, I have put in dhcp-trusted and enabled IP source guard, ARP inspection and the snooping table. That way dhcp-trusted ports work without restriction, and only the specified IPs and MAC work on the locked one.
BUT in this solution the problem is I can only apply 1 IP per MAC, not more than that, which is kind of a problem when the client requests more IPs.
------------------------------
HARSH JAIN
------------------------------
Original Message:
Sent: 07-28-2021 14:03
From: Unknown User
Subject: How to prevent users from changing the IP of the server connected to EX4200?
Hi, can you maybe share your use case in more detail on exactly what it is you need to achieve, and whether what you are trying to do is even scalable or feasible?
Original Message:
Sent: 07-28-2021 12:41
From: Unknown User
Subject: How to prevent users from changing the IP of the server connected to EX4200?
Yes you can, you just create another term with the same MAC and new IP. The larger picture however is that switch ACLs aren't the best way to enforce server-side policies -- you have to account for every traffic exception to your rule -- including DHCP, multicast, and, as you discovered, traffic will stop working after five minutes unless you allow ether-type arp in your filter.
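As an added example (not from this thread or any of its posters), this is the filter shape the reply above describes, on a non-ELS EX4200: one term that binds a MAC to several IPs at once, an ARP term ahead of it, and a final discard. Within a single term, different match conditions are ANDed and several values of the same condition are ORed, so two prefixes under source-address cover two IPs for the same MAC without a second term. The filter name, interface, MAC and addresses are placeholders.

```junos
/* Added example: bind one MAC to several IPs on a client-facing port.
   Filter name, interface, MAC and addresses are placeholders. */
firewall {
    family ethernet-switching {
        filter client-ge22 {
            /* Without this term the host's ARP frames are dropped and
               traffic stops once the gateway's ARP cache entry ages out. */
            term allow-arp {
                from {
                    ether-type arp;
                }
                then accept;
            }
            /* Conditions in one term are ANDed, values of one condition
               are ORed: the frame must carry this source MAC AND one of
               the listed source IPs. Add prefixes here when the client
               is given more IPs; no extra term is needed. */
            term allow-client {
                from {
                    source-mac-address {
                        00:11:22:33:44:55/48;
                    }
                    source-address {
                        192.0.2.10/32;
                        192.0.2.11/32;
                    }
                }
                then accept;
            }
            /* A host that gets its address via DHCP would also need a
               term permitting DHCP before this discard; static hosts
               do not. Everything else from the port is dropped. */
            term block {
                then discard;
            }
        }
    }
}
interfaces {
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input client-ge22;
                }
            }
        }
    }
}
```

The ARP term accepts every ARP frame without inspecting it, so this filter alone does not check that the host's ARP replies match its assigned IP; that is what the DHCP snooping, ARP inspection and IP source guard combination mentioned elsewhere in the thread covers.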
Original Message:
Sent: 07-28-2021 11:52
From: HARSH JAIN
Subject: How to prevent users from changing the IP of the server connected to EX4200?
I had to go down this route again. It works great but the only issue is that it's 1 IP per MAC. You cannot add more than 1 IP per MAC, which is kinda ridiculous.
It essentially means you cannot access a server with more than 1 IP.
------------------------------
HARSH JAIN
Original Message:
Sent: 07-27-2021 12:34
From: Stuart
Subject: How to prevent users from changing the IP of the server connected to EX4200?
Have you considered using secure-access-port under the ethernet-switching-options stanza? This is for non-ELS switching. I'm not certain where that is configured for ELS switches. With secure-access-port one can define the IP address and MAC address that belongs on a specific port. It may not achieve what you want, but may be worth a look.
------------------------------
Stuart
Original Message:
Sent: 07-27-2021 07:52
From: HARSH JAIN
Subject: How to prevent users from changing the IP of the server connected to EX4200?
Sorry, but this does not work.
set firewall family ethernet-switching filter usa10 term allow from source-mac-address MY:MA:AC:AD:DR:ES/48
set firewall family ethernet-switching filter usa10 term allow from source-address xxx.xxx.xxx.xxx/32
set firewall family ethernet-switching filter usa10 term allow then accept
set firewall family ethernet-switching filter usa10 term block then discard
I ran it, but I can still set any other IP in the range and it would work.
------------------------------
HARSH JAIN
Original Message:
Sent: 07-24-2021 11:51
From: STEVE PULUKA
Subject: How to prevent users from changing the IP of the server connected to EX4200?
On the ethernet port facing the device you could apply this filter to the interface input.
firewall {
    family ethernet-switching {
        filter name {
            term allow {
                from {
                    source-mac-address {
                        88:05:00:29:3c:de/48;
                    }
                    source-address {
                        1.1.1.1/32;
                    }
                }
                then accept;
            }
            term block {
                then discard;
            }
        }
    }
}
What I'm not sure about is that the term will evaluate as an AND condition or if it will be an OR condition letting all the mac address associations through.
But in your case maybe the ip address alone will accomplish what you want.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 07-21-2021 14:39
From: HARSH JAIN
Subject: How to prevent users from changing the IP of the server connected to EX4200?
I want to know how I can assign 1 IP (or multiple IPs) to a specific MAC address on my Juniper switch.
So that if the user changes the IP from within the range, the switch would refuse it.
Example: 1.1.1.1 is the allotted IP. Currently, if the client changes it to 1.1.1.2, it would be accepted and work. I do not want to allow that; any idea how to?
I tried IP source guard, but whenever I activate that my whole switch goes down. I do not want to create subnets; I want to give 1 IP to 1 dedicated server while using 1 single gateway.
Any help would be appreciated, thank you.
PS: My network (internet wire) is connected to port 47, which is within my VLAN.
------------------------------
HARSH JAIN
------------------------------