Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Port Security - Limit Interfaces to specific MAC addresses

    Posted 08-17-2021 19:14
    Hi,

    I have an EX2300 switch with a few connected PCs. The PCs are in a public area, and are sometimes left unattended.
    I would like to prevent someone from disconnecting a PC from the network, and attaching their own device.

    I realize that 802.1x is the ultimate solution here, but we're not quite ready to deploy that yet.
    For now, I'd just like to limit the interface to specific MAC addresses.

    So far, I can't find out how that's done.

    I found this article, but it seems limited to the MAC count in ELS. Specifying which MACs are allowed only has config for non-ELS.
    Any ideas on how I can do this?

    Configuring MAC Limiting


    Thanks


  • 2.  RE: Port Security - Limit Interfaces to specific MAC addresses

     
    Posted 08-18-2021 05:17
    Hi,

    To allow the interface to receive packets from specific MAC addresses, include the accept-source-mac statement, which is valid for aggregated Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces only.

    [edit interfaces interface-name unit logical-unit-number]
    accept-source-mac {
        mac-address mac-address;
    }

    Please find the reference link: https://www.juniper.net/documentation/us/en/software/junos/interfaces-ethernet/topics/ref/statement/accept-source-mac-edit-interfaces.html

    Hope this helps

    -Ajo Thomas


  • 3.  RE: Port Security - Limit Interfaces to specific MAC addresses

    Posted 08-18-2021 19:48
    That appears to work, thanks


  • 4.  RE: Port Security - Limit Interfaces to specific MAC addresses

    Posted 08-18-2021 20:03
    That appears to work, thanks!


  • 5.  RE: Port Security - Limit Interfaces to specific MAC addresses

    Posted 08-18-2021 05:37
    Heya,

    These are the two different configurations you will need. One with ELS and one non-ELS.

    ELS:
    # set interfaces ge-x/x/x unit x accept-source-mac mac-address xx:xx:xx:xx:xx:xx
    # set vlans xxx forwarding-options dhcp-security group xxxx interface ge-x/x/x unit x (You can specify your own group name here)

    Non-ELS:
    # set ethernet-switching-options secure-access-port interface ge-0/0/0 allowed-mac xx:xx:xx:xx:xx:xx

    Cheers,
    Julian
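
Added example (not part of the original posts and not Juniper code): a small generator that turns a port-to-MAC inventory into the MAC-allowlist `set` lines quoted above, in either the ELS or non-ELS form, while rejecting malformed or group (multicast/broadcast) addresses and ports with an empty allowlist. The function names, the sample inventory, the interface-name pattern and the default unit 0 are assumptions made for illustration; the dhcp-security line is not generated.

```python
import re

# Constructed sample inventory: port -> MACs allowed to send traffic on it.
SAMPLE_ALLOWLIST = {
    "ge-0/0/1": ["00-1B-44-11-3A-B7"],
    "ge-0/0/2": ["001b.4411.3ab8", "00:1b:44:11:3a:b9"],
}

# Accepted input spellings: aa:bb:.. / aa-bb-.. / aabb.ccdd.eeff / aabbccddeeff
_MAC_FORMS = re.compile(
    r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|[0-9a-f]{12}"
)

def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    text = mac.strip().lower()
    if not _MAC_FORMS.fullmatch(text):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = re.sub(r"[.:-]", "", text)
    if int(digits[:2], 16) & 1:
        # I/G bit set: a group address is never a legitimate source MAC.
        raise ValueError(f"group address cannot be a source MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def allowlist_commands(allowlist, els=True, unit=0):
    """Build the 'set' lines in the two forms quoted in the thread."""
    commands = []
    for port in sorted(allowlist):
        # Assumed name pattern; also keeps stray whitespace out of the config.
        if not re.fullmatch(r"[a-z]+-\d+/\d+/\d+", port):
            raise ValueError(f"unexpected interface name: {port!r}")
        macs = sorted({normalize_mac(m) for m in allowlist[port]})
        if not macs:
            # Emitting nothing would silently leave the port unrestricted.
            raise ValueError(f"{port}: empty allowlist")
        for mac in macs:
            if els:
                commands.append(f"set interfaces {port} unit {unit} "
                                f"accept-source-mac mac-address {mac}")
            else:
                commands.append("set ethernet-switching-options secure-access-port "
                                f"interface {port} allowed-mac {mac}")
    return commands

if __name__ == "__main__":
    print("\n".join(allowlist_commands(SAMPLE_ALLOWLIST)))
```
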


  • 6.  RE: Port Security - Limit Interfaces to specific MAC addresses

    Posted 08-18-2021 19:48
    This looks like it will work, thanks