
EX2300 packet-action log

  • 1.  EX2300 packet-action log

    Posted 06-22-2020 02:37

    Hiya.

    I am fairly new at Junos so grateful for any help on the below:

    I am attempting to configure MAC security on access ports on my EX2300 (18.1R3) but I just want to trap the MAC violation and not shut down or drop the packet.

    According to the manual it is a simple case of doing the following:

    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action log

    The command takes but on a commit check I get the following:

    interface mac limit should be configured with drop/drop-and-log/shutdown action

    Does anyone know why I can't set a MAC limit of 1 and just log a violation?

    Is it a limitation of the firmware?

    Grateful for any help.


  • 2.  RE: EX2300 packet-action log
    Best Answer

    Posted 06-22-2020 02:44

    Hello yawksheer,

    Referencing the Juniper TechPub, "log" is not supported on the EX2300:

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-security-mac-move-limiting-cli-els.html

    You can choose to have one of the following actions performed when the MAC move limit is exceeded:

    • drop—(EX2300, EX3400 and EX4300) Drop the packet, but do not generate an alarm.

    • drop-and-log—(EX2300, EX3400 and EX4300 only) Drop the packet and generate an alarm, an SNMP trap, or a system log entry.

    • log—(EX4300 and EX9200) Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

    • none—(EX4300 and EX9200) Forward packets with new source MAC addresses, and learn the new source MAC address.

    So it seems you have to configure "drop", "drop-and-log" or "shutdown", not "log".
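    To catch this before pushing a config, here is an added Python example (not from this thread or from Juniper) that parses interface-mac-limit set statements and reports, per platform, the same objection the commit check raised. The EX2300 entry comes from the commit-check message and the quoted doc; the EX4300 entry is from the quoted doc with "shutdown" added as an assumption, and the regex and function names are mine.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# packet-action values each platform accepts for interface-mac-limit.
# EX2300: commit-check message in the question plus the quoted doc;
# EX4300: quoted doc, with "shutdown" added as an assumption.
SUPPORTED_ACTIONS: Dict[str, FrozenSet[str]] = {
    "EX2300": frozenset({"drop", "drop-and-log", "shutdown"}),
    "EX4300": frozenset({"drop", "drop-and-log", "log", "none", "shutdown"}),
}

# One Junos "set" statement of the shape used in the thread.
SET_RE = re.compile(
    r"^set switch-options interface (?P<ifd>\S+) interface-mac-limit "
    r"(?P<limit>\d+) packet-action (?P<action>\S+)$"
)

def parse_mac_limit(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (interface, limit, action), or None for any other line."""
    m = SET_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ifd"), int(m.group("limit")), m.group("action")

def check_mac_limit(platform: str, candidate: List[str]) -> List[str]:
    """Lint candidate set statements; one message per unsupported action,
    worded like the commit check so the operator sees the same objection."""
    allowed = SUPPORTED_ACTIONS[platform]
    findings: List[str] = []
    for line in candidate:
        parsed = parse_mac_limit(line)
        if parsed is None:
            continue  # not an interface-mac-limit statement
        ifd, _limit, action = parsed
        if action not in allowed:
            findings.append(
                f"{ifd}: interface mac limit should be configured with "
                f"{'/'.join(sorted(allowed))} action (got {action!r})"
            )
    return findings

if __name__ == "__main__":
    # Constructed candidate config: the asker's line plus a supported one.
    sample = [
        "set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action log",
        "set switch-options interface ge-0/0/1 interface-mac-limit 1 packet-action drop-and-log",
    ]
    for msg in check_mac_limit("EX2300", sample):
        print(msg)
```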



  • 3.  RE: EX2300 packet-action log

    Posted 06-22-2020 02:50

    Hi yawksheer,

    Greetings,

    As per my understanding, the MAC limit configuration sets a limit on the number of MAC addresses that can be learned from the interface; if it exceeds the threshold that you set (say, more than 1 MAC learnt on this interface), you need to specify whether to drop the packet, drop and log the occurrence, or shut down the port.

    This specification will allow the commit; otherwise it doesn't know what to do if the threshold limit is crossed.

    Try using any of the below to make it work:

    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action drop-and-log
    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action drop
    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action shutdown

    Use the link for understanding the configuration: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/packet-action-edit-bridge-domains-edit-protocols-l2-learning-edit-switch-options.html

    Hope this helps.

    Please mark "Accept as solution" if this answers your query.

    Kudos are appreciated too!

    Regards,

    Sharat Ainapur



  • 4.  RE: EX2300 packet-action log

    Posted 06-22-2020 03:15

    Hi yawksheer,

    As said in the replies above, this option is not available for your device model "EX2300"; however, you may use the following feature instead to help you monitor MAC learn/unlearn events and send SNMP traps for those events:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/mac-notification.html

    If this solves your problem, please mark this post as "Accepted Solution."