Yes it is possible. Post your filter. As the article indicates you can add hundreds of terms and filters with basically line speed performance.
your firewall should have two terms:
term 1
match from <allowed IP>
then accept
Term 2
then discard
Apply as input filter on source interface
Finally! I hope this is rthe solution!
OMG!! It took using the ELS translator to find the correct way to enable this feature
Junos
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
ELS
set interfaces ge-0/0/2 unit 0 accept-source-mac mac-address 00:05:85:3A:82:80
Use the ELS translator for the options you cannot find. Paste the Junos config and it will translate
https://www.juniper.net/customers/support/configtools/elstranslator/index.jsp
Hi,
I finally updated the JUNOS to the latest version and it worked fine (using your configuration)
Thank you for your help
Ezequiel
You can configure unknown-unicast-forwarding on EX4200 to get to know more information.
Thanks
Arul
Any filter I add, seems to stops packet flow for everything all together!
Maybe I need a filter to Allow All initially? Then the rest of the filters?
Here's the only filter I added testing just now:
Filter Type: Port/VLAN
Port Associations: None
VLAN Associations: Ingress (to my main VLAN)
Protocol: TCP
Source= IP 10.255.1.1 /32
Destination = Port 445
Accept
Just trying to block 445 for all layer2 traffic except from 1 IP.
It is much easier to help when you provide the configuration that you have applied. Also be very clear in explaining what you want to achieve. If using the GUI, their is an option to display the text. Please copy and pastre it in the comments.
So you want to all traffic to
allow destination port 445 for Source= IP 10.255.1.1/32
block destination port 445 for Source= IP all others
allow all other traffic for all devices
[edit firewall family ethernet-switching filter block-dest-port-445]
set term accept-IP from destination-port 445
set term accept-IP from protocol tcp
set term accept-IP from source-address 10.255.1.1/32
set term accept-IP then accept
set term block-IP from destination-port 445
set term block-IP from protocol tcp
set term block-IP from source-address 0/0
set term block-IP then discard
set term accept-all-IP then accept
top set vlans <vlan_name> filter input block-dest-port-445
Remember these are one way filters. If you want to regulate traffic in the opposite direction you need to create another using destination-address and apply it as an output filter on the said vlan(s)
Hi,
Not sure if I understand you fully - if i set a port for unknown-unicast-forwarding it will stop flooding unknown unicast to other ports - possibly braking comunication...
Regards,
Pawel
This is more like a security feature.
When you configure unknown-unicast forwarding for a VLAN and destine it to a interface, no matter what port the traffic comes in that particular VLAN with the destination MAC is not known to the switch, it will forward it to a specific port which is specified rather than flooding it.
Thanks
Arul
But how it can help me with my problem? I need to learn what level of flooding is there, and maybe find what MAC addresses are involved.
Regards,
Pawel
The show ethernet-switching table command shows that an unknown unicast packet is received on interface.
Check the link which i pasted before.
Thanks
Arul
Then as I said before - if i set a port for unknown-unicast-forwarding it will stop flooding unknown unicast to other ports - possibly braking comunication.
Regards,
Pawel
Great. I'll give this a try. Thanks
try this:
>show interfaces <name> extensive | match packets
You can specify an interface name of leave it off. This should show you multicast, unicast and broadcast
Now that will not tell you if it is excessive, since excesive would be dependent on the particular network. You would need some other network monitoring device to check traffic types over a period of time and at different time intervals to see the levels. It would also of coure depends on if the particular environment is using applications that generate these types of traffic.
Hi Chris,
Yes. There is issue in 15.1R5 Junos version for temperature failing in EX2200 device.
Please find PR details which is fixed in 15.1R6 Junos version.
PR 1255421 - Temperature sensor failing / EX2200 Version 15.1R5
however there are Memory Leak issues in 15.1R5/R6 for legacy EX devices. Hence it is better to wait for the fix.
Hi,
Have you already done the steps mentioned in the below KB article?
https://kb.juniper.net/InfoCenter/index?page=content&id=KB18951&act=login
Hi ,
Few legacy EX devices wont support egress filter which is hardware limitation.
May i know which model of juniper device you are using.
Hello,
There is software architecture change between 12.x and 15.1 Junos version.
May i know if there is any impact or issues after upgrade?
Hello,
Could you please use the below configuration and update the status?
set protocols iccp local-ip-addr 1.1.1.2
set protocols iccp peer 1.1.1.1 session-establishment-hold-time 50
set protocols iccp peer 1.1.1.1 backup-liveness-detection backup-peer-ip 30.30.30.2
set protocols iccp peer 1.1.1.1 liveness-detection minimum-interval 300
set protocols iccp peer 1.1.1.1 liveness-detection transmit-interval minimum-interval 300
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp system-id 00:00:00:00:00:01
set interfaces ae0 aggregated-ether-options lacp admin-key 1
set interfaces ae0 aggregated-ether-options mc-ae mc-ae-id 1
set interfaces ae0 aggregated-ether-options mc-ae chassis-id 1
set interfaces ae0 aggregated-ether-options mc-ae mode active-active
set interfaces ae0 aggregated-ether-options mc-ae status-control standby
set interfaces ae0 aggregated-ether-options mc-ae init-delay-time 30
set interfaces ae0 aggregated-ether-options mc-ae events iccp-peer-down
Hi,
I have 2 QFX10002 switches CORE, already with ICCP/ICL configured.
I have 2 QFX10002 switches DISTRIBUTION, already with ICCP/ICL configured.
ICCP/ICL is ok.
I wan to connect them like this schema, with "HA" features. How can I configure MCLAG to MCLAG in this case ?
I don't find any doc for this architecture in Juniper website.
Do I have to configure one ae on CORE with my four interfaces ? two ae? Witch ports in this ae ? One MCLAG id ?
Is someone has already design and configure this kind of architecture?
Thank you
