Hi lyndidon,
Thanks for proving I'm not going mad and for putting in that 4 hrs of effort trying to find these commands which is above and beyond what I expected.
So I managed to obtain a spare ex4300 with no config and enabled J-Web as suggested, added in some allowed MAC addresses and then dumped the config via the CLI. The main entries, as far as I can see, are as follows:
interfaces {
    ge-0/0/1 {
        apply-macro juniper-port-profile {
            Desktop;
        }
        ether-options {
            source-address-filter {
                <mac address1>;
                <mac address2>;
            }
        }
    }
}
..............
switch-options {
    interface ge-0/0/1.0 {
        interface-mac-limit {
            2;
            packet-action drop;
        }
    }
}
I already had entries in the switch-options for interface-mac-limit, but the ether-options / source-address-filter was new to me and, to be honest, I haven't had time to properly research it yet. As I'm trying to use groups to
groups {
    banana-user-access {
        interfaces {
            <ge-0/0/*> {
                ether-options {
                    source-address-filter {
                        <mac address1>;
                        <mac address2>;
                        etc .....
-------
interfaces {
    interface-range access_ports {
        member-range ge-0/0/0 to ge-0/0/48;
    }
    ge-0/0/0 {
        apply-groups banana-user-access;
    }
    ge-0/0/1 {
        apply-groups banana-user-access;
    }
    etc .....
-------
switch-options {
    interface ge-0/0/0.0 {
        interface-mac-limit {
            55;
        }
    }
    interface ge-0/0/1.0 {
        interface-mac-limit {
            55;
        }
    }
    etc .....
-------
I committed the above config and it was successfully loaded. However, upon testing, the MAC I didn't configure was still allowed to access the network.
I'm therefore not sure if:
1. It can be configured and applied in a group statement.
2. I have missed some other configuration that is needed.
3. I didn't drop any caches before the commit/testing, so there is a chance the MAC might still be cached.
4. <ge-0/0/*> is a valid way to wildcard a range of interfaces (this is an inherited config). I have used wildcard range to successfully set the switch-options, but not with an * within the interface settings using the set command. I assume it must be valid or it wouldn't have committed?
For your awareness, I've inherited this config and I'm therefore slightly hesitant to change it too much, as until today I haven't had physical access to the switches, only remote, and they are live providing a service to a project.
Rtllak, as these are live switches I have to perform testing OOH, or I will need to use the spare ex4300 to create a test environment for this. This will probably take some time, but I will try the example you gave as soon as I can.
As lyndidon has stated, it would be good for Juniper to update their documentation to show how this can be done from the CLI.
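The group-based configuration from the post, written out as set commands together with the checks that show whether the wildcard stanza actually reached the port and which MACs the switch has learned. This is an added example, not from the original post; the MAC addresses are constructed placeholders, and the group and interface names are the ones used above.

```junos
# Added example, not from the original post. Wildcard stanza inside a group,
# applied to one access port; the two MAC addresses are constructed placeholders.
set groups banana-user-access interfaces <ge-0/0/*> ether-options source-address-filter 00:10:94:00:00:01
set groups banana-user-access interfaces <ge-0/0/*> ether-options source-address-filter 00:10:94:00:00:02
set interfaces ge-0/0/1 apply-groups banana-user-access
set switch-options interface ge-0/0/1.0 interface-mac-limit 2
set switch-options interface ge-0/0/1.0 interface-mac-limit packet-action drop

# Still in configuration mode, before committing: expand the group and confirm
# that ge-0/0/1 really inherits the source-address-filter (inherited lines are
# annotated with the group they came from; if nothing appears, the wildcard
# did not match and the commit will succeed without filtering anything).
show interfaces ge-0/0/1 | display inheritance
commit check
commit

# In operational mode, after the commit: drop any entries learned before the
# filter existed, then watch what the port learns once the test host sends traffic.
clear ethernet-switching table interface ge-0/0/1.0
show ethernet-switching table interface ge-0/0/1.0
```

A MAC that was learned before the commit can keep forwarding until it ages out or is cleared, so clear the table for the port under test before deciding whether the filter is doing its job.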