[SRX] How to allow particular MAC address and block all other MAC addresses on SRX ethernet-switching interface

Article ID: KB27727
KB Last Updated: 08 Oct 2013
Version: 1.0
Summary:

This article describes how a user can limit access from a specific device using the MAC-address on an Ethernet-switching interface of the SRX Series Services Gateways.

Symptoms:

This article describes how a user can limit access on an Ethernet-switching interface of the SRX Series Services Gateways to a specific device, identified by its MAC address.

Cause:

Solution:
The Media Access Control (MAC) limiting feature protects against flooding of the Ethernet switching table on the SRX Series Services Gateways. The MAC limiting feature restricts access to particular MAC addresses: once an allowed-mac list is configured, only the specified MAC addresses can be learned on that ethernet-switching interface (port).

Sample configuration:

root@SRX-240# show interfaces 
ge-0/0/0 {
    unit 0 {
        family ethernet-switching;
    }
}

root@SRX-240# show ethernet-switching-options 
secure-access-port {
    interface ge-0/0/0.0 {
        allowed-mac 00:23:18:10:a6:8b;
    }
}

As shown in the configuration above, the allowed-mac address on interface ge-0/0/0 is 00:23:18:10:a6:8b. Any other device with a different MAC address is not allowed to communicate in the secure network through this interface.

Sample output:

* When the connected device has MAC address 00:23:18:10:a6:8b:

root@SRX-240# run show ethernet-switching table 
Ethernet-switching table: 3 entries, 1 learned, 0 persistent entries
  VLAN              MAC address         Type         Age   Interfaces
  ndg               *                   Flood          -   All-members
  ndg               00:23:18:10:a6:8b   Learn          0   ge-0/0/0.0

* When the connected device has a different MAC address, 00:24:86:10:88:8b, which is not allowed under ethernet-switching-options:

root@SRX-240# run show ethernet-switching table           
Ethernet-switching table: 2 entries, 0 learned, 0 persistent entries
  VLAN              MAC address         Type         Age   Interfaces
  ndg               *                   Flood          -   All-members

The SRX did not learn that device's MAC address in its MAC table.

The syslog can also be checked for the "invalid MAC" error detected on interface ge-0/0/0 (shown here via show log sw_log):

May 19 13:56:04  SRX-240 mgd[1187]: UI_CMDLINE_READ_LINE: User 'root', command 'run show log sw_log '
May 19 13:56:03  SRX-240 eswd[7763]: ESWD_INVALID_MAC_ADDRESS: Invalid MAC address 00:24:86:10:88:8b received on ge-0/0/0.0
May 19 13:56:04  SRX-240 eswd[7763]: ESWD_INVALID_MAC_ADDRESS: Invalid MAC address 00:24:86:10:88:8b received on ge-0/0/0.0
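For monitoring, the ESWD_INVALID_MAC_ADDRESS messages above are the signal that a non-allowed device was plugged into a secured port. The following Python script is an added example (not part of the Juniper article and not a Juniper tool): it parses the secure-access-port stanza from "show ethernet-switching-options" into a per-interface allow-list, then scans sw_log-style lines and counts rejected MAC addresses per interface, cross-checking each rejected MAC against the allow-list. The config and log samples are constructed from the article's own output; the line formats are assumed to match what is printed there.

```python
import re
from collections import Counter

# Constructed sample: the secure-access-port stanza from the article, in the
# format printed by "show ethernet-switching-options" (assumed verbatim).
SAMPLE_CONFIG = """\
secure-access-port {
    interface ge-0/0/0.0 {
        allowed-mac 00:23:18:10:a6:8b;
    }
}
"""

# Constructed sample syslog lines modelled on the article's "show log sw_log" output.
SAMPLE_LOG = """\
May 19 13:56:04  SRX-240 mgd[1187]: UI_CMDLINE_READ_LINE: User 'root', command 'run show log sw_log '
May 19 13:56:03  SRX-240 eswd[7763]: ESWD_INVALID_MAC_ADDRESS: Invalid MAC address 00:24:86:10:88:8b received on ge-0/0/0.0
May 19 13:56:04  SRX-240 eswd[7763]: ESWD_INVALID_MAC_ADDRESS: Invalid MAC address 00:24:86:10:88:8b received on ge-0/0/0.0
"""

# "interface ge-0/0/0.0 {" inside the secure-access-port block
INTERFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*\{")
# "allowed-mac 00:23:18:10:a6:8b;"
ALLOWED_MAC_RE = re.compile(r"^\s*allowed-mac\s+([0-9a-fA-F:]{17});")
# the eswd message shown in the article
INVALID_MAC_RE = re.compile(
    r"ESWD_INVALID_MAC_ADDRESS: Invalid MAC address ([0-9a-fA-F:]{17}) received on (\S+)"
)


def parse_allowed_macs(config_text):
    """Return {interface: set of allowed MACs (lower-case)} from a secure-access-port stanza."""
    allowed = {}
    current = None
    for line in config_text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            allowed.setdefault(current, set())
            continue
        m = ALLOWED_MAC_RE.match(line)
        if m and current is not None:
            allowed[current].add(m.group(1).lower())
    return allowed


def find_violations(log_text, allowed):
    """Yield (mac, interface) for each ESWD_INVALID_MAC_ADDRESS line.

    The MAC is additionally checked against the parsed allow-list, so a message
    for a MAC that the config does allow (a stale log or a config drift) is skipped.
    """
    for line in log_text.splitlines():
        m = INVALID_MAC_RE.search(line)
        if not m:
            continue
        mac, ifname = m.group(1).lower(), m.group(2)
        if mac not in allowed.get(ifname, set()):
            yield mac, ifname


def summarize(log_text, config_text):
    """Count rejected MACs per interface: {(interface, mac): count}."""
    allowed = parse_allowed_macs(config_text)
    return Counter((ifname, mac) for mac, ifname in find_violations(log_text, allowed))


if __name__ == "__main__":
    # Expected on the sample data: ge-0/0/0.0: 00:24:86:10:88:8b rejected 2 times
    for (ifname, mac), n in summarize(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"{ifname}: {mac} rejected {n} times")
```

Feeding the script a real sw_log export and the current configuration gives a quick list of which ports saw unexpected devices and how often; a burst of rejections on a port that should only ever carry one known device is the condition worth alerting on.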
