family bridge {
    filter evil-mac-address {
        term one {
            from {
                source-mac-address 88:05:00:29:3c:de/48;
            }
            then {
                count evil-mac-address; # Counts frames with the bad source MAC address
                discard;
            }
        }
        term two {
            then accept; # Make sure to accept other traffic
        }
    }
}
2. Apply evil-mac-address as an input filter to vlan100200 on Router 1:
[edit routing-instances]
virtual-switch-R1-1 {
    bridge-domains {
        vlan100200 {
            domain-type bridge;
            forwarding-options {
                filter {
                    input evil-mac-address;
                }
            }
        }
    }
}
Related Documentation
• Layer 2 Firewall Filters
• Firewall Filters for Bridge Domains and VPLS Instances
• Example: Configuring Policing and Marking of Traffic Entering a VPLS Core
• Example: Configuring Filtering of Frames by IEEE 802.1p Bits
• Example: Configuring Filtering of Frames by Packet Loss Priority
Example: Configuring Filtering of Frames by IEEE 802.1p Bits
For the bridge and vpls protocol families only, MX Series router firewall filters can be
configured to provide matching on IEEE 802.1p priority bits in packets with VLAN tagging:
• To configure a firewall filter term that includes matching on IEEE 802.1p learned VLAN
priority (in the outer VLAN tag), use the learn-vlan-1p-priority or
learn-vlan-1p-priority-except match condition.
• To configure a firewall filter term that includes matching on IEEE 802.1p user priority
(in the inner VLAN tag), use the user-vlan-1p-priority or user-vlan-1p-priority-except
match condition.
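The following Python sketch is an added example, not part of the Juniper documentation. It shows where the two priority values sit in a frame: it walks up to two VLAN tags and returns the 802.1p bits of the outer and the inner tag, together with the source MAC address. The function names vlan_priorities and build_frame are hypothetical, and the sample frames are constructed.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q (C-tag) and 802.1ad (S-tag).
VLAN_TPIDS = {0x8100, 0x88A8}


def vlan_priorities(frame: bytes):
    """Return (source_mac, outer_pcp, inner_pcp) for one Ethernet frame.

    Each PCP is the 3-bit IEEE 802.1p value of that VLAN tag, or None when
    the frame does not carry the tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    source_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    pcps = []
    offset = 12  # first EtherType/TPID field, right after the two MACs
    while len(pcps) < 2:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before the EtherType")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in VLAN_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        pcps.append(tci >> 13)  # PCP is the top 3 bits of the 16-bit TCI
        offset += 4
    pcps += [None] * (2 - len(pcps))
    return source_mac, pcps[0], pcps[1]


def build_frame(source_mac: str, tags, ethertype=0x0800):
    """Build a constructed sample frame; tags is [(tpid, pcp, vlan_id), ...]."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex(source_mac.replace(":", ""))
    vlan = b"".join(struct.pack("!HH", t, (p << 13) | v) for t, p, v in tags)
    return dst + src + vlan + struct.pack("!H", ethertype) + b"\x00" * 46


if __name__ == "__main__":
    # Constructed frames: the source MAC is the one used on this page, the
    # VLAN IDs 100 and 200 and the priority values are sample values.
    mac = "88:05:00:29:3c:de"
    for tags in ([(0x88A8, 5, 100), (0x8100, 3, 200)], [(0x8100, 2, 100)], []):
        print(vlan_priorities(build_frame(mac, tags)))
```

For a single-tagged frame the sketch reports the only tag as the outer one and returns None for the inner priority; that is a choice made in this example, not a statement about how the router evaluates such frames.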
Copyright © 2012, Juniper Networks, Inc.
Chapter 9: Layer 2 Firewall Filters