Cisco Sticky Mac vs Juniper Persistant-Mac

Tags: cisco, juniper, junos, networking, switch

I’m trying to figure out if there is an inherent flaw in the way JUNOS handles sticky-mac addresses across their switch-ports versus how Cisco handles them. I’ll elaborate.

Below, you can see that port Fa0/1 is configured for sticky-mac, and once a device is plugged into the port, it loads the mac address into running-configuration for that single port.

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0010.9400.0002
!

Now, let’s say an end user has the mobility of a laptop, and decides to plug the laptop in somewhere else; we’ll assume they plug into port Fa0/2 on the same switch.

Obviously, Cisco switches will throw the port into an err-disabled state since port Fa0/2 is attempting to connect with a mac-address that is already registered on the switch.

CiscoSwitch>show interface status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        notconnect   1            auto   auto 10/100BaseTX
Fa0/2                        err-disabled 1            auto   auto 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX

Now, from my understanding, this isn’t necessarily a security mechanism. It’s more of a basic switch function; not really knowing what to do with more than 2 mac-address entries being registered on the same switch. Although this isn’t a security control, per se, it does work twofold in ensuring the administrator has proper port control; with a fully populated 6550, this might mean the difference of entire floors, VLANs, or even subnets.

Now, the configuration that will net you the same desired outcome in JUNOS is as follows. Also, yes, I understand that the family ethernet-switching commands are missing. We will also assume we are using the same laptop as in the Cisco example.

user@switch# show
interface ge-0/0/0.0 {
    mac-limit 1;
    persistent-learning;
}
interface ge-0/0/1.0 {
    mac-limit 1;
    persistent-learning;
}

After verifying that the mac-address has been registered persistently:

user@switch> show ethernet-switching table persistent-mac
VLAN              MAC address       Type       Interface
default           00:10:94:00:00:02 installed    ge-0/0/0.0

Now comes the strange part: if you change the port, JUNOS automatically migrates the mac-address over to the port it sees the mac-address on next.

user@switch> show ethernet-switching table persistent-mac
VLAN              MAC address       Type       Interface
default           00:10:94:00:00:02 installed    ge-0/0/1.0

I’m not sure if this was the design goal, but from someone who is in a heavy transition to Juniper, I find this shortcoming a big deal since 802.1X is not yet feasible in our environment.

What have others done? Has anyone else found a way around this dynamically?
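One way to at least detect the silent migration described in the question, as an added example that is not from the original post or from Juniper: a small Python script that diffs two snapshots of the persistent-mac table (constructed here from the two outputs quoted above) and reports any MAC that re-appears on a different interface. The snapshot strings, the row regex and the function names are assumptions; the output format is taken from the question.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots, modelled on the two
# "show ethernet-switching table persistent-mac" outputs in the question.
BEFORE = """\
VLAN              MAC address       Type       Interface
default           00:10:94:00:00:02 installed    ge-0/0/0.0
"""
AFTER = """\
VLAN              MAC address       Type       Interface
default           00:10:94:00:00:02 installed    ge-0/0/1.0
"""

# One data row: VLAN, colon-separated MAC, type, interface. The header line
# does not match because "MAC" is not a valid MAC address.
ROW = re.compile(
    r"^(?P<vlan>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<type>\S+)\s+(?P<ifc>\S+)\s*$",
    re.IGNORECASE,
)


def parse_persistent_table(text: str) -> Dict[Tuple[str, str], str]:
    """Map (vlan, mac) -> interface; header and blank lines are skipped."""
    table: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[(m["vlan"], m["mac"].lower())] = m["ifc"]
    return table


def detect_mac_moves(before: str, after: str) -> List[dict]:
    """Return one record per persistent MAC whose interface changed."""
    old, new = parse_persistent_table(before), parse_persistent_table(after)
    moves = []
    for (vlan, mac), new_ifc in new.items():
        old_ifc = old.get((vlan, mac))
        if old_ifc is not None and old_ifc != new_ifc:
            moves.append({"vlan": vlan, "mac": mac, "from": old_ifc, "to": new_ifc})
    return moves


if __name__ == "__main__":
    for mv in detect_mac_moves(BEFORE, AFTER):
        print(f"ALERT: {mv['mac']} (VLAN {mv['vlan']}) moved {mv['from']} -> {mv['to']}")
```

Run against snapshots collected on a schedule, a non-empty result is the event the question says JUNOS does not raise on its own.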

Best Answer

I am not too familiar with Juniper switches, but I am sure it supports Local RADIUS server (i.e. the RADIUS server running on the switch itself) and MAC authentication. In fact, using the local RADIUS server and MAC authentication would have been my first choice in your situation rather than trying to mimic the proprietary behaviour of Cisco devices. What's the reason for not being able to use 802.1x? Do the clients not support it?