- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow IPSec
- play_arrow Understanding IPsec and Security Associations
- play_arrow IPsec Configurations and Examples
- play_arrow Configuring IPsec Security Associations
- play_arrow Using Digital Certificates for IPsec
- play_arrow Additional IPsec Options
- play_arrow Configuring IPsec Dynamic Endpoints
- play_arrow Additional ES and AS PIC Configuration Examples
- Example: ES PIC Manual SA Configuration
- Example: AS PIC Manual SA Configuration
- Example: ES PIC IKE Dynamic SA Configuration
- Example: AS PIC IKE Dynamic SA Configuration
- Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration
- Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration
- Example: Dynamic Endpoint Tunneling Configuration
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection
- play_arrow Control Plane DDoS Protection
- play_arrow Flow Detection and Culprit Flows
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
Configuring Static DHCP IP Addresses
Configuring Static DHCP IP Addresses for DHCP snooping (ELS)
This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Static DHCP IP Addresses for DHCP snooping (non-ELS). For ELS details, see Using the Enhanced Layer 2 Software CLI.
You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the DHCP snooping database. These bindings are labeled static in the database, while those bindings that have been added through the process of DHCP snooping are labeled dynamic. Static IPv6 address assignment is also available for DHCPv6. This feature is supported on aggregated Ethernet interfaces.
Before you can perform this procedure, you must configure the VLAN. See Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure).
To configure a static IP address to MAC address (IP-MAC) binding in the DHCP snooping database,
you must first create a group of access interfaces under the [edit vlans
vlan-name forwarding-options dhcp-security] hierarchy. Creating this group automatically
enables DHCP snooping, which is a prerequisite for creating the DHCP snooping
database. On switches that support DHCPv6, creating the group of interfaces will
automatically enable both DHCP and DHCPv6 snooping. Then you can configure a
specific interface within the group to have one or more static IP-MAC address
bindings.
To configure a static IP-MAC address binding in the DHCP snooping database:
- content_copy zoom_out_map
[edit vlans vlan-name forwarding-options dhcp-security] user@switch# set group group-name interface interface-name static-ip ip-address mac mac-address
To configure a static IPv6-MAC address binding in the DHCPv6 snooping database:
- content_copy zoom_out_map
[edit vlans vlan-name forwarding-options dhcp-security] user@switch# set group group-name interface interface-name static-ipv6 ip-address mac mac-address
In the following example, a device with static IP allocation is connected to the ge-0/0/1 interface, which belongs to vlan-A. To configure this device to connect to the external network:
[edit] user@switch# set vlans vlan-A forwarding-options dhcp-security group static-group interface ge-0/0/1 static-ip 10.1.1.6 mac 00:00:00:44:44:06
To verify that the configuration is configured on the device:
user@switch> show configuration vlans vlan-A
vlan-id 100;
forwarding-options {
dhcp-security {
ip-source-guard;
group static-group {
interface ge-0/0/1 {
static-ip 10.1.1.6 mac 00:00:00:44:44:06
}
}
}
}
To verify that a binding entry is created for the static client:
user@switch> show dhcp-security binding
IP address MAC address Vlan Expires State Interface
10.1.1.6 00:00:00:44:44:06 vlan-A 0 STATIC ge-0/0/1
See Also
Configuring Static DHCP IP Addresses for DHCP snooping (non-ELS)
You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the DHCP snooping database. These bindings are labeled static in the database, while those bindings that have been added through the process of DHCP snooping are labeled dynamic.
This task uses Junos OS for EX Series switches that do not support Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does support ELS, see Configuring Static DHCP IP Addresses for DHCP snooping (ELS). For ELS details, see Using the Enhanced Layer 2 Software CLI.
To configure a static IP-MAC address binding in the DHCP snooping database:
[edit ethernet-switching-options secure-access-port] user@switch# set interface interface-name static-ip ip-address vlan data-vlan mac mac-address
To configure a static IP-MAC address binding in the DHCPv6 snooping database:
[edit ethernet-switching-options secure-access-port] user@switch# set interface interface-name static-ipv6 ip-address vlan data-vlan mac mac-address
To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command
at the user prompt.
See Also
Configuring Static DHCP IP Addresses for DHCP snooping (MX routers)
You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the DHCP snooping database. These bindings are labeled as static in the database, while those bindings that have been added through the process of DHCP snooping are labeled dynamic.
To configure a static IP address/MAC address binding in the DHCP snooping database, you must
first create a group of access interfaces under [edit bridge-domains
bridge-domain-name forwarding-options dhcp-security]. Creating this group automatically enables
DHCP snooping, which is a prerequisite for creating the DHCP snooping database. The
following procedure shows the configuration in two steps, but it can be done in one.
You can then configure a specific interface within the group to have one or more
static IP-MAC address bindings.
To configure a static IP address and MAC address binding in the DHCP snooping database:
