Supported Platforms
Related Documentation
- EX, QFX Series
- Example: Configuring DHCP Snooping, DAI, and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch
- Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks
- Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks
- Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
- Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
- Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks
- Configuring Port Security (CLI Procedure)
- show arp inspection statistics
- show dhcp snooping binding
- EX Series
- Configuring Port Security (J-Web Procedure)
- secure-access-port
- show ethernet-switching table
- QFX Series
- secure-access-port
- show ethernet-switching table
Example: Configuring Basic Port Security Features
You can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting, persistent MAC learning, and MAC move limiting on the access ports of switches to protect the switches and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. You can also configure a trusted DHCP server and specific (allowed) MAC addresses for the switch interfaces.
This example describes how to configure basic port security features on a switch:
Requirements
This example uses the following hardware and software components:
- One EX Series switch or one QFX3500 switch
- Junos OS Release 11.4 or later for EX Series switches or Junos OS Release 12.1 or later for the QFX Series
- A DHCP server to provide IP addresses to network devices on the switch
Before you configure basic port security features, be sure you have:
- Connected the DHCP server to the switch.
- Configured a VLAN on the switch. See the task for your platform:
  - Configuring VLANs for EX Series Switches (CLI Procedure)
  - Configuring VLANs for the QFX Series
Note: In this example, the DHCP server and its clients are all members of a single VLAN on the switch.
Overview and Topology
Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. To protect the devices from such attacks, you can configure:
- DHCP snooping to validate DHCP server messages
- DAI to protect against ARP spoofing (ARP cache poisoning), by checking the sender MAC and IP addresses in ARP packets against the DHCP snooping database
- MAC limiting to constrain the number of MAC addresses the switch adds to its MAC address cache
- MAC move limiting to help prevent MAC spoofing
- Persistent MAC learning (sticky MAC) to constrain the MAC addresses that can be learned on an interface to the first ones learned, even after a reboot of the switch
- Trusted DHCP server configured on a trusted port to protect against rogue DHCP servers sending leases
This example shows how to configure these security features on a switch connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. Figure 1 illustrates the topology for this example.
Figure 1: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 1.
Table 1: Components of the Port Security Topology
Properties | Settings
---|---
Switch hardware | One EX Series switch or one QFX3500 switch
VLAN name and ID | employee-vlan, tag 20
VLAN subnet | 192.0.2.16/28
Interfaces in employee-vlan | ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server | ge-0/0/8
In this example, the switch is initially configured with the default port security setup. In the default switch configuration:
- Secure port access is activated on the switch.
- DHCP snooping and DAI are disabled on all VLANs.
- All access ports are untrusted, and all trunk ports are trusted for DHCP snooping.
In the configuration tasks for this example, you set the DHCP server as trusted; you enable DHCP snooping, DAI, and MAC move limiting on a VLAN; you set a value for a MAC limit on some interfaces; you configure some specific (allowed) MAC addresses on an interface; and you configure persistent MAC learning on an interface.
Configuration
To configure basic port security on a switch whose DHCP server and client ports are in a single VLAN:
CLI Quick Configuration
To quickly configure basic port security on the switch, copy the following commands and paste them into the switch terminal window at the [edit ethernet-switching-options secure-access-port] hierarchy level, and then commit the configuration:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
set interface ge-0/0/2 mac-limit 4
set interface ge-0/0/1 persistent-learning
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan arp-inspection
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-move-limit 5
Step-by-Step Procedure
Configure basic port security on the switch:
- Enable DHCP snooping on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan examine-dhcp
- Specify the interface (port) from which DHCP responses are allowed, that is, the port to which the DHCP server is connected:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted
- Enable dynamic ARP inspection (DAI) on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection
- Configure a MAC limit of 4 on two interfaces and use the default action, drop. (When the limit is exceeded on an interface, packets from additional MAC addresses are dropped and those addresses are not added to the Ethernet switching table.)
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4
user@switch# set interface ge-0/0/2 mac-limit 4
- Enable persistent MAC learning so that the MAC addresses learned on an interface persist across restarts of the switch and interface-down events:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 persistent-learning
- Configure a MAC move limit of 5 and use the default action, drop. (When a MAC address exceeds the move limit, its packets are dropped and the address is not added to the Ethernet switching table.)
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5
- Configure allowed MAC addresses on an interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
Results
Check the results of the configuration from configuration mode with the show ethernet-switching-options secure-access-port command, and commit the configuration when it is correct. The output should show mac-limit 4 and persistent-learning on ge-0/0/1, the five allowed-mac addresses and mac-limit 4 on ge-0/0/2, dhcp-trusted on ge-0/0/8, and arp-inspection, examine-dhcp and mac-move-limit 5 on employee-vlan. If it does not, repeat the configuration steps above.
Verification
To confirm that the configuration is working properly:
- Verifying That DHCP Snooping Is Working Correctly on the Switch
- Verifying That DAI Is Working Correctly on the Switch
- Verifying That MAC Limiting, MAC Move Limiting, and Persistent MAC Learning Are Working Correctly on the Switch
- Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
Verifying That DHCP Snooping Is Working Correctly on the Switch
Purpose
Verify that DHCP snooping is working on the switch.
Action
Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address        IP Address   Lease  Type     VLAN           Interface
-----------------  -----------  -----  -------  -------------  ----------
00:05:85:3A:82:77  192.0.2.17   600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18   653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19   720    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81  192.0.2.20   932    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83  192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88  192.0.2.22   3200   dynamic  employee-vlan  ge-0/0/2.0
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires.
If the DHCP server had been configured as untrusted, no entries would be added to the DHCP snooping database, and nothing would be shown in the output of the show dhcp snooping binding command.
Verifying That DAI Is Working Correctly on the Switch
Purpose
Verify that DAI is working on the switch.
Action
Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch> show arp inspection statistics
ARP inspection statistics:
Interface        Packets received  ARP inspection pass  ARP inspection failed
---------------  ----------------  -------------------  ---------------------
ge-0/0/1.0       7                 5                    2
ge-0/0/2.0       10                10                   0
ge-0/0/3.0       12                12                   0
Meaning
The sample output shows the number of ARP packets received and inspected per interface, with a listing of how many packets passed and how many failed the inspection on each interface. The switch compares the ARP requests and replies against the entries in the DHCP snooping database. If a MAC address or IP address in the ARP packet does not match a valid entry in the database, the packet is dropped.
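The two checks above, the snooping binding table and the DAI comparison against it, can be reproduced offline. The following Python script is an added example, not Junos code or output captured from a switch: it parses the show dhcp snooping binding text shown above into bindings and then runs constructed ARP packets (marked as such in the code) through a simplified DAI check, in which a packet arriving on an untrusted port passes only if its sender MAC/IP pair matches a binding in the same VLAN. The ArpPacket field layout, the trusted_interfaces parameter and the rule that trusted ports bypass inspection are assumptions of this model rather than details taken from the page.

```python
"""Added example: parse `show dhcp snooping binding` output and model the DAI check."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the sample output printed earlier on this page.
SNOOPING_OUTPUT = """\
DHCP Snooping Information:
MAC Address        IP Address   Lease  Type     VLAN           Interface
-----------------  -----------  -----  -------  -------------  ----------
00:05:85:3A:82:77  192.0.2.17   600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18   653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19   720    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81  192.0.2.20   932    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83  192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88  192.0.2.22   3200   dynamic  employee-vlan  ge-0/0/2.0
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: str
    interface: str


def parse_snooping_bindings(text):
    """Return the binding rows of `show dhcp snooping binding` as Binding objects."""
    bindings = []
    for line in text.splitlines():
        fields = line.split()
        # A binding row has exactly six columns with a numeric lease;
        # the title, header and separator lines do not.
        if len(fields) != 6 or not fields[2].isdigit():
            continue
        mac, ip, lease, _kind, vlan, ifname = fields
        bindings.append(Binding(mac.lower(), ip, int(lease), vlan, ifname))
    return bindings


@dataclass(frozen=True)
class ArpPacket:
    interface: str   # ingress interface (field layout assumed for this model)
    vlan: str
    sender_mac: str
    sender_ip: str


def inspect_arp(bindings, packets, trusted_interfaces=frozenset()):
    """Model of DAI: return {interface: (received, passed, failed)}.

    A packet on an untrusted port passes only if its sender MAC/IP pair
    matches a snooping binding in the same VLAN.  Ports listed in
    trusted_interfaces (the dhcp-trusted server port) are not inspected;
    that bypass is an assumption of this model.
    """
    valid = {(b.vlan, b.mac, b.ip) for b in bindings}
    stats = defaultdict(lambda: [0, 0, 0])
    for p in packets:
        counters = stats[p.interface]
        counters[0] += 1
        key = (p.vlan, p.sender_mac.lower(), p.sender_ip)
        if p.interface in trusted_interfaces or key in valid:
            counters[1] += 1
        else:
            counters[2] += 1
    return {ifname: tuple(c) for ifname, c in stats.items()}


def demo():
    """Run constructed ARP traffic through the model; returns per-port stats."""
    bindings = parse_snooping_bindings(SNOOPING_OUTPUT)
    packets = [
        # legitimate: the pair matches the :77 binding on ge-0/0/1.0
        ArpPacket("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:77", "192.0.2.17"),
        # poisoning attempt: :77 claims the address leased to :80
        ArpPacket("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:77", "192.0.2.19"),
        # no binding at all for this sender (static address or forged MAC)
        ArpPacket("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:99", "192.0.2.30"),
        ArpPacket("ge-0/0/2.0", "employee-vlan", "00:05:85:3A:82:80", "192.0.2.19"),
        # the DHCP server's port is dhcp-trusted and bypasses inspection
        ArpPacket("ge-0/0/8.0", "employee-vlan", "00:05:85:00:00:01", "192.0.2.30"),
    ]
    return inspect_arp(bindings, packets, trusted_interfaces={"ge-0/0/8.0"})


if __name__ == "__main__":
    for ifname, (rx, ok, bad) in sorted(demo().items()):
        print(f"{ifname:<12} received {rx}  pass {ok}  failed {bad}")
```

The per-interface counters correspond to the three columns of show arp inspection statistics; a host whose MAC has a binding still fails inspection when it claims another host's leased address, which is the ARP cache poisoning case DAI exists to stop.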
Verifying That MAC Limiting, MAC Move Limiting, and Persistent MAC Learning Are Working Correctly on the Switch
Purpose
Verify that MAC limiting, MAC move limiting, and persistent MAC learning are working on the switch.
Action
Suppose that frames have been received from two hosts on ge-0/0/1 and from five hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the default action, drop, and ge-0/0/1 enabled for persistent MAC learning.
Display the MAC addresses learned:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 4 learned, 2 persistent entries
VLAN           MAC address        Type        Age  Interfaces
employee-vlan  *                  Flood       -    All-members
employee-vlan  00:05:85:3A:82:77  Persistent  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79  Persistent  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80  Learn       0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn       0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83  Learn       0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85  Learn       0    ge-0/0/2.0
Now suppose that two of the hosts on ge-0/0/2 have moved between interfaces more than five times within 1 second before sending further frames, with employee-vlan set to a MAC move limit of 5 and the default action, drop.
Display the MAC addresses in the table:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 2 learned, 2 persistent entries
VLAN           MAC address        Type        Age  Interfaces
employee-vlan  *                  Flood       -    All-members
employee-vlan  00:05:85:3A:82:77  Persistent  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79  Persistent  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80  Learn       0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn       0    ge-0/0/2.0
employee-vlan  *                  Flood       -    ge-0/0/2.0
employee-vlan  *                  Flood       -    ge-0/0/2.0
Meaning
The first sample output shows that, with a MAC limit of 4 on each interface, the fifth MAC address on ge-0/0/2 was not learned because it exceeded the MAC limit. The second sample output shows that two more MAC addresses on ge-0/0/2 (00:05:85:3A:82:83 and 00:05:85:3A:82:85) have been removed from the table because those hosts moved between interfaces more than five times in 1 second; with the fifth host still excluded by the MAC limit, three of the five hosts on ge-0/0/2 are now absent from the table.
Interface ge-0/0/1.0 was enabled for persistent MAC learning, so the MAC addresses associated with this interface are of the type Persistent and are retained across a restart of the switch.
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
Purpose
Verify that allowed MAC addresses are working on the switch.
Action
Display the MAC cache information after five allowed MAC addresses have been configured on interface ge-0/0/2:
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
employee-vlan  *                  Flood  -    ge-0/0/2.0
Meaning
Because the MAC limit for this interface is 4 and allowed MAC addresses count toward that limit, only four of the five configured allowed addresses are installed; the fifth, 00:05:85:3A:82:88, is not, and its frames are dropped. If every allowed address must be able to communicate, set the MAC limit to at least the number of allowed addresses configured on the interface.
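The behaviour described in the last two verification sections (MAC limiting with the default action drop, persistent MAC learning surviving a restart, MAC move limiting within 1 second, and allowed MAC addresses counting against the MAC limit) is modelled in the following Python script. It is an added example, not Junos code: the class and method names (SwitchingTable, frame, reboot, macs_on), the treatment of allowed addresses as entries installed up front, the 1-second move window and the blocking of a MAC once it exceeds the move limit are assumptions of the model, chosen to reproduce the counts in the sample outputs above.

```python
"""Added example (not Junos code): a model of MAC limiting, allowed MACs,
persistent MAC learning and MAC move limiting with the default action, drop."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PortConfig:
    mac_limit: int | None = None       # secure-access-port interface mac-limit
    persistent: bool = False           # persistent-learning
    allowed: frozenset = frozenset()   # allowed-mac list; empty = not configured


@dataclass
class Entry:
    interface: str
    kind: str   # "Learn", "Persistent" or "Static" (installed from allowed-mac)


class SwitchingTable:
    """Ethernet switching table for one VLAN; timestamps are in seconds."""

    def __init__(self, ports: dict[str, PortConfig], mac_move_limit: int | None = None):
        self.ports = ports
        self.mac_move_limit = mac_move_limit
        self.table: dict[str, Entry] = {}
        self.moves: dict[str, list[float]] = {}   # MAC -> times it changed interface
        self.blocked: set[str] = set()
        # Model assumption: allowed-mac entries are installed up front and count
        # against the interface's mac-limit, so a list longer than the limit is cut.
        for ifname, cfg in ports.items():
            for mac in sorted(cfg.allowed):
                if not self._at_limit(ifname):
                    self.table[mac] = Entry(ifname, "Static")

    def _at_limit(self, ifname: str) -> bool:
        limit = self.ports[ifname].mac_limit
        return limit is not None and sum(
            e.interface == ifname for e in self.table.values()) >= limit

    def frame(self, ifname: str, src_mac: str, now: float = 0.0) -> bool:
        """Process a frame from src_mac on ifname; True = forwarded, False = dropped."""
        cfg = self.ports[ifname]
        mac = src_mac.lower()
        if mac in self.blocked or (cfg.allowed and mac not in cfg.allowed):
            return False
        entry = self.table.get(mac)
        if entry is not None and entry.interface == ifname:
            return True                        # already known on this port
        if entry is not None:                  # seen on another port: a MAC move
            del self.table[mac]
            if self.mac_move_limit is not None:
                recent = [t for t in self.moves.get(mac, []) if now - t < 1.0] + [now]
                self.moves[mac] = recent
                if len(recent) > self.mac_move_limit:
                    self.blocked.add(mac)      # action drop: stop learning this MAC
                    return False
        if self._at_limit(ifname):
            return False                       # mac-limit exceeded: drop, do not learn
        self.table[mac] = Entry(ifname, "Persistent" if cfg.persistent else "Learn")
        return True

    def reboot(self) -> None:
        """Dynamic entries are lost; persistent (sticky) and static ones survive."""
        self.table = {m: e for m, e in self.table.items() if e.kind != "Learn"}
        self.moves.clear()
        self.blocked.clear()

    def macs_on(self, ifname: str) -> list[str]:
        return sorted(m for m, e in self.table.items() if e.interface == ifname)


# Hosts from the page's sample outputs (MACs lower-cased for comparison).
GE1_HOSTS = ["00:05:85:3a:82:77", "00:05:85:3a:82:79"]
GE2_HOSTS = ["00:05:85:3a:82:80", "00:05:85:3a:82:81", "00:05:85:3a:82:83",
             "00:05:85:3a:82:85", "00:05:85:3a:82:88"]


def demo_limits():
    """Reproduce the MAC limit, MAC move limit and persistent learning outputs."""
    ports = {"ge-0/0/1.0": PortConfig(mac_limit=4, persistent=True),
             "ge-0/0/2.0": PortConfig(mac_limit=4),
             "ge-0/0/3.0": PortConfig()}
    t = SwitchingTable(ports, mac_move_limit=5)
    for mac in GE1_HOSTS:
        t.frame("ge-0/0/1.0", mac)
    forwarded = [t.frame("ge-0/0/2.0", mac) for mac in GE2_HOSTS]  # fifth host dropped
    # Two hosts flap between ge-0/0/2 and ge-0/0/3 six times within one second.
    for mac in GE2_HOSTS[2:4]:
        for i in range(6):
            t.frame("ge-0/0/3.0" if i % 2 == 0 else "ge-0/0/2.0", mac, now=0.1 * i)
    after_moves = t.macs_on("ge-0/0/2.0")
    t.reboot()
    return forwarded, after_moves, t.macs_on("ge-0/0/1.0"), t.macs_on("ge-0/0/2.0")


def demo_allowed():
    """Five allowed MACs behind a MAC limit of 4: only four are installed."""
    t = SwitchingTable({"ge-0/0/2.0": PortConfig(mac_limit=4, allowed=frozenset(GE2_HOSTS))})
    installed = t.macs_on("ge-0/0/2.0")
    off_list = t.frame("ge-0/0/2.0", "00:05:85:27:32:88")   # not allowed: dropped
    fifth = t.frame("ge-0/0/2.0", GE2_HOSTS[4])             # allowed, but limit reached
    return installed, off_list, fifth
```

demo_limits returns the forward/drop result for each of the five hosts on ge-0/0/2, the addresses left on ge-0/0/2 after the two hosts flap, and the addresses on ge-0/0/1 and ge-0/0/2 after a reboot; only the two Persistent entries on ge-0/0/1 survive the reboot, matching the distinction between Learn and Persistent types in the outputs above. demo_allowed shows the allowed list being truncated by the MAC limit and a MAC that is not on the list being dropped.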
Published: 2013-01-17