Supported Platforms
Related Documentation
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
In an Ethernet switching table overflow attack, an intruder sends so many requests from new MAC addresses that the Ethernet switching table fills up and then overflows, forcing the switch to broadcast all messages.
This example describes how to configure MAC limiting and allowed MAC addresses, two port security features, to protect the switch from Ethernet switching table attacks:
Requirements
This example uses the following hardware and software components:
- One EX Series switch or QFX3500 switch
- Junos OS Release 9.0 or later for EX Series switches or Junos OS 12.1 or later for the QFX Series.
- A DHCP server to provide IP addresses to network devices on the switch
Before you configure specific port security features to mitigate common access-interface attacks, be sure you have:
- Connected the DHCP server to the switch.
- Configured a VLAN on the switch. See the task for your platform:
Overview and Topology
Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from an attack on the Ethernet switching table that causes the table to overflow and thus forces the switch to broadcast all messages.
This example shows how to configure port security features on a switch connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The procedure for creating that VLAN is described in the topic Example: Setting Up Bridging with Multiple VLANs for EX Series Switches and Example: Setting Up Bridging with Multiple VLANs for the QFX Series. That procedure is not repeated here. Figure 1 illustrates the topology for this example.
Figure 1: Network Topology for Basic Port Security
The components of the topology for this example are shown in Table 1.
Table 1: Components of the Port Security Topology
| Properties | Settings |
|---|---|
Switch hardware | One EX Series switch or one QFX3500 switch |
VLAN name and ID | employee-vlan, tag 20 |
VLAN subnets | 192.0.2.16/28 |
Interfaces in employee-vlan | ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8 |
Interface for DHCP server | ge-0/0/8 |
In this example, use the MAC limit feature to control the total number of MAC addresses that can be added to the Ethernet switching table for the specified interface. Use the allowed MAC addresses feature to ensure that the addresses of network devices whose network access is critical are guaranteed to be included in the Ethernet switching table.
In this example, the switch has already been configured as follows:
- Secure port access is activated on the switch.
- No MAC limit is set on any of the interfaces.
- All access interfaces are untrusted, which is the default setting.
Configuration
To configure MAC limiting and some allowed MAC addresses to protect the switch against Ethernet switching table overflow attacks:
CLI Quick Configuration
To quickly configure MAC limiting, clear the MAC forwarding table, and configure some allowed MAC addresses, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
exit
exit
clear ethernet-switching-table
interface ge-0/0/1Step-by-Step Procedure
Configure MAC limiting and some allowed MAC addresses:
- Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with different addresses be dropped
once the limit is exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit (Access Port Security) 4 action drop - Clear the current entries for interface ge-0/0/1 from
the MAC address forwarding table :
user@switch# clear ethernet-switching-table interface ge-0/0/1 - Configure the allowed MAC addresses on ge-0/0/2:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
Results
Check the results of the configuration:
Verification
To confirm that the configuration is working properly:
Verifying That MAC Limiting Is Working Correctly on the Switch
Purpose
Verify that MAC limiting is working on the switch.
Action
Display the MAC cache information after DHCP requests have been sent from hosts on ge-0/0/1, with the interface set to a MAC limit of 4 with the action drop, and after four allowed MAC addresses have been configured on interface ge/0/0/2:
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
VLAN MAC address Type Age Interfaces employee-vlan 00:05:85:3A:82:71 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:74 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:77 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:79 Learn 0 ge-0/0/1.0 employee-vlan * Flood 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0 employee-vlan * Flood - ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for the interface, the DHCP request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the MAC limit and that only the specified allowed MAC addresses have been learned on the ge-0/0/2 interface.
