Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks

Requirements

• One EX Series switch or QFX3500 switch
• Junos OS Release 9.0 or later for EX Series switches or Junos OS 12.1 or later for the QFX Series.
• A DHCP server to provide IP addresses to network devices on the switch

• Connected the DHCP server to the switch.
• Configured a VLAN on the switch. See the task for your platform:

Overview and Topology

Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from an attack on the Ethernet switching table that causes the table to overflow and thus forces the switch to broadcast all messages.

This example shows how to configure port security features on a switch connected to a DHCP server.

The setup for this example includes the VLAN employee-vlan on the switch. The procedure for creating that VLAN is described in the topic Example: Setting Up Bridging with Multiple VLANs for EX Series Switches and Example: Setting Up Bridging with Multiple VLANs for the QFX Series. That procedure is not repeated here. Figure 1 illustrates the topology for this example.

Figure 1: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 1.

In this example, use the MAC limit feature to control the total number of MAC addresses that can be added to the Ethernet switching table for the specified interface. Use the allowed MAC addresses feature to ensure that the addresses of network devices whose network access is critical are guaranteed to be included in the Ethernet switching table.

In this example, the switch has already been configured as follows:

• Secure port access is activated on the switch.
• No MAC limit is set on any of the interfaces.
• All access interfaces are untrusted, which is the default setting.

Configuration

To configure MAC limiting and some allowed MAC addresses to protect the switch against Ethernet switching table overflow attacks:

CLI Quick Configuration

To quickly configure MAC limiting, clear the MAC forwarding table, and configure some allowed MAC addresses, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

1. Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with different addresses be dropped once the limit is exceeded on the interface:
   [edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit (Access Port Security) 4 action drop

2. Clear the current entries for interface ge-0/0/1 from the MAC address forwarding table :
   user@switch# clear ethernet-switching-table interface ge-0/0/1
3. Configure the allowed MAC addresses on ge-0/0/2:
   [edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85


Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly:

• Verifying That MAC Limiting Is Working Correctly on the Switch

Verifying That MAC Limiting Is Working Correctly on the Switch

Purpose

Verify that MAC limiting is working on the switch.

Action

Ethernet-switching table:  5 entries, 4 learned

  VLAN              MAC address         Type         Age    Interfaces

  employee-vlan     00:05:85:3A:82:71   Learn          0    ge-0/0/1.0
  employee-vlan     00:05:85:3A:82:74   Learn          0    ge-0/0/1.0
  employee-vlan     00:05:85:3A:82:77   Learn          0    ge-0/0/1.0
  employee-vlan     00:05:85:3A:82:79   Learn          0    ge-0/0/1.0
  employee-vlan     *                   Flood          0    ge-0/0/1.0
  employee-vlan     00:05:85:3A:82:80   Learn          0    ge-0/0/2.0
  employee-vlan     00:05:85:3A:82:81   Learn          0    ge-0/0/2.0
  employee-vlan     00:05:85:3A:82:83   Learn          0    ge-0/0/2.0
  employee-vlan     00:05:85:3A:82:85   Learn          0    ge-0/0/2.0
  employee-vlan     *                   Flood          -    ge-0/0/2.0

Meaning

The sample output shows that with a MAC limit of 4 for the interface, the DHCP request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the MAC limit and that only the specified allowed MAC addresses have been learned on the ge-0/0/2 interface.