Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks

Requirements

• One QFX3500 switch
• Junos OS Release 12.1 or later for the QFX Series
• A DHCP server to provide IP addresses to network devices on the switch

• Connected the DHCP server to the switch.
• Configured the VLAN employee-vlan on the switch. See Example: Setting Up Bridging with Multiple VLANs.

Overview and Topology

Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch against one common type of attack, a DHCP starvation attack.

This example shows how to configure port security features on a switch that is connected to a DHCP server.

The setup for this example includes the VLAN employee-vlan on the switch. Figure 1 illustrates the topology for this example.

Figure 1: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 1.

In this example, the switch has already been configured as follows:

• Secure port access is activated on the switch.
• No MAC limit is set on any of the interfaces.
• DHCP snooping is disabled on the VLAN employee-vlan.
• All access interfaces are untrusted, which is the default setting.

Configuration

To configure the MAC limiting port security feature to protect the switch against DHCP starvation attacks:

CLI Quick Configuration

To quickly configure MAC limiting, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

1. Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface:
   [edit ethernet-switching-options secure-access-port]
user@switch# set interface ge–0/0/1 mac-limit (Access Port Security) 3 action drop
2. Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface:
   [edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit 3 action drop

Results

Check the results of the configuration:

Verification

Confirm that the configuration is working properly.

Verifying That MAC Limiting Is Working Correctly on the Switch

Purpose

Verify that MAC limiting is working on the switch.

Action

Ethernet-switching table:  7 entries, 6 learned

  VLAN           MAC address         Type         Age    Interfaces

  default        *                   Flood          -    ge-0/0/2.0
  default        00:05:85:3A:82:77   Learn          0    ge-0/0/1.0
  default        00:05:85:3A:82:79   Learn          0    ge-0/0/1.0
  default        00:05:85:3A:82:80   Learn          0    ge-0/0/1.0
  default        00:05:85:3A:82:81   Learn          0    ge-0/0/2.0
  default        00:05:85:3A:82:83   Learn          0    ge-0/0/2.0
  default        00:05:85:3A:82:85   Learn          0    ge-0/0/2.0
  

Meaning

The sample output shows that with a MAC limit of 3 for each interface, the DHCP request for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit.

Because only 3 MAC addresses can be learned on each of the two interfaces, attempted DHCP starvation attacks fail.