Supported Platforms
Related Documentation
- EX Series
- Configuring Port Security (J-Web Procedure)
- Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)
- EX Series, QFabric System, QFX Series standalone switches
- Example: Configuring Basic Port Security Features
- Monitoring Port Security
- Port Security Overview
- EX Series, QFX Series standalone switches
- Example: Configuring DHCP Snooping, DAI, and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch
- EX, SRX Series
- secure-access-port
- QFabric System, QFX Series standalone switches
- secure-access-port
Configuring Port Security (CLI Procedure)
Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. Port security features such as DHCP snooping, DAI (dynamic ARP inspection), MAC limiting, MAC move limiting, and persistent MAC learning, as well as trusted DHCP servers, help protect the access ports on the switch against the losses of information and productivity that can result from such attacks.
Depending on the particular feature, you can configure the port security feature either on:
- VLANs—A specific VLAN or all VLANs
- Interfaces—A specific interface or all interfaces
Note: If you configure one of the port security features on all VLANs or all interfaces, the switch software enables that port security feature on all VLANs and all interfaces that are not explicitly configured with other port security features. However, if you do explicitly configure one of the port security features on a specific VLAN or on a specific interface, you must explicitly configure any additional port security features that you want to apply to that VLAN or interface. Otherwise, the switch software automatically applies the default values for the feature. For example, if you disable DHCP snooping on all VLANs and decide to explicitly enable IP source guard only on a specific VLAN, you must also explicitly enable DHCP snooping on that specific VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.
To configure port security features using the CLI:
- Enabling DHCP Snooping
- Enabling Dynamic ARP Inspection (DAI)
- Limiting Dynamic MAC Addresses on an Interface
- Enabling Persistent MAC Learning on an Interface
- Limiting MAC Address Movement
- Configuring Trusted DHCP Servers on an Interface
Enabling DHCP Snooping
You can configure DHCP snooping to allow the device to monitor DHCP messages received, ensure that hosts only use the IP addresses assigned to them, and allow access only to authorized DHCP servers.
To enable DHCP snooping:
- On a specific VLAN (here, the VLAN is default):
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan default examine-dhcp
- On all VLANs:
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan all examine-dhcp
Enabling Dynamic ARP Inspection (DAI)
You can enable DAI to protect against ARP spoofing. To enable DAI:
- On a single VLAN (here, the VLAN is employee-vlan):
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan employee-vlan arp-inspection
- On all VLANs:
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan all arp-inspection
Limiting Dynamic MAC Addresses on an Interface
Limit the number of dynamic MAC addresses allowed on an interface and specify the action to take if the limit is exceeded—for example, set a MAC limit of 5 with an action of drop:
- On a single interface:
  [edit ethernet-switching-options secure-access-port]
  user@switch# set interface ge-0/0/1 mac-limit 5 action drop
- On all interfaces:
  [edit ethernet-switching-options secure-access-port]
  user@switch# set interface all mac-limit 5 action drop
You can also specify the actions log (do not drop the packet but generate an alarm, an SNMP trap, or a system log entry), none (no action), or shutdown (disable the interface and generate an alarm) to occur if the MAC limit is exceeded.
Enabling Persistent MAC Learning on an Interface
You can configure learned MAC addresses to persist on an interface across restarts of the switch:
  [edit ethernet-switching-options secure-access-port]
  user@switch# set interface ge-0/0/1 persistent-learning
Limiting MAC Address Movement
You can limit the number of times a MAC address can move from its original interface in 1 second—for example, set a MAC move limit of 5 with an action of drop if the limit is exceeded:
- On a single VLAN (here, the VLAN is employee-vlan):
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan employee-vlan mac-move-limit 5 action drop
- On all VLANs:
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan all mac-move-limit 5 action drop
You can also specify the actions log (do not drop the packet but generate an alarm, an SNMP trap, or a system log entry), none (no action), or shutdown (disable the interface or VLAN and generate an alarm) to occur if the MAC address moves more than the specified number of times in 1 second.
Configuring Trusted DHCP Servers on an Interface
Configure a trusted DHCP server on an interface:
  [edit ethernet-switching-options secure-access-port]
  user@switch# set interface ge-0/0/1 dhcp-trusted
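The note at the top of this procedure describes a precedence rule that is easy to get wrong: once a specific VLAN or interface carries any explicit secure-access-port setting, the `vlan all` / `interface all` settings no longer apply to it, and the feature defaults do. The following audit script is an added example, not part of the Juniper documentation or of Junos itself. It parses a constructed configuration in `set` format (the sample lines, VLAN names and interface names are invented for the example), computes the effective settings under that precedence rule, and reports every feature that `all` grants but an explicitly configured VLAN or interface silently loses. The precedence model is taken from the note above; it is assumed to be the only rule in play.

```python
from collections import defaultdict

# Constructed sample configuration in "set" format (not taken from the page).
# All VLANs get DHCP snooping, DAI and a MAC move limit, all interfaces get a
# MAC limit; then employee-vlan is explicitly given only DAI, and two interfaces
# are explicitly configured without restating the MAC limit.
SAMPLE_CONFIG = """\
set ethernet-switching-options secure-access-port vlan all examine-dhcp
set ethernet-switching-options secure-access-port vlan all arp-inspection
set ethernet-switching-options secure-access-port vlan all mac-move-limit 5 action drop
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection
set ethernet-switching-options secure-access-port interface all mac-limit 5 action drop
set ethernet-switching-options secure-access-port interface ge-0/0/1 persistent-learning
set ethernet-switching-options secure-access-port interface ge-0/0/47 dhcp-trusted
"""

PREFIX = "set ethernet-switching-options secure-access-port "
# Feature keywords used in this procedure, grouped by the scope they apply to.
VLAN_FEATURES = ("examine-dhcp", "arp-inspection", "mac-move-limit")
INTERFACE_FEATURES = ("mac-limit", "persistent-learning", "dhcp-trusted")


def parse_secure_access_port(config_text):
    """Return {"vlan": {name: {feature: value}}, "interface": {name: {...}}}
    holding only what is explicitly configured under secure-access-port."""
    explicit = {"vlan": defaultdict(dict), "interface": defaultdict(dict)}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        tokens = line[len(PREFIX):].split()
        if len(tokens) < 3 or tokens[0] not in explicit:
            continue
        scope, name, feature = tokens[0], tokens[1], tokens[2]
        # Anything after the keyword (e.g. "5 action drop") is the feature's value.
        explicit[scope][name][feature] = " ".join(tokens[3:]) or "enabled"
    return explicit


def effective_settings(explicit, scope, name):
    """Apply the precedence the note describes: any explicit configuration on a
    specific VLAN or interface replaces the 'all' settings for it entirely, and
    features not restated fall back to their defaults (i.e. are absent here)."""
    per_name = explicit[scope]
    if name != "all" and name in per_name:
        return dict(per_name[name])
    return dict(per_name.get("all", {}))


def audit(config_text, vlans, interfaces):
    """Return a list of (scope, name, feature) for every feature that the
    'all' stanza grants but the given VLAN/interface does not effectively have."""
    explicit = parse_secure_access_port(config_text)
    findings = []
    for scope, names, features in (("vlan", vlans, VLAN_FEATURES),
                                   ("interface", interfaces, INTERFACE_FEATURES)):
        granted_by_all = explicit[scope].get("all", {})
        for name in names:
            effective = effective_settings(explicit, scope, name)
            for feature in features:
                if feature in granted_by_all and feature not in effective:
                    findings.append((scope, name, feature))
    return findings


if __name__ == "__main__":
    # VLAN and interface names here are constructed for the example.
    for scope, name, feature in audit(SAMPLE_CONFIG,
                                      ["default", "employee-vlan"],
                                      ["ge-0/0/1", "ge-0/0/2", "ge-0/0/47"]):
        print(f"{scope} {name}: '{feature}' is set on 'all' but not in effect here")
```

Each finding is a place where the operator must restate the feature explicitly (for example `set vlan employee-vlan examine-dhcp`) if it is still wanted on that VLAN or interface; for a trusted uplink such as the constructed ge-0/0/47 the missing MAC limit may be intentional, and the audit simply makes that decision visible.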
Published: 2014-07-23