Troubleshooting Port Security
Troubleshooting issues for port security on EX Series switches:
No IP Address or Lease Time Is Assigned to DHCP Client MAC Addresses in the DHCP Snooping Database
Problem
DHCP snooping is enabled on the switch, but no IP addresses or lease times are assigned to the DHCP clients when they send requests to the DHCP server. The output of the DHCP snooping database looks similar to the following:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
-----------------   ----------   ---------------  -------  --------  ---------
00:05:85:3A:82:77   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
In the database output sample, the clients' MAC addresses are shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time is shown as a dash – in the Lease column).
Solution
The DHCP clients are sending requests to a DHCP server that is untrusted—that is, the server is connected to the switch through an untrusted interface. With DHCP snooping enabled, the switch discards server messages (OFFER and ACK) that arrive on untrusted interfaces, so the clients' requests are recorded in the binding database but no offer is ever accepted and no IP address or lease is bound. Access interfaces are untrusted by default; trunk interfaces are trusted by default.
To set the server interface as trusted and obtain IP addresses with leases for the DHCP clients:
- Set the interface that connects to the DHCP server as trusted. Trust only interfaces that lead to a legitimate DHCP server; marking a client-facing interface as trusted allows a rogue server on that port to answer clients, which is exactly what DHCP snooping is meant to prevent.
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted
- Send requests from the DHCP clients to the DHCP server.
Now display the DHCP snooping information. Requests were sent from the MAC addresses, and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
-----------------   ----------   ---------------  -------  --------  ---------
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932              dynamic  employee  ge-0/0/2.0
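The complete secure-access-port stanza behind this fix, as an added example rather than configuration taken from the Juniper page: DHCP snooping is enabled per VLAN with examine-dhcp, and only the server-facing interface is marked dhcp-trusted. The VLAN name employee and the interface names ge-0/0/1, ge-0/0/2 and ge-0/0/8 are taken from the outputs above; the uplink interface ge-0/0/23 and its role are assumptions for illustration. Lines beginning with # are explanatory comments and are not entered at the CLI.

```junos
# Added example, not from the original page. Enter in configuration mode.
[edit ethernet-switching-options secure-access-port]

# Enable DHCP snooping on the VLAN that carries the clients. Without this,
# no binding database is built for the VLAN at all.
set vlan employee examine-dhcp

# The legitimate DHCP server is connected to ge-0/0/8 (assumed). Trust only
# that interface: server messages arriving on any untrusted interface are
# discarded, which is what produced the 0.0.0.0 / no-lease entries above.
set interface ge-0/0/8 dhcp-trusted

# Client-facing access interfaces stay untrusted (the default). Do NOT add
# dhcp-trusted here, or a rogue server on a client port can answer clients.
#   ge-0/0/1, ge-0/0/2 -> untrusted (no statement needed)

# Trunk interfaces are trusted by default. If an uplink trunk (ge-0/0/23,
# assumed) leads toward hosts rather than toward the server, revoke trust
# explicitly so DHCP replies from that direction are also dropped.
set interface ge-0/0/23 no-dhcp-trusted

# Apply and verify.
commit
run show configuration ethernet-switching-options secure-access-port
run show dhcp snooping binding
```

After the commit, existing entries still show 0.0.0.0 until the clients retransmit or renew; once they do, the binding database should list an IP address and a non-dash lease for each client MAC, as in the second output above. If it does not, confirm that the server's replies really enter the switch on ge-0/0/8 and not on another path.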
MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the Ethernet Switching Table
Problem
You see log messages telling you that the MAC limit or MAC move limit has been exceeded, but the specific offending MAC addresses that have been exceeding the limit are not listed in the Ethernet switching table.
Solution
With the default action of drop, frames from MAC addresses that exceed the MAC limit or MAC move limit are discarded, so those addresses are never learned into the Ethernet switching table; only the limit-exceeded log message records that something happened. Setting the action to log forwards and learns the excess addresses while still logging them, which makes the offending MAC addresses visible in the table.
- Set the MAC limit or MAC move limit action to log. The MAC limit is configured on an interface; the MAC move limit is configured on a VLAN.
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit 5 action log
- Allow some MAC address requests to come in.
- View the entries in the Ethernet switching table:
user@switch> show ethernet-switching table
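The diagnostic procedure above as a complete configuration sequence, added here as an example and not taken from the Juniper page. It shows the interface-level MAC limit and the VLAN-level MAC move limit both set to log, the commands used to identify the offending addresses, and the step of restoring a blocking action afterwards. The interface ge-0/0/2 and the VLAN employee come from the page; the limit value 5 matches the page's command, and the choice to restore drop afterwards is an assumption about the operator's policy. Lines beginning with # are explanatory comments and are not entered at the CLI.

```junos
# Added example, not from the original page. Enter in configuration mode.
[edit ethernet-switching-options secure-access-port]

# Step 1: switch both limits to action log so excess addresses are still
# learned (and therefore visible) instead of being silently dropped.
set interface ge-0/0/2 mac-limit 5 action log
set vlan employee mac-move-limit 5 action log
commit

# Step 2: let traffic flow for a while, then identify the offenders.
# Addresses beyond the limit now appear in the table for the interface,
# and the log shows which addresses triggered the limit.
run show ethernet-switching table interface ge-0/0/2
run show log messages | match "MAC"

# Step 3: action log is a troubleshooting setting. While it is in place,
# frames from addresses beyond the limit are forwarded, so a MAC-flooding
# host on ge-0/0/2 is no longer contained. Once the offending addresses
# are known, restore a blocking action (drop, or shutdown to disable the
# interface) so the limit protects the switch again.
set interface ge-0/0/2 mac-limit 5 action drop
set vlan employee mac-move-limit 5 action drop
commit
```

If an offending address belongs to a legitimate host, raise the limit on that interface rather than leaving the action at log; if it belongs to a host that keeps moving between ports or presents many addresses, treat it as a MAC-flooding or spoofing suspect and investigate the port before re-enabling it.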