Configure port security features, including MAC limiting,
dynamic ARP inspection, whether interfaces can receive DHCP responses, DHCP snooping, IP source guard, DHCP option 82, MAC move limiting, and FIP snooping.
| MAC Spoofing/ Flooding | |
|---|---|
| Mac learning limit | set switch-options Finance-users interface-mac-limit 2 set switch-options Finance-users interface-mac-limit 2 packet-action shutdown or set switch-options Finance-users interface-mac-limit 2 packet-action drop-and-log drop any pack from new mac address or @ VLAN Level set vlans IT-Ops switch-options Finance-users interface-mac-limit 2 packet-action drop-and-log switch-options ( preferred ) > vlans switch-options |
| Mac Move Limit | set vlans IT_ops switch-options mac-move-limit 1 packet-action drop-and-log mac-move-limit 1 ( per sec ) |
clear / automatic recovery: recovery-timeout set interface-range Finance-users unit 0 ethernet-switching recovery-timeout 1800 (sec / 30 mins ) set interface-range Finance-users unit 0 ethernet-switching mac-move-limit 1 packet-action drop-and-log | |
learn only a specific mac address ( IPcam, printer, HW server: set interfaces ge-0/0/10 unit 0 accept-source-mac mac-address < mac@ of the host > | |
Persistent Learning | dynamic learning of a mac address ( stay even after a reboot ) set interface-range Finance-users persistent-learning |
| can't be use with 802.1x | |
| Rogue DHCP Server | |
| DHCP Snooping | |
| ARP poisoning / Spoofing | |
| Dynamic ARP Inspection | |
...