
Configure port security features, including MAC limiting, dynamic ARP inspection, whether interfaces can receive DHCP responses, DHCP snooping, IP source guard, DHCP option 82, MAC move limiting, and FIP snooping.


MAC Spoofing / Flooding
MAC learning limit

Cap the number of MAC addresses an interface may learn (here the interface-range Finance-users, limit 2), so a flooding host cannot fill the switching table and turn the switch into a hub:

set switch-options interface Finance-users interface-mac-limit 2

With a packet-action, frames from any MAC address beyond the limit trigger the action (shutdown disables the interface):

set switch-options interface Finance-users interface-mac-limit 2 packet-action shutdown

or

set switch-options interface Finance-users interface-mac-limit 2 packet-action drop-and-log

(drop any frame from a new MAC address and log it)

or at VLAN level (applies to every interface in the VLAN):

set vlans IT-Ops switch-options interface-mac-limit 2 packet-action drop-and-log


Precedence: the interface-level limit under switch-options (preferred) takes priority over the VLAN-level limit under vlans ... switch-options.


MAC Move Limit

Limit how often one MAC address may move between interfaces in a VLAN; mac-move-limit 1 allows 1 move per second, faster moves (a spoofed address flapping between ports) trigger the packet action:

set vlans IT_ops switch-options mac-move-limit 1 packet-action drop-and-log


Clear / automatic recovery: recovery-timeout re-enables an interface that a shutdown action disabled, after the given number of seconds (1800 s = 30 min); without it the interface stays down until cleared by hand:

set interfaces interface-range Finance-users unit 0 family ethernet-switching recovery-timeout 1800

set interfaces interface-range Finance-users unit 0 family ethernet-switching mac-move-limit 1 packet-action drop-and-log

(the VLAN-level form of mac-move-limit above is the documented one; check the hierarchy on your Junos release before relying on the per-interface form)
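
How the two limits above behave against a MAC flood and a flapping address, as an added example (not Junos code and not part of these notes): the model reproduces the semantics described here for interface-mac-limit with packet-action drop / drop-and-log / shutdown, mac-move-limit per second, and recovery-timeout. Interface names, MAC addresses and timestamps are constructed for the walk-through.

```python
"""Model of interface-mac-limit, mac-move-limit and recovery-timeout.

Added example, not Junos code: the switch's real learning daemon is not
public, so this reproduces only the semantics the notes describe.  Interface
names, MAC addresses and timings are constructed for the walk-through.
"""
from collections import defaultdict

DROP, DROP_AND_LOG, SHUTDOWN = "drop", "drop-and-log", "shutdown"


class Switch:
    def __init__(self, mac_limit, mac_action, move_limit, move_action, recovery_timeout):
        self.mac_limit = mac_limit                # interface-mac-limit N
        self.mac_action = mac_action              # its packet-action
        self.move_limit = move_limit              # mac-move-limit M (moves per second)
        self.move_action = move_action            # its packet-action
        self.recovery_timeout = recovery_timeout  # seconds a shut interface stays down
        self.table = {}                           # mac -> interface it was learned on
        self.disabled_until = {}                  # interface -> time it is re-enabled
        self.moves = defaultdict(list)            # mac -> timestamps of recent moves
        self.log = []                             # what drop-and-log / shutdown would syslog

    def _learned_on(self, iface):
        return sum(1 for i in self.table.values() if i == iface)

    def _shutdown(self, iface, now, why):
        self.disabled_until[iface] = now + self.recovery_timeout
        self.table = {m: i for m, i in self.table.items() if i != iface}  # flush its MACs
        self.log.append(f"{now}: {iface} disabled ({why}), recovery in {self.recovery_timeout}s")

    def _violation(self, action, iface, now, why):
        if action != DROP:
            self.log.append(f"{now}: {why} on {iface}")
        if action == SHUTDOWN:
            self._shutdown(iface, now, why)
        return "drop"

    def ingress(self, iface, src_mac, now):
        """Return 'forward' or 'drop' for a frame with src_mac entering iface at time now."""
        if iface in self.disabled_until:
            if now < self.disabled_until[iface]:
                return "drop"                     # still inside recovery-timeout
            del self.disabled_until[iface]
            self.log.append(f"{now}: {iface} re-enabled by recovery-timeout")
        known = self.table.get(src_mac)
        if known == iface:
            return "forward"                      # already learned on this interface
        if known is not None:
            # MAC move: count moves of this address within the last second
            recent = [t for t in self.moves[src_mac] if now - t < 1.0] + [now]
            self.moves[src_mac] = recent
            if len(recent) > self.move_limit:
                return self._violation(self.move_action, iface, now, f"mac-move-limit hit for {src_mac}")
            self.table[src_mac] = iface
            return "forward"
        if self._learned_on(iface) >= self.mac_limit:
            return self._violation(self.mac_action, iface, now, f"interface-mac-limit hit, {src_mac} not learned")
        self.table[src_mac] = iface               # new address, still under the limit
        return "forward"


def flood_demo(action):
    """Two legitimate hosts, then a flooding attacker, on ge-0/0/10.0 (constructed traffic)."""
    sw = Switch(mac_limit=2, mac_action=action, move_limit=1,
                move_action=DROP_AND_LOG, recovery_timeout=1800)
    port = "ge-0/0/10.0"
    legit = ["00:10:94:00:00:01", "00:10:94:00:00:02"]
    verdicts = [sw.ingress(port, m, 0.0) for m in legit]
    verdicts += [sw.ingress(port, f"de:ad:be:ef:00:{i:02x}", 1.0) for i in range(5)]
    # after the recovery timeout a legitimate host is learned again (matters for shutdown)
    verdicts.append(sw.ingress(port, legit[0], 1.0 + 1800))
    return sw, verdicts


def move_demo():
    """One MAC flapping between two ports faster than mac-move-limit 1 allows."""
    sw = Switch(2, DROP_AND_LOG, 1, DROP_AND_LOG, 1800)
    mac = "00:10:94:00:00:01"
    verdicts = [sw.ingress("ge-0/0/10.0", mac, 0.0),   # learned on ge-0/0/10.0
                sw.ingress("ge-0/0/11.0", mac, 0.2),   # first move this second: allowed
                sw.ingress("ge-0/0/10.0", mac, 0.4),   # second move within 1 s: over the limit
                sw.ingress("ge-0/0/10.0", mac, 5.0)]   # window expired: move allowed again
    return sw, verdicts


if __name__ == "__main__":
    for action in (DROP_AND_LOG, SHUTDOWN):
        sw, v = flood_demo(action)
        print(action, v, sw.log, sep="\n  ")
    sw, v = move_demo()
    print("mac-move", v, sw.log, sep="\n  ")
```

With drop-and-log the two legitimate hosts keep working while every flood frame is dropped and logged; with shutdown the first excess address takes the whole port down (legitimate hosts included) until recovery-timeout expires, which is the trade-off to weigh before choosing it on user ports.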



Learn only a specific MAC address (IP camera, printer, hardware server): pin the allowed source MAC to the port, frames from any other source MAC are dropped:


set interfaces ge-0/0/10 unit 0 accept-source-mac mac-address < mac@ of the host >


Persistent Learning

Dynamically learned MAC addresses are kept across a reboot (persistent / sticky MAC learning), so a port stays bound to the device first seen on it:

set switch-options interface Finance-users persistent-learning



To remove the retained MAC address and start dynamically relearning a new one:

clear ethernet-switching table


Cannot be used together with 802.1X on the same interface.



show ethernet-switching table

>> MAC flags:
         D : dynamic
         P : persistent static
         S : static


show ethernet-switching interface ge-0/0/1

>> Interface flags:
         LH : MAC limit hit
         AD : packet action drop


show log messages | match MAC_LIMIT


Rogue DHCP Server
Trusted port to the DHCP server: enabling dhcp-security on the VLAN turns on DHCP snooping, and only the port facing the real DHCP server is marked trusted; DHCP server replies (OFFER / ACK) arriving on any untrusted port are dropped. By default access interfaces are untrusted and trunk interfaces are trusted.

set vlans Finance vlan-id 10

set vlans Finance l3-interface irb.10

set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted

set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0

DHCP Snooping
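
What the trusted/untrusted split above does to a rogue server's replies, and why the snooping binding table it builds matters for the ARP inspection section, as an added example (not Junos code and not part of these notes): the model accepts DHCP server messages only from trusted ports, records leases confirmed by the real server, and then answers the DAI question "does this ARP match a binding?" for untrusted ports. The DAI check goes beyond the commands in the notes and is a simplification; interface names, MAC and IP addresses are constructed.

```python
"""Model of DHCP snooping with one trusted server port on a VLAN.

Added example, not Junos code: it reproduces the behaviour the notes describe
for `forwarding-options dhcp-security` with an `overrides trusted` group, and
shows why the resulting binding table matters for dynamic ARP inspection.
Interface names, MAC and IP addresses are constructed for the walk-through.
"""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass
class Dhcp:
    kind: str           # DHCP message type
    iface: str          # interface the message arrived on
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address in the DHCP header
    yiaddr: str = ""    # address offered / assigned (server messages only)


@dataclass
class Binding:
    mac: str
    ip: str
    iface: str


class DhcpSecurity:
    """dhcp-security for one VLAN: every port is untrusted except the listed ones."""

    def __init__(self, vlan, trusted):
        self.vlan = vlan
        self.trusted = set(trusted)
        self.clients = {}     # chaddr -> access interface it sent DISCOVER/REQUEST from
        self.bindings = {}    # chaddr -> Binding learned from an ACK on a trusted port
        self.log = []

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for a DHCP message seen on this VLAN."""
        if pkt.kind in SERVER_MSGS and pkt.iface not in self.trusted:
            self.log.append(f"{self.vlan}: drop {pkt.kind} from untrusted {pkt.iface} "
                            f"({pkt.src_mac}): rogue DHCP server")
            return "drop"
        if pkt.kind in CLIENT_MSGS:
            self.clients[pkt.chaddr] = pkt.iface
        elif pkt.kind == "ACK" and pkt.chaddr in self.clients:
            # a lease confirmed by the trusted server becomes a snooping binding
            self.bindings[pkt.chaddr] = Binding(pkt.chaddr, pkt.yiaddr, self.clients[pkt.chaddr])
        elif pkt.kind == "NAK":
            self.bindings.pop(pkt.chaddr, None)
        return "forward"

    def arp_allowed(self, iface, sender_mac, sender_ip):
        """Dynamic ARP inspection: ARP from an untrusted port must match a binding."""
        if iface in self.trusted:
            return True
        b = self.bindings.get(sender_mac)
        return b is not None and b.ip == sender_ip and b.iface == iface


def demo():
    """Finance VLAN: real server behind ge-0/0/0.0, client on ge-0/0/10.0, rogue on ge-0/0/11.0."""
    sec = DhcpSecurity("Finance", trusted=["ge-0/0/0.0"])
    client, server, rogue = "00:10:94:00:00:01", "00:10:94:ff:ff:01", "de:ad:be:ef:00:01"
    verdicts = [
        sec.inspect(Dhcp("DISCOVER", "ge-0/0/10.0", client, client)),
        sec.inspect(Dhcp("OFFER", "ge-0/0/11.0", rogue, client, "10.0.10.200")),  # rogue answers first
        sec.inspect(Dhcp("OFFER", "ge-0/0/0.0", server, client, "10.0.10.50")),
        sec.inspect(Dhcp("REQUEST", "ge-0/0/10.0", client, client)),
        sec.inspect(Dhcp("ACK", "ge-0/0/0.0", server, client, "10.0.10.50")),
    ]
    arp = [
        sec.arp_allowed("ge-0/0/10.0", client, "10.0.10.50"),  # client's own lease
        sec.arp_allowed("ge-0/0/10.0", client, "10.0.10.1"),   # client claiming the gateway IP
        sec.arp_allowed("ge-0/0/11.0", rogue, "10.0.10.1"),    # rogue with no binding at all
        sec.arp_allowed("ge-0/0/0.0", server, "10.0.10.1"),    # trusted port is not inspected
    ]
    return sec, verdicts, arp


if __name__ == "__main__":
    sec, verdicts, arp = demo()
    print(verdicts, arp, sec.log, sep="\n")
```

The rogue's OFFER is dropped purely because of the port it arrived on, so the client only ever sees the real server's lease; that lease is what later lets ARP inspection reject the client or the rogue claiming the gateway address. Note the model has no lease expiry, so stale bindings would persist where a real switch ages them out.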


ARP poisoning / Spoofing
Dynamic ARP Inspection


...