Configure port security features, including MAC limiting, dynamic ARP inspection, whether interfaces can receive DHCP responses, DHCP snooping, IP source guard, DHCP option 82, MAC move limiting, and FIP snooping.
Threat | Feature | Configuration and notes
---|---|---
MAC spoofing / flooding | MAC learning limit | `set switch-options interface Finance-users interface-mac-limit 2`<br>`set switch-options interface Finance-users interface-mac-limit 2 packet-action shutdown` or `set switch-options interface Finance-users interface-mac-limit 2 packet-action drop-and-log` (drop, and log, any packet from a new MAC address)<br>At VLAN level: `set vlans IT-Ops switch-options interface Finance-users interface-mac-limit 2 packet-action drop-and-log`<br>Prefer `switch-options` over `vlans ... switch-options`.
 | MAC move limit | `set vlans IT_ops switch-options mac-move-limit 1 packet-action drop-and-log` (`mac-move-limit 1` = one move per second)
 | Clear / automatic recovery (`recovery-timeout`) | `set interfaces interface-range Finance-users unit 0 family ethernet-switching recovery-timeout 1800` (seconds, i.e. 30 min)<br>`set interfaces interface-range Finance-users unit 0 family ethernet-switching mac-move-limit 1 packet-action drop-and-log`
 | Learn only a specific MAC address (IP camera, printer, hardware server) | `set interfaces ge-0/0/10 unit 0 accept-source-mac mac-address <MAC address of the host>`
 | Persistent learning | Dynamically learned MAC addresses are kept, even after a reboot: `set switch-options interface Finance-users persistent-learning`<br>To remove the retained MAC address and start relearning a new one dynamically: `clear ethernet-switching table`<br>Cannot be used together with 802.1X.
 | Verification | `show ethernet-switching table` (see the Flags column)<br>`show ethernet-switching interface ge-0/0/1` (see the Interface flags)<br>`show log messages \| match MAC_LIMIT`
Rogue DHCP server | DHCP snooping: trusted port toward the DHCP server | `set vlans Finance vlan-id 10`<br>`set vlans Finance l3-interface irb.10`<br>`set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted`<br>`set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0`
ARP poisoning / spoofing | Dynamic ARP inspection | 
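The following is an added example, not part of the original notes: the Finance VLAN from the DHCP snooping row, shown in hierarchical Junos format and extended with the dynamic ARP inspection, IP source guard and option 82 knobs that the introduction lists, plus a static binding for a host that does not use DHCP (otherwise DAI and IP source guard drop its traffic). The `Static-hosts` group, its IP address, its MAC address and the `ge-0/0/10.0` port are constructed placeholders.

```junos
## Added example (not from the original notes). Constructed placeholders:
## group Static-hosts, 10.1.10.50, 00:11:22:33:44:55, interface ge-0/0/10.0.
vlans {
    Finance {
        vlan-id 10;
        l3-interface irb.10;
        forwarding-options {
            dhcp-security {
                /* Uplink to the DHCP server: the only port trusted to send DHCP replies */
                group DHCP-server {
                    overrides {
                        trusted;
                    }
                    interface ge-0/0/0.0;
                }
                /* Host with a static IP (e.g. a printer): give it a static binding so
                   ARP inspection and IP source guard do not drop its traffic */
                group Static-hosts {
                    overrides {
                        static-ip 10.1.10.50 mac 00:11:22:33:44:55;
                    }
                    interface ge-0/0/10.0;
                }
                /* Validate ARP replies against the DHCP snooping binding table */
                arp-inspection;
                /* Drop IP packets whose source IP/MAC is not in the binding table */
                ip-source-guard;
                /* Insert the ingress port (circuit ID) into relayed DHCP requests */
                option-82 {
                    circuit-id;
                }
            }
        }
    }
}
```

After committing, `show dhcp-security binding` lists the learned and static bindings and `show dhcp-security arp inspection statistics` shows per-interface drops.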
...