Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 3186

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4

Table 403: Components of the Port Security Topology (continued)

Properties                   Settings
Interface for DHCP server    ge-0/0/8

In this example, use the MAC limit feature to control the total number of MAC addresses
that can be added to the Ethernet switching table for the specified interface. Use the
allowed MAC addresses feature to ensure that the addresses of network devices whose
network access is critical are guaranteed to be included in the Ethernet switching table.

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.
No MAC limit is set on any of the interfaces.
All access interfaces are untrusted, which is the default setting.

Configuration

To configure MAC limiting and some allowed MAC addresses to protect the switch against
Ethernet switching table overflow attacks:

CLI Quick Configuration

To quickly configure MAC limiting and some allowed MAC addresses, copy the following
commands and paste them into the switch terminal window:

[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85

Step-by-Step Procedure

Configure MAC limiting and some allowed MAC addresses:

1. Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with
different addresses be dropped once the limit is exceeded on the interface:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4 action drop

2. Configure the allowed MAC addresses on ge-0/0/2:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85

Results

Check the results of the configuration:

[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
    mac-limit 4 action drop;
}
interface ge-0/0/2.0 {
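
The following Python script is an added example, not part of the Juniper manual: it audits an exported configuration for the mac-limit and allowed-mac statements configured in the procedure above. It assumes the configuration is saved as set commands (full or [edit]-relative form); the ge-0/0/3 and ge-0/0/4 interfaces and the malformed address are constructed test input.

```python
import re

PREFIX = "set ethernet-switching-options secure-access-port "
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
LINE_RE = re.compile(r"set interface (?P<ifname>\S+) (?:mac-limit (?P<limit>\d+)"
                     r"(?: action (?P<action>\S+))?|allowed-mac (?P<mac>\S+))")

# Constructed input: the page's commands in full set form, plus two invented
# lines (a malformed address on ge-0/0/2, a log-only limit on ge-0/0/3.0).
SAMPLE = """\
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 4 action drop
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3A:82:8G
set ethernet-switching-options secure-access-port interface ge-0/0/3.0 mac-limit 4 action log
"""

def parse(text):
    """Return ({ifname: {"limit", "action", "allowed"}}, [error strings])."""
    ports, errors = {}, []
    for raw in text.splitlines():
        # Accept both the full form and the [edit]-relative form shown on the page.
        m = LINE_RE.fullmatch(raw.strip().replace(PREFIX, "set ", 1))
        if not m:
            continue  # unrelated configuration statement
        name = re.sub(r"\.0$", "", m["ifname"])  # "show" prints ge-0/0/1 as ge-0/0/1.0
        port = ports.setdefault(name, {"limit": None, "action": None, "allowed": set()})
        if m["mac"] is None:
            port["limit"], port["action"] = int(m["limit"]), m["action"]
        elif MAC_RE.fullmatch(m["mac"]):
            port["allowed"].add(m["mac"].lower())
        else:
            errors.append(f"{name}: malformed MAC {m['mac']}")
    return ports, errors

def audit(text, access_ports):
    """Findings for access ports with no MAC limit/allowed list or a weak action."""
    ports, findings = parse(text)
    for name in access_ports:
        p = ports.get(name)
        if p is None or (p["limit"] is None and not p["allowed"]):
            findings.append(f"{name}: no mac-limit or allowed-mac configured")
        elif p["action"] in ("log", "none"):  # these actions do not drop frames
            findings.append(f"{name}: mac-limit action '{p['action']}' does not drop")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["ge-0/0/1", "ge-0/0/2", "ge-0/0/3", "ge-0/0/4"])))
```

The list of access ports passed to audit() is supplied by the operator; the script does not discover interfaces on its own.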
Copyright © 2010, Juniper Networks, Inc.