Table of Contents
Advertisement
Complete Software Guide for Junos
Table 406: Components of the Port Security Topology
Properties
Switch hardware
VLAN name and ID
VLAN subnets
Interfaces in
employee-vlan
Interface for DHCP server
Configuration
CLI Quick
Configuration
Step-by-Step
Procedure
Results
3092
®
OS for EX Series Ethernet Switches, Release 10.4
Settings
One EX3200-24P, 24 ports (8 PoE ports)
employee-vlan
192.0.2.16/28
192.0.2.17
192.0.2.31
ge-0/0/1
ge-0/0/8
In this example, the switch has already been configured as follows:
Secure port access is activated on the switch.
DHCP snooping is disabled on the VLAN
All access ports are untrusted, which is the default setting.
To configure DHCP snooping and dynamic ARP inspection (DAI) to protect the switch
against ARP attacks:
To quickly configure DHCP snooping and dynamic ARP inspection (DAI), copy the following
commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan examine-dhcp
set vlan employee-vlan arp-inspection
Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN:
Set the
ge-0/0/8
interface as trusted:
1.
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted
Enable DHCP snooping on the VLAN:
2.
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan examine-dhcp
Enable DAI on the VLAN:
3.
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection
Check the results of the configuration:
[edit ethernet-switching-options secure-access-port]
user@switch# show
, tag
20
through
192.0.2.30
is subnet's broadcast address
,
,
,
ge-0/0/2
ge-0/0/3
ge-0/0/8
employee-vlan
.
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Chapters
Table of Contents
Troubleshooting
