- Download
Software
- Research a
Problem - Case Management
- Communities and Forums
- Contract & Product Management
- Technical Documentation Advanced Search
- Documentation Feedback Form
- Documentation Symbols Key
- End-of-Life Products
- Guidelines and Policies
- Security Resources
Juniper was the first North American IP routing vendor to achieve the prestigious TL 9000 certification by the Quality of Excellence for Suppliers of Telecommunications (QuEST) Forum in the router category, for design, development, provision and service and support.
What is J-Care?
It's the world-class service and support that you expect from a company that delivers the industry's best infrastructure and security products. With J-Care, you now have the confidence knowing that Juniper will do our part to keep you on top of the world!
- Download PDFs
-
Port Security with DHCP Snooping, DAI, MAC Limiting, and MAC
Move Limiting for EX-series Switches Overview
- Related Topics
- Security Features for EX-series Switches Overview
- Understanding DHCP Snooping for Port Security on EX-series Switches
- Understanding DAI for Port Security on EX-series Switches
- Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches
- Understanding How to Protect Access Ports on EX-series Switches from Common Attacks
- Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch
- Configuring Port Security (CLI Procedure)
- Configuring Port Security (J-Web Procedure)
Port Security with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting for EX-series Switches Overview
Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. Port security features such as DHCP snooping, DAI (dynamic ARP inspection), MAC limiting, and MAC move limiting, as well as trusted DHCP server, help protect the access ports on your switch against the losses of information and productivity that can result from such attacks.
JUNOS software on EX-series switches provides features to help secure ports on the switch. The ports can be categorized as either trusted or untrusted. You apply policies appropriate to those categories to protect against various types of attacks.
Port security features can be turned on to obtain the most robust port security level. Basic port security features are enabled in the switch's default configuration. You can configure additional features with minimal configuration steps.
Port security features on EX-series switches are:
- DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database). You enable this feature on VLANs.
- Dynamic ARP inspection (DAI)—Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. You enable this feature on VLANs.
- MAC limiting—Protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports).
- MAC move limiting—Detects MAC movement and MAC spoofing on access ports. Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network. You enable this feature on VLANs.
- Trusted DHCP server—With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases. You enable this feature on interfaces (ports). By default, access ports are untrusted and trunk ports are trusted. (Access ports are the switch ports that connect to Ethernet endpoints such as user PCs and laptops, servers, and printers. Trunk ports are the switch ports that connect to other Ethernet switches or to routers.)