Junos OS


EX-Series with ELS - Port Security features

  • 1.  EX-Series with ELS - Port Security features

    Posted 06-20-2019 03:00

    Hello Community,

     

    I have some questions regarding Port Security features on EX-Series devices. 

    I want to bind one specific MAC-Address to one interface. Only the one device with the configured MAC-Address should be able to access the network.

     

    I have tried the following configuration:

     

    ge-0/0/2 {
        unit 0 {
            accept-source-mac {
                /* xx:xx ... is just a placeholder; I have configured the correct MAC */
                mac-address xx:xx:xx:xx:xx:xx;
            }
            family ethernet-switching {
                vlan {
                    members client_23;
                }
                storm-control default;
            }
        }
    }

     

    This configuration works if I give the client a static IP. If I configure the client for DHCP, it gets an APIPA address.

    Do I have to configure more so that DHCP works too?

     

    -----------------------------------------------------

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/understanding_and_using_persistent_mac_learning.html

     

    In addition to that I tried "Sticky Mac/Persistent MAC Learning". Here is the configuration I used:

     

    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members client_23;
                }
                storm-control default;
            }
        }
    }

     

    ...

     

    switch-options {
        interface ge-0/0/2.0 {
            interface-mac-limit {
                1;
                packet-action drop;
            }
            persistent-learning;
        }
    }

     

    After this configuration, the switch stores only the one MAC from the connected device. But still, DHCP does not work and a static IP works.

     

     

    Device information:

    EX2300-24T

    Junos version 15.1X53-D58

     

    Best regards and thank you,

    Julian 



  • 2.  RE: EX-Series with ELS - Port Security features
    Best Answer

     
    Posted 06-20-2019 03:14
    Hi Julian,

    When using DHCP, configure the access ports to which the DHCP server and the client are connected as DHCP trusted, so that the DHCP server packets are accepted. By default, all trunk ports are trusted and access ports are untrusted, which blocks the DHCP server messages.

    https://www.juniper.net/documentation/en_US/junos/topics/example/overview-port-security.html

    Regards,
    Pradeep Kumar






  • 3.  RE: EX-Series with ELS - Port Security features

    Posted 06-20-2019 04:13

    Hey Pradeep Kumar,

     

    I can't find the correct configuration to enable the specific port to accept packets from our DHCP server. Can you provide an example for a device with ELS?

     

    The thing is, we never configured any access port to accept packets from our DHCP server; it just works without the additional configuration you mentioned.

     

    Do I need the additional configuration only if I use additional security measures, such as sticky MAC or port security?

     

    Thank you and best regards,

    Julian 

     

     

    EDIT:

     

    Okay, so I tested some of the information you provided me and it seemed to work. Thank you very much!

     

    This is the current configuration in order to allow only one specific MAC to communicate over an interface (and DHCP works like a charm):

     

    ge-0/0/2 {
        unit 0 {
            accept-source-mac {
                mac-address aa:bb:cc:dd:ee:ff;
            }
            family ethernet-switching {
                vlan {
                    members client_23;
                }
                storm-control default;
            }
        }
    }

     

    ...

     

    vlans {
        client_23 {
            vlan-id 23;
            forwarding-options {
                dhcp-security {
                    group trust_dhcp {
                        interface ge-0/0/2.0;
                    }
                }
            }
        }
    }

     

    Thank you and best regards,

    Julian
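
Added example (not from either post above): the pieces of this thread pulled into one ELS configuration, binding the client port to a single MAC and, as Pradeep's reply describes, placing both the client port and the server-facing access port in a DHCP-trusted group. The MAC is a constructed sample, ge-0/0/23 is an assumed placeholder for the port facing the DHCP server, and the trust itself is expressed with the group's overrides trusted statement, which the final post did not show.

```junos
interfaces {
    ge-0/0/2 {
        unit 0 {
            /* Bind the client port to one source MAC; frames from any
               other source MAC are not forwarded. Constructed sample MAC. */
            accept-source-mac {
                mac-address aa:bb:cc:dd:ee:ff;
            }
            family ethernet-switching {
                vlan {
                    members client_23;
                }
                storm-control default;
            }
        }
    }
    /* Assumed placeholder: the access port where the DHCP server is connected. */
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members client_23;
                }
            }
        }
    }
}
vlans {
    client_23 {
        vlan-id 23;
        forwarding-options {
            dhcp-security {
                /* With dhcp-security on the VLAN, access ports are untrusted by
                   default and drop DHCP server messages; trunk ports are trusted
                   by default. Ports listed in this group are marked trusted. */
                group trust_dhcp {
                    overrides {
                        trusted;
                    }
                    interface ge-0/0/23.0;
                    /* A trusted port also accepts DHCP server messages arriving
                       on it, so keep this group as small as your setup allows. */
                    interface ge-0/0/2.0;
                }
            }
        }
    }
}
```

After committing, `show ethernet-switching table interface ge-0/0/2.0` should list only the bound MAC, and `show dhcp-security binding` should show the client's lease once it has obtained an address.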