Hi,
I suggest you to configure IP Source Guard. This feature, is based on DHCP Snooping (so you have to enable it before....) With IPSG and for each packet (on untrusted port), the swicth will compare the source MAC and IP addresses with DHCP Snooping entries. If the entry exist the switch forward the frame, if not it drop it. If you have some server or management station with static IP, you can add static entry to DHCP Snooping database.
Port Security is generally used to play with MAC address (limit the number on ports, define which address autorised on ports, etc..). I think IPSG is what you search.
Here an exemple :
ethernet-switching-options {
secure-access-port {
interface ge-0/0/0.0 {
/* Your uplink or your DHCP Server. It make the port trusted */
dhcp-trusted;
}
interface ge-0/0/1.0 {
/* Add a static entry to DHCP Snooping DB (Server, MGMT, ....) */
static-ip 192.168.0.X vlan YOURVLAN mac aa:bb:cc:dd:ee:ff;
}
.......
vlan YOURVLAN {
/* Enable DHCP Snooping for this VLAN */
examine-dhcp;
/* Enable IPSG for this VLAN */
ip-source-guard;
}
}
Some docs :
http://www.juniper.net/techpubs/en_US/junos9.3/topics/concept/port-security-ip-source-guard.html
http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/port-security-ip-source-guard-cli.html
https://www.juniper.net/techpubs/en_US/junos12.1/topics/example/port-security-ip-source-guard-plus-other-switch-features.html
I Hope this can help you.