Ethernet Switching

EX 3400 V15.X ports security on access points

‎05-15-2019 05:40 AM

For a port with a single device like a printer or end host I would use:

 

These would be the commands to enable port security for EX3400 for more than one MAC Address:
 
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:00:14:25:25
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:00:14:25:26
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:00:14:30:54
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:15:14:30:56
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:15:14:30:57
set interfaces ge-1/0/4 unit 0 family ethernet-switching vlan members MGMT
 
You can configure it at interface or VLAN level.
set switch-options interface ge-1/0/4.0 interface-mac-limit 2
set switch-options interface ge-1/0/4.0 interface-mac-limit packet-action drop
 
set vlans MGMT switch-options interface ge-1/0/4.0 interface-mac-limit 3
set vlans MGMT switch-options interface ge-1/0/4.0 interface-mac-limit packet-action drop-and-log

But what if I want to secure a port for access points? This configuration does not make sense. Is there a better way? Thank you
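
An added example (not part of the original post, and not Juniper code): a small Python check over the set commands quoted above that compares each port's accept-source-mac list with its interface-mac-limit values and notes limits whose packet-action does not log. The function name, scope labels and finding wording are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the set commands quoted in the post above.
SAMPLE_CONFIG = """
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:00:14:25:25
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:00:14:25:26
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:00:14:30:54
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:15:14:30:56
set interfaces ge-1/0/4 unit 0 accept-source-mac mac-address 00:00:15:14:30:57
set interfaces ge-1/0/4 unit 0 family ethernet-switching vlan members MGMT
set switch-options interface ge-1/0/4.0 interface-mac-limit 2
set switch-options interface ge-1/0/4.0 interface-mac-limit packet-action drop
set vlans MGMT switch-options interface ge-1/0/4.0 interface-mac-limit 3
set vlans MGMT switch-options interface ge-1/0/4.0 interface-mac-limit packet-action drop-and-log
"""

ALLOW_RE = re.compile(r"set interfaces (\S+) unit (\d+) accept-source-mac mac-address ([0-9a-fA-F:]{17})")
LIMIT_RE = re.compile(r"set (?:vlans (\S+) )?switch-options interface (\S+) interface-mac-limit "
                      r"(?:(\d+)|packet-action (\S+))")

def audit(config_text):
    """Map each logical interface to its allowed MACs, MAC limits and findings."""
    ports = defaultdict(lambda: {"allowed": set(), "limits": {}, "findings": []})
    for line in map(str.strip, config_text.splitlines()):
        if m := ALLOW_RE.fullmatch(line):
            ports[f"{m[1]}.{m[2]}"]["allowed"].add(m[3].lower())
        elif m := LIMIT_RE.fullmatch(line):
            # Hypothetical scope labels: global switch-options vs. per-VLAN.
            scope = f"vlan {m[1]}" if m[1] else "switch-options"
            entry = ports[m[2]]["limits"].setdefault(scope, {})
            if m[3]:
                entry["limit"] = int(m[3])
            else:
                entry["action"] = m[4]
    for port in ports.values():
        n_allowed = len(port["allowed"])
        for scope, lim in port["limits"].items():
            if n_allowed and lim.get("limit", n_allowed) < n_allowed:
                port["findings"].append(
                    f"{scope}: mac-limit {lim['limit']} is below the {n_allowed} allowed MACs")
            if lim.get("action") == "drop":
                port["findings"].append(
                    f"{scope}: packet-action drop does not log violations; drop-and-log does")
    return dict(ports)

if __name__ == "__main__":
    for name, port in audit(SAMPLE_CONFIG).items():
        print(name, *port["findings"], sep="\n  ")
```

On the quoted configuration this reports that both MAC limits (2 and 3) are lower than the five addresses in the allow list, and that the switch-options limit drops without logging.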


Re: EX 3400 V15.X ports security on access points

‎05-15-2019 06:58 AM

Not sure what "port security" you want or need for AP connections, but I know for Juniper MIST product, they recommend NOT using MAC Limit for AP connections.

 

FYI


Re: EX 3400 V15.X ports security on access points

‎06-06-2019 08:02 AM

Re: EX 3400 V15.X ports security on access points

‎06-07-2019 01:21 AM
Hi,

Assuming there is no DHCP in your case, allowed source MAC addresses and MAC limit are the only two options available to configure as Port Security for an access port irrespective of the other end being a single device or an access point.

https://www.juniper.net/documentation/en_US/junos9.3/topics/example/port-security-configuring.html

The above document might help with clear understanding of the Port Security with an example. The commands are based on nonELS though and hence might be different. Refer to https://www.juniper.net/documentation/en_US/junos/topics/example/overview-port-security.html#id-exam... for configuration on latest ELS Junos.

Thanks,
Pradeep.

Re: EX 3400 V15.X ports security on access points

‎06-07-2019 03:38 AM
Hi,

I believe you can use dot1x authentication for the ports. Its port-based network access control (PNAC) authentication on EX Series switches provides three types of authentication to meet the access needs of your enterprise LAN:

- Authenticate the first end device (supplicant) on an authenticator port, and allow all other end devices also connecting to have access to the LAN.
- Authenticate only one end device on an authenticator port at one time.
- Authenticate multiple end devices on an authenticator port. Multiple supplicant mode is used in VoIP configurations.

Please follow the KB below for the same.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24293&actp=METADATA&act=login