Junos

EX-Series with ELS - Port Security features

‎06-20-2019 03:00 AM

Hello Community,

I have some questions regarding Port Security features on EX-Series devices.

I want to bind one specific MAC address to one interface. Only the one device with the configured MAC address should be able to access the network.

I have tried the following configuration:

ge-0/0/2 {
    unit 0 {
        accept-source-mac {
            mac-address xx:xx:xx:xx:xx:xx;    /* xx:xx... is just a placeholder, I have configured the correct MAC */
        }
        family ethernet-switching {
            vlan {
                members client_23;
            }
            storm-control default;
        }
    }
}

This configuration works if I give the client a static IP. If I configure the client for DHCP it gets an APIPA address.

Do I have to configure more so that DHCP works too?

-----------------------------------------------------

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/understanding_and_using_persisten...

In addition to that I tried "Sticky MAC/Persistent MAC Learning". Here is the configuration I used:

ge-0/0/2 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members client_23;
            }
            storm-control default;
        }
    }
}

...

switch-options {
    interface ge-0/0/2.0 {
        interface-mac-limit {
            1;
            packet-action drop;
        }
        persistent-learning;
    }
}

After this configuration the switch stores only the one MAC from the connected device. But still, DHCP does not work and a static IP works.

Device information:

EX2300-24T

Junos version 15.1X53-D58

Best regards and thank you,

Julian

Re: EX-Series with ELS - Port Security features

‎06-20-2019 03:13 AM (Solution, accepted by topic author Julian_V on 06-20-2019 04:58 AM)
Hi Julian,

When using DHCP, configure the access ports to which the DHCP server and the client are connected as DHCP trusted so that the DHCP server packets are accepted. By default, all trunk ports are trusted and access ports are untrusted, blocking the DHCP server messages.

https://www.juniper.net/documentation/en_US/junos/topics/example/overview-port-security.html

Regards,
Pradeep Kumar
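An added example (not from any post in this thread) of the ELS syntax the reply refers to, written as `set` commands so it can be pasted into configuration mode. Everything beyond ge-0/0/2 and VLAN client_23 is assumed for illustration: ge-0/0/23 is taken to be the trunk uplink towards the DHCP server, and ge-0/0/3 an access port with a locally attached DHCP server. On ELS the way to mark an access port DHCP-trusted is a `dhcp-security` group with `overrides trusted`; a trunk port needs no entry because it is trusted already.

```junos
## Added example, not the thread's own configuration.
## Assumed: ge-0/0/23 = trunk uplink towards the DHCP server,
##          ge-0/0/3  = access port with a local DHCP server.

## Client port: exactly one source MAC admitted, DHCP client behind it.
set interfaces ge-0/0/2 unit 0 accept-source-mac mac-address aa:bb:cc:dd:ee:ff
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members client_23

## Uplink: trunk ports are DHCP-trusted by default, no dhcp-security entry needed.
set interfaces ge-0/0/23 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members client_23

## Access port with a local DHCP server: access ports are untrusted by default,
## so DHCP OFFER/ACK arriving on this port would be dropped once snooping is active.
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members client_23

set vlans client_23 vlan-id 23
## Trust only the server-facing access port, not the client port.
set vlans client_23 forwarding-options dhcp-security group trust_dhcp interface ge-0/0/3.0
set vlans client_23 forwarding-options dhcp-security group trust_dhcp overrides trusted

## After the client renews its lease, check from operational mode:
##   show dhcp-security binding        (client MAC/IP binding on ge-0/0/2.0)
##   show ethernet-switching table     (one MAC learned on ge-0/0/2.0)
```

The port that should be trusted is the one the DHCP server's replies enter on. Trusting a client access port also lets DHCP through (the working configuration later in this thread trusts ge-0/0/2.0 itself), but it means a rogue DHCP server plugged into that port would no longer be filtered, which is the protection DHCP snooping exists to provide.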




Re: EX-Series with ELS - Port Security features

‎06-20-2019 04:13 AM

Hey Pradeep Kumar,

I can't find the correct configuration to enable the specific port to accept packets from our DHCP server - can you provide an example for a device with ELS?

The thing is - we never configured any access port to accept packets from our DHCP server - it just works without the additional configuration you mentioned.

Do I need the additional configuration only if I use additional security measures, such as sticky MAC or port security?

Thank you and best regards,

Julian

EDIT:

Okay, so I tested some of the information you provided me and it seemed to work - thank you very much!

This is the current configuration in order to allow only one specific MAC to communicate over an interface (and DHCP works like a charm):

ge-0/0/2 {
    unit 0 {
        accept-source-mac {
            mac-address aa:bb:cc:dd:ee:ff;
        }
        family ethernet-switching {
            vlan {
                members client_23;
            }
            storm-control default;
        }
    }
}

...

vlans {
    client_23 {
        vlan-id 23;
        forwarding-options {
            dhcp-security {
                group trust_dhcp {
                    interface ge-0/0/2.0;
                }
            }
        }
    }
}

Thank you and best regards,

Julian