Troubleshooting Port Security
Troubleshooting issues for port security on EX Series switches:
MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the Ethernet Switching Table
Description: Log messages report that the MAC limit or MAC move limit has been exceeded, but the offending MAC addresses are not listed in the Ethernet switching table.
Solution:
- Set the MAC limit or MAC move limit action to log:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface ge-0/0/2 mac-limit 5 action log
- Allow some MAC address requests to come in.
- View the entries in the Ethernet switching table:
    user@switch> show ethernet-switching table
Multiple DHCP Server Packets Have Been Received on Untrusted Interfaces
Description: You see log messages reporting that DHCP server packets were received on an untrusted interface, for example:
5 untrusted DHCPOFFER received, interface ge-0/0/0.0, vlan v1 server ip/mac 192.0.2.1/00:00:00:00:01:12 offer ip/client mac 192.0.2.2/00:AA:BB:CC:DD:01
These messages can signal the presence of a malicious DHCP server on the network.
Solution: Configure a firewall filter to block the IP address or MAC address of the malicious DHCP server. See Configuring Firewall Filters (CLI Procedure).
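To decide which server address and which port the filter should target, the log messages can be grouped by server MAC. The following is an added example, not Juniper code: the pattern is derived from the sample message above, and the syslog prefix, the extra log lines, and the reading of the leading number as a packet count are assumptions.

```python
import re
from collections import defaultdict

# Pattern follows the sample message on this page. Assumptions: the leading
# number is a packet count, and other DHCP<TYPE> names use the same layout.
LINE_RE = re.compile(
    r"(?P<count>\d+) untrusted (?P<msg>DHCP[A-Z]+) received, "
    r"interface (?P<ifname>\S+), vlan (?P<vlan>\S+) "
    r"server ip/mac (?P<sip>[\d.]+)/(?P<smac>[0-9A-Fa-f:]{17}) "
    r"offer ip/client mac (?P<oip>[\d.]+)/(?P<cmac>[0-9A-Fa-f:]{17})"
)

# First line is the page's sample; the rest are constructed for this example.
SAMPLE_LOG = [
    "5 untrusted DHCPOFFER received, interface ge-0/0/0.0, vlan v1 server ip/mac 192.0.2.1/00:00:00:00:01:12 offer ip/client mac 192.0.2.2/00:AA:BB:CC:DD:01",
    "Jan  1 00:00:09 sw1 2 untrusted DHCPOFFER received, interface ge-0/0/0.0, vlan v1 server ip/mac 192.0.2.1/00:00:00:00:01:12 offer ip/client mac 192.0.2.3/00:AA:BB:CC:DD:02",
    "Jan  1 00:00:12 sw1 1 untrusted DHCPOFFER received, interface ge-0/0/7.0, vlan v2 server ip/mac 192.0.2.9/00:00:00:00:02:34 offer ip/client mac 192.0.2.10/00:AA:BB:CC:DD:03",
    "Jan  1 00:00:15 sw1 interface ge-0/0/3.0 link up",
]

def parse_line(line):
    """Return the fields of one untrusted-DHCP message, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["smac"], rec["cmac"] = rec["smac"].lower(), rec["cmac"].lower()
    return rec

def summarize(lines):
    """Group messages by server MAC: the value a blocking filter would match."""
    servers = defaultdict(lambda: {"packets": 0, "server_ips": set(),
                                   "interfaces": set(), "vlans": set(), "clients": set()})
    for rec in filter(None, map(parse_line, lines)):
        entry = servers[rec["smac"]]
        entry["packets"] += rec["count"]
        entry["server_ips"].add(rec["sip"])
        entry["interfaces"].add(rec["ifname"])
        entry["vlans"].add(rec["vlan"])
        entry["clients"].add(rec["cmac"])
    return dict(servers)

if __name__ == "__main__":
    for mac, e in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{mac} ip={sorted(e['server_ips'])} ports={sorted(e['interfaces'])} "
              f"vlans={sorted(e['vlans'])} packets={e['packets']} clients={len(e['clients'])}")
```

The interface in each summary row is the untrusted port where the server's packets arrived, which is where to start tracing the device before or after applying the filter.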