Related Documentation
- EX Series
- Security Features for EX Series Switches Overview
- Understanding DHCP Snooping for Port Security
- Understanding DAI for Port Security
- Understanding IP Source Guard for Port Security on EX Series Switches
- Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches
- Understanding DHCP Option 82 for Port Security on EX Series Switches
- Understanding Persistent MAC Learning (Sticky MAC)
- Understanding How to Protect Access Ports on EX Series Switches from Common Attacks
- Example: Configuring Basic Port Security Features
- QFX Series
- Understanding DHCP Snooping for Port Security
- Understanding DAI for Port Security
- Example: Configuring Basic Port Security Features
Port Security Overview
Ethernet LANs are vulnerable to attacks such as address spoofing (forging) and Layer 2 denial of service (DoS) on network devices. Port security features help protect the access ports on your switch against the loss of information and productivity that can result from such attacks.
Juniper Networks Junos operating system (Junos OS) provides features to help secure ports on the switch. Ports can be categorized as either trusted or untrusted. You apply policies appropriate to each category to protect ports against various types of attacks.
Basic port security features are enabled in the switch's default configuration. You can configure additional features with minimal configuration steps.
Depending on the particular feature, you can configure the feature either on:
- VLANs—A specific VLAN or all VLANs
- Interfaces—A specific interface or all interfaces
Note: If you configure one of the port security features on all VLANs or all interfaces, those port security features are thereby enabled on all VLANs or all interfaces that are not explicitly configured with other port security features. However, if you explicitly configure one of the port security features on a specific VLAN or on a specific interface, you must explicitly configure any additional port security features that you want to apply to that VLAN or interface. Otherwise, the switch software automatically applies the default values for the other port security features. For example, if you enable DHCP snooping on all VLANs and enable IP source guard (not supported on the QFX Series switch) only on a specific VLAN, you must also explicitly enable DHCP snooping on that specific VLAN. If you do not explicitly enable DHCP snooping on that VLAN, the default value of no DHCP snooping applies to it.
Port security features on switches are:
- DHCP option 82—Also known as the DHCP relay agent information option. This feature helps protect the switch against attacks such as IP address and media access control (MAC) address spoofing and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to assign IP addresses or other parameters to the client.
- DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP address/MAC address binding database (called the DHCP snooping database). You enable this feature on VLANs.
- Dynamic ARP inspection (DAI)—Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. You enable this feature on VLANs.
- IP source guard—Mitigates the effects of IP address spoofing attacks on the Ethernet LAN. With IP source guard enabled, the source IP address in the packet sent from an untrusted access interface is validated against the source MAC address in the DHCP snooping database. The packet is forwarded if the source IP address to source MAC address binding is valid; if the binding is not valid, the packet is discarded. You enable this feature on VLANs.

Note: IP source guard is not supported on the QFX Series.
- MAC limiting—Protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You can enable this feature on:
  - Access interfaces (ports)
  - An access interface based on its membership within a specific VLAN

Note: You can configure a MAC limit on a VLAN in the [edit vlans] hierarchy. However, configuring the MAC limit on a VLAN does not provide protection against flooding of the Ethernet switching table. When incoming packets exceed the MAC limit on a VLAN, the event is logged, but the packets are not dropped. No other action can be configured. Therefore, setting the MAC limit on a VLAN is not considered a port security feature.
- MAC move limiting—Tracks MAC movement and detects MAC spoofing on access ports. You enable this feature on VLANs.
- Persistent MAC learning—Also known as sticky MAC. Persistent MAC learning allows dynamically learned MAC addresses to persist through switch reboots. You enable this feature on interfaces.
- Trusted DHCP server—Configuring the DHCP server on a trusted port protects against rogue DHCP servers sending leases. You enable this feature on interfaces (ports). By default, access ports are untrusted, and trunk ports are trusted. (Access ports are the switch ports that connect to Ethernet endpoints such as user PCs and laptops, servers, and printers. Trunk ports are the switch ports that connect to other Ethernet switches or to routers.)
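To make the relationships between these features concrete, here is an added Python model (not Junos OS code and not from the Juniper documentation) of the pipeline described above: DHCP server messages are dropped on untrusted ports, accepted ACKs populate the DHCP snooping binding database, DAI and IP source guard validate ARP and IP traffic against that database, and MAC limiting with action drop caps the addresses learned per port. The class and method names, port names, MAC addresses and IP addresses are constructed for the example.

```python
# Constructed model of the port security pipeline this page describes: DHCP
# snooping, DAI, IP source guard and MAC limiting. Not Junos OS code; names assumed.
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    vlan: str
    trusted: bool = False          # access ports are untrusted by default
    mac_limit: int = 0             # MAC limiting with action drop; 0 = not configured
    learned: set = field(default_factory=set)

@dataclass
class Switch:
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> ip, from DHCP ACKs
    log: list = field(default_factory=list)       # what an operator would see logged

    def learn(self, port, mac):
        """MAC limiting: a new source MAC beyond the configured limit is dropped."""
        if mac not in port.learned and port.mac_limit \
                and len(port.learned) >= port.mac_limit:
            self.log.append(f"{port.name}: MAC limit exceeded, dropped {mac}")
            return False
        port.learned.add(mac)
        return True

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: server messages are accepted only on trusted ports;
        an accepted ACK records the client's IP/MAC binding for that VLAN."""
        if msg in ("OFFER", "ACK") and not port.trusted:
            self.log.append(f"{port.name}: dropped DHCP {msg} on untrusted port")
            return False
        if msg == "ACK":
            self.bindings[(port.vlan, client_mac)] = ip
        return True

    def check_binding(self, port, mac, ip, feature):
        """DAI and IP source guard share this: trusted ports bypass, untrusted must match."""
        if not self.learn(port, mac):
            return False
        if port.trusted or self.bindings.get((port.vlan, mac)) == ip:
            return True
        self.log.append(f"{port.name}: {feature} dropped {ip} from {mac}")
        return False

    def arp(self, port, sender_mac, sender_ip):
        return self.check_binding(port, sender_mac, sender_ip, "DAI")

    def ip_packet(self, port, src_mac, src_ip):
        return self.check_binding(port, src_mac, src_ip, "IP source guard")
```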