Configuring Layer 2 Port Security Features on Ethernet-Connected End Systems
This section shows how to configure the following Layer 2 port security features: storm control, MAC filtering, and analyzer-based port mirroring. For overview information about these features, see Layer 2 Port Security Features on Ethernet-Connected End Systems in Data Center Fabric Blueprint Architecture Components.
Configuring Storm Control
In this sample configuration, storm control rate limits BUM traffic on server-facing aggregated Ethernet interfaces. If the amount of BUM traffic exceeds 6% of the available bandwidth on the interface, storm control drops it to prevent broadcast storms.
To enable storm control:
- Create a storm control profile and specify the percentage of bandwidth available to BUM traffic.
    set forwarding-options storm-control-profiles STORM-CONTROL all bandwidth-percentage 6
- Apply the storm control profile to an ingress Layer 2 interface. After you apply the profile to an interface, the interface resides in the default switch instance.
    set interfaces ae11 unit 0 family ethernet-switching storm-control STORM-CONTROL
Verifying Storm Control
To verify storm control activity, filter system log messages related to storm control:
    user@leaf10> show log messages | match storm
    Sep 27 11:35:34 leaf1-qfx5100 l2ald[1923]: L2ALD_ST_CTL_IN_EFFECT: ae11.0: storm control in effect on the port
Configuring Port Security Using MAC Filtering
To configure MAC filtering, you create firewall filters in which you specify one or more of the supported match conditions. See https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-vxlan-security-monitor.html for a list of match conditions supported on QFX5110 switches and QFX10000 switches. You then apply the firewall filter to a Layer 2 interface.
To configure MAC filtering:
- Create a firewall filter for an ingress interface.
    set firewall family ethernet-switching filter L2-INGRESS term ARP-REQ from source-mac-address be:ef:a2:01:00:0a/48
    set firewall family ethernet-switching filter L2-INGRESS term ARP-REQ from destination-mac-address ff:ff:ff:ff:ff:ff/48
    set firewall family ethernet-switching filter L2-INGRESS term ARP-REQ from ether-type arp
    set firewall family ethernet-switching filter L2-INGRESS term ARP-REQ from user-vlan-id 10
    set firewall family ethernet-switching filter L2-INGRESS term ARP-REQ then accept
    set firewall family ethernet-switching filter L2-INGRESS term ARP-REQ then count ARP-REQ-CNT
    set firewall family ethernet-switching filter L2-INGRESS term V4-BROADCAST from source-mac-address be:ef:a2:01:00:0a/48
    set firewall family ethernet-switching filter L2-INGRESS term V4-BROADCAST from destination-mac-address ff:ff:ff:ff:ff:ff/48
    set firewall family ethernet-switching filter L2-INGRESS term V4-BROADCAST from ether-type ipv4
    set firewall family ethernet-switching filter L2-INGRESS term V4-BROADCAST from user-vlan-id 10
    set firewall family ethernet-switching filter L2-INGRESS term V4-BROADCAST then accept
    set firewall family ethernet-switching filter L2-INGRESS term V4-BROADCAST then count V4-BROADCAST-CNT-IN
    set firewall family ethernet-switching filter L2-INGRESS term V6-BROADCAST from source-mac-address be:ef:a2:01:00:0a/48
    set firewall family ethernet-switching filter L2-INGRESS term V6-BROADCAST from destination-mac-address ff:ff:ff:ff:ff:ff/48
    set firewall family ethernet-switching filter L2-INGRESS term V6-BROADCAST from ether-type ipv6
    set firewall family ethernet-switching filter L2-INGRESS term V6-BROADCAST from user-vlan-id 10
    set firewall family ethernet-switching filter L2-INGRESS term V6-BROADCAST then accept
    set firewall family ethernet-switching filter L2-INGRESS term V6-BROADCAST then count V6-BROADCAST-CNT-IN
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from source-mac-address be:ef:a2:01:00:0a/48
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from destination-mac-address 00:00:5e:00:00:04/48
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from source-port 1020
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from destination-port 1024
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from ip-source-address 10.0.10.201/32
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from ip-destination-address 10.0.12.201/32
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from ip-protocol tcp
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 from user-vlan-id 10
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 then accept
    set firewall family ethernet-switching filter L2-INGRESS term PKT_IN_V4 then count V4-PKT-CNT-IN-TCP-FLAG-0x90
    set firewall family ethernet-switching filter L2-INGRESS term DEF then accept
    set firewall family ethernet-switching filter L2-INGRESS term DEF then count DEF_CNT_IN
- Apply the firewall filter to the ingress of an access interface / Layer 2 interface.
    set interfaces ae11 unit 0 family ethernet-switching filter input L2-INGRESS
- Create a firewall filter for an egress interface.
    set firewall family ethernet-switching filter L2-EGRESS term ARP-REP from source-mac-address 00:00:5e:00:00:04/48
    set firewall family ethernet-switching filter L2-EGRESS term ARP-REP from destination-mac-address be:ef:a2:01:00:0a/48
    set firewall family ethernet-switching filter L2-EGRESS term ARP-REP from ether-type arp
    set firewall family ethernet-switching filter L2-EGRESS term ARP-REP from user-vlan-id 10
    set firewall family ethernet-switching filter L2-EGRESS term ARP-REP then accept
    set firewall family ethernet-switching filter L2-EGRESS term ARP-REP then count ARP-REP-CNT
    set firewall family ethernet-switching filter L2-EGRESS term V4-BROADCAST from source-mac-address be:ef:a4:03:00:0c/48
    set firewall family ethernet-switching filter L2-EGRESS term V4-BROADCAST from destination-mac-address ff:ff:ff:ff:ff:ff/48
    set firewall family ethernet-switching filter L2-EGRESS term V4-BROADCAST from ether-type ipv4
    set firewall family ethernet-switching filter L2-EGRESS term V4-BROADCAST from user-vlan-id 12
    set firewall family ethernet-switching filter L2-EGRESS term V4-BROADCAST then accept
    set firewall family ethernet-switching filter L2-EGRESS term V4-BROADCAST then count V4-BROADCAST-CNT-OUT
    set firewall family ethernet-switching filter L2-EGRESS term V6-BROADCAST from source-mac-address be:ef:a4:03:00:0c/48
    set firewall family ethernet-switching filter L2-EGRESS term V6-BROADCAST from destination-mac-address ff:ff:ff:ff:ff:ff/48
    set firewall family ethernet-switching filter L2-EGRESS term V6-BROADCAST from ether-type ipv6
    set firewall family ethernet-switching filter L2-EGRESS term V6-BROADCAST from user-vlan-id 12
    set firewall family ethernet-switching filter L2-EGRESS term V6-BROADCAST then accept
    set firewall family ethernet-switching filter L2-EGRESS term V6-BROADCAST then count V6-BROADCAST-CNT-OUT
    set firewall family ethernet-switching filter L2-EGRESS term DEF then accept
    set firewall family ethernet-switching filter L2-EGRESS term DEF then count DEF_CNT_OUT
- Apply the firewall filter to the egress interface.
    set interfaces ae11 unit 0 family ethernet-switching filter output L2-EGRESS
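A Junos firewall filter evaluates its terms in order and the first match decides the action, so the final term determines what happens to frames no earlier term describes. The following added example (not Juniper's code and not part of the original page) models that evaluation with the ARP-REQ, V4-BROADCAST and DEF terms of L2-INGRESS, and shows why `term DEF then accept` makes the filter above count-only: an ARP request from a source MAC other than be:ef:a2:01:00:0a still passes and is only tallied in DEF_CNT_IN. The frames and the second MAC address are constructed for illustration.

```python
# Added example (not from the Juniper page): a model of how a Junos ethernet-switching
# filter evaluates terms, using the L2-INGRESS match values above. Frames are constructed.
from typing import Dict, List, Optional, Tuple

class Term:
    def __init__(self, name: str, action: str, counter: Optional[str] = None,
                 match: Optional[Dict[str, object]] = None) -> None:
        self.name, self.action, self.counter = name, action, counter
        self.match = match or {}  # an empty match dict matches every frame

SERVER_MAC = "be:ef:a2:01:00:0a"  # source MAC the page permits on ae11.0
BCAST = "ff:ff:ff:ff:ff:ff"

def l2_ingress(default_action: str) -> List[Term]:
    """ARP-REQ, V4-BROADCAST and DEF terms; default_action is what DEF does."""
    return [
        Term("ARP-REQ", "accept", "ARP-REQ-CNT",
             {"source-mac-address": SERVER_MAC, "destination-mac-address": BCAST,
              "ether-type": "arp", "user-vlan-id": 10}),
        Term("V4-BROADCAST", "accept", "V4-BROADCAST-CNT-IN",
             {"source-mac-address": SERVER_MAC, "destination-mac-address": BCAST,
              "ether-type": "ipv4", "user-vlan-id": 10}),
        Term("DEF", default_action, "DEF_CNT_IN"),
    ]

def evaluate(terms: List[Term], frame: Dict[str, object],
             counters: Dict[str, int]) -> Tuple[Optional[str], str]:
    """First matching term wins: bump its counter, return (term, action); no match = implicit discard."""
    for term in terms:
        if all(frame.get(k) == v for k, v in term.match.items()):
            if term.counter:
                counters[term.counter] = counters.get(term.counter, 0) + 1
            return term.name, term.action
    return None, "discard"

# Constructed frames: an ARP request from the server, and one from another MAC.
ARP_FROM_SERVER = {"source-mac-address": SERVER_MAC, "destination-mac-address": BCAST,
                   "ether-type": "arp", "user-vlan-id": 10}
ARP_FROM_OTHER = {**ARP_FROM_SERVER, "source-mac-address": "02:00:00:00:00:99"}

def demo() -> Dict[str, Tuple[Optional[str], str]]:
    counters: Dict[str, int] = {}
    as_configured = l2_ingress("accept")  # the page's filter: DEF accepts, so it only counts
    restrictive = l2_ingress("discard")   # variant: unmatched frames are dropped
    return {
        "server-arp": evaluate(as_configured, ARP_FROM_SERVER, counters),
        "other-arp-as-configured": evaluate(as_configured, ARP_FROM_OTHER, counters),
        "other-arp-restrictive": evaluate(restrictive, ARP_FROM_OTHER, counters),
    }
```

Watching DEF_CNT_IN grow in `show firewall filter L2-INGRESS` is therefore the signal that traffic outside the explicitly described terms is reaching the port.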
Verifying MAC Filtering
- Verify MAC filtering on the ingress interface.
    user@leaf10> show firewall filter L2-INGRESS
    Filter: L2-INGRESS
    Counters:
    Name                       Bytes      Packets
    ARP-REQ-CNT                  640           10
    DEF_CNT_IN              44038137        79032
    V4-BROADCAST-CNT-IN            0            0
    V4-PKT-CNT-IN-TCP        7418880        57960
    V6-BROADCAST-CNT-IN      5370880        41960
- Verify MAC filtering on the egress interface.
    user@leaf10> show firewall filter L2-EGRESS
    Filter: L2-EGRESS
    Counters:
    Name                       Bytes      Packets
    ARP-REP-CNT                   68            1
    DEF_CNT_OUT             17365964       146535
    V4-BROADCAST-CNT-OUT     4171264        32588
    V6-BROADCAST-CNT-OUT     3147264        24588
Configuring Analyzer-Based Port Mirroring
This section shows how to mirror ingress traffic on an underlay interface to another physical port.
The source and destination ports for mirrored traffic are on the same leaf or same spine.
- Configure an analyzer to mirror ingress traffic on interface ae1.0.
    set forwarding-options analyzer A1 input ingress interface ae1.0
- Configure the destination interface for the mirrored packets.
    set forwarding-options analyzer A1 output interface et-0/0/71.0
- Configure the interface that connects to another switch (the uplink interface) to trunk mode and associate it with the appropriate VLAN.
    set interfaces et-0/0/71 unit 0 family ethernet-switching interface-mode trunk
    set interfaces et-0/0/71 unit 0 family ethernet-switching vlan members all
Verifying Port Mirroring
To verify port mirroring:
    host> show forwarding-options analyzer
    Analyzer name                    : A1
    Mirror rate                      : 1
    Maximum packet length            : 0
    State                            : up
    ingress monitored interfaces     : ae1.0
    Output interface                 : et-0/0/71.0
Layer 2 Port Security Features — Release History
Table 1 provides a history of all of the features in this section and their support within this reference design.
Table 1: Layer 2 Port Security Release History
Release | Description
---|---
19.1R2 | 
18.4R2 | QFX5120-48Y switches running Junos OS Release 18.4R2 and later releases in the same release train support all features documented in this section.
18.1R3-S3 | All devices in the reference design that support Junos OS Release 18.1R3-S3 and later releases in the same release train also support all features documented in this section.