Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

ON THIS PAGE

Configuring Layer 2 Port Security Features on Ethernet-Connected End Systems

 

This section shows how to configure the following Layer 2 port security features. For overview information about these features, see Layer 2 Port Security Features on Ethernet-Connected End Systems in Data Center Fabric Blueprint Architecture Components

Configuring Storm Control

In this sample configuration, storm control rate limits BUM traffic on server-facing aggregated Ethernet interfaces. If the amount of BUM traffic exceeds 6% of the available bandwidth on the interface, storm control drops it to prevent broadcast storms.

To enable storm control:

  1. Create a storm control profile and specify the percentage of bandwidth available to BUM traffic.
  2. Apply the storm control profile to an ingress Layer 2 interface. After you apply the profile to an interface, the interface resides in the default switch interface.

Verifying Storm Control

To verify storm control activity, filter system log messages related to storm control:

user@leaf10> show log messages | match storm

Configuring Port Security Using MAC Filtering

To configure MAC filtering, you create firewall filters in which you specify one or more of the supported match conditions. See https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-vxlan-security-monitor.html for a list of match conditions supported on QFX5110 switches and QFX10000 switches. You then apply the firewall filter to a Layer 2 interface.

To configure MAC filtering:

  1. Create a firewall filter for an ingress interface.
  2. Apply the firewall filter to the ingress of an access interface / Layer 2 interface.
  3. Create a firewall filter for an egress interface.
  4. Apply the firewall filter to the egress interface.

Verifying MAC Filtering

  1. Verify MAC filtering on the ingress interface.
    user@leaf10> show firewall filter L2-INGRESS
  2. Verify MAC filtering on the egress interface.
    user@leaf10> show firewall filter L2-EGRESS

Configuring Analyzer-Based Port Mirroring

This section shows how to mirror ingress traffic on an underlay interface to another physical port.

The source and destination ports for mirrored traffic are on the same leaf or same spine.

  1. Configure an analyzer to mirror ingress traffic on interface ae1.0.
  2. Configure the destination interface for the mirrored packets.
  3. Configure the interface that connects to another switch (the uplink interface) to trunk mode and associate it with the appropriate VLAN.

Verifying Port Mirroring

  • To verify port mirroring:

    host> show forwarding-options analyze

Layer 2 Port Security Features — Release History

Table 1 provides a history of all of the features in this section and their support within this reference design.

Table 1: Layer 2 Port Security Release History

Release

Description

19.1R2

  • QFX5120-32C switches running Junos OS Release 19.1R2 and later releases in the same release train support MAC filtering, storm control, and port mirroring and analyzing.

  • QFX10002-60C switches running Junos OS Release 19.1R2 and later releases in the same release train support MAC filtering. These switches do not support storm control, and port mirroring and analyzing.

18.4R2

QFX5120-48Y switches running Junos OS Release 18.4R2 and later releases in the same release train support all features documented in this section.

18.1R3-S3

All devices in the reference design that support Junos OS Release 18.1R3-S3 and later releases in the same release train also support all features documented in this section.

Related Documentation