Understanding Port Security Features on a Junos Fusion Enterprise
Port security features help protect the access ports on your device against attacks such as address spoofing (forging) and Layer 2 denial of service. The switching device monitors DHCP messages sent from untrusted hosts and extracts their IP addresses and lease information. This information is used to build and maintain the DHCP snooping database. Only hosts that can be verified using this database are allowed access to the network.
The following port security features are supported in a Junos Fusion Enterprise:
DHCP snooping
DHCPv6 snooping
Dynamic ARP inspection (DAI)
IP source guard
IPv6 source guard
IPv6 neighbor discovery (ND) inspection
IPv6 router advertisement (RA) guard
Configuration for DHCP snooping and other port security features in a Junos Fusion Enterprise is identical to the configuration for a standalone EX9200 switch. The full range of port security configuration options is beyond the scope of this document. For additional information, see Configuring Port Security Features and the Port Security User Guide for EX9200 Switches.
In a Junos Fusion Enterprise with dual aggregation devices, there are special considerations that impact the DHCP snooping database. The following requirements should be understood when configuring DHCP port security features for a Junos Fusion Enterprise:
The DHCP snooping database is synchronized across aggregation devices. Synchronization is automatic for all dual-homed clients; there is no manual configuration required to sync the DHCP snooping database.
Note: DHCP relay and DHCP server bindings are not synchronized.
DAI and ND inspection statistics are synchronized on both aggregation devices.
DHCP port security configuration must match on both aggregation devices, so DHCP port security features should be configured using configuration groups that are applied to both aggregation devices using commit synchronization. See Understanding Configuration Synchronization in a Junos Fusion and Enabling Configuration Synchronization Between Aggregation Devices in a Junos Fusion.
Executing the clear dhcp-security binding command on one aggregation device also clears the bindings on the other aggregation device.
DHCP port security features are not supported for single-homed clients in a dual-aggregation device topology, since the DHCP snooping database is synchronized only for dual-homed clients.
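As an added illustration of the configuration group approach described above (this is not a configuration from the Juniper documentation), the following places the port security stanza for one VLAN in a configuration group that is applied identically on both aggregation devices; the group name, VLAN name, VLAN ID and interface names are assumed values, and commit synchronization between the aggregation devices is configured separately as described in the linked topics.

```junos
# Added example: the port security stanza lives in a configuration group so that
# both aggregation devices carry exactly the same DHCP security configuration.
# Group name, VLAN name "users", VLAN ID 100 and interface names are assumed.
groups {
    fusion-port-security {
        vlans {
            users {
                vlan-id 100;
                forwarding-options {
                    dhcp-security {
                        # Dynamic ARP inspection and IP source guard on this VLAN;
                        # configuring dhcp-security statements turns on DHCP
                        # snooping for the VLAN, which builds the binding database.
                        arp-inspection;
                        ip-source-guard;
                        # The uplink toward the DHCP server is trusted; every other
                        # port in the VLAN stays untrusted, so its DHCP traffic is
                        # snooped and its ARP/IP traffic checked against bindings.
                        group trusted-uplinks {
                            overrides {
                                trusted;
                            }
                            interface ae0.0;
                        }
                    }
                }
            }
        }
    }
}
# Apply the group on both aggregation devices; the resulting configuration must
# match on both, which is why the stanza is kept in the group rather than
# entered directly on each device.
apply-groups fusion-port-security;
```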