Configuring Port Security (J-Web Procedure)

Note:

This topic applies only to the J-Web Application package.

To configure port security on an EX Series switch using the J-Web interface:

  1. Select Configure > Security > Port Security.

    The VLAN List table lists all the VLAN names, VLAN identifiers, port members, and port security VLAN features.

    The Interface List table lists all the ports and indicates whether security features have been enabled on the ports.

    Note:

    After you make changes to the configuration on this page, you must commit the changes for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes for details about all commit options.

  2. Click one of the following options:
    • Edit—Click this option to modify the security features for the selected port or VLAN.

      Enter information as specified in Table 1 to modify port security settings on VLANs.

      Enter information as specified in Table 2 to modify port security settings on interfaces.

    • Activate/Deactivate—Click this option to enable or disable security on the switch.

      Note:

      This option is not supported on EX4300 switches.

    • Delete—Click this option to delete the security features of the selected port or VLAN.

      Note:

      This option is supported only on EX4300 switches.

Table 1: Port Security Settings on VLANs

Field

Function

Your Action

General tab

Enable DHCP Snooping on VLAN

Note:

On EX4300 switches, DHCP snooping is enabled implicitly for all VLANs if you configure dhcp-security on one or more VLANs.

Allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. Builds and maintains a database of valid IP addresses/MAC address bindings. (By default, access ports are untrusted and trunk ports are trusted.)

Select to enable DHCP snooping on a specified VLAN or all VLANs.

Tip:

For private VLANs (P-VLANs), enable DHCP snooping on the primary VLAN. If you enable DHCP snooping only on a community VLAN, DHCP messages coming from P-VLAN trunk ports are not snooped.

Enable ARP Inspection on VLAN

Uses information in the DHCP snooping database to validate ARP packets on the LAN and protect against ARP cache poisoning.

Select to enable ARP inspection on a specified VLAN or all VLANs. (Configure any port on which you do not want ARP inspection to occur as a trusted DHCP server port.)

MAC movement

Number of MAC movements allowed on the given VLAN.

Enter a number. The default is unlimited.

MAC movement action

Specifies the action to be taken if the MAC movement limit is exceeded.

Select one of the following options:

  • log—Generate a system log entry, an SNMP trap, or an alarm.

  • drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm (default).

  • shutdown—Shut down the VLAN and generate an alarm. You can mitigate the effect of this option by configuring autorecovery from the disabled state and specifying a disable timeout value. See Configuring Autorecovery for Port Security Events.

  • none—Take no action.

EX4300 switches have an additional option:

  • drop-and-log—Drop the packet and generate an alarm, an SNMP trap, or a system log entry.

DHCP Groups

Group Name

Note:

This option is supported only on EX4300 switches.

Specifies the DHCP name of the group.

Enter a name.

Trusted

Note:

This option is supported only on EX4300 switches.

Specifies trusting DHCP packets on the selected interface. By default, trunk ports are dhcp-trusted.

To enable this option, select the check box.

No Option-82

Note:

This option is supported only on EX4300 switches.

Enable or disable the DHCP relay agent information option (option 82) in DHCP packets destined for a DHCP server.

To enable this option, select the check box.

Interfaces

Note:

This option is supported only on EX4300 switches.

Specifies the DHCP interface.

Select the required interface.

Ports

Interface

Note:

This option is supported only on EX4300 switches.

Name of the interface.

Click the Edit button of the selected interface to configure the MAC limit and the MAC limit action.

MAC Limit

Note:

This option is supported only on EX4300 switches.

Maximum number of MAC addresses learned on the interface.

Enter a number. The default is unlimited.

MAC Limit Action

Note:

This option is supported only on EX4300 switches.

Specifies the action to be taken if the MAC limit is exceeded.

Action to be taken when MAC limit is reached. The options are:

  • drop—Drop the packet and do not learn. Default is forward.

  • drop-and-log—Drop the packet and generate an alarm, an SNMP trap, or a system log entry.

  • log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

  • none—Forward the packet.

  • shutdown—Disable the interface and generate an alarm, an SNMP trap, or a system log entry.
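The DHCP snooping and ARP inspection behaviour described in Table 1, as an added illustrative model (not Juniper code or the switch's own implementation): DHCP server replies are accepted only from trusted ports and populate the binding database, and ARP packets from untrusted ports are forwarded only when their sender MAC/IP pair matches a binding. Port names, MAC and IP addresses are constructed.

```python
"""Simplified model of DHCP snooping plus dynamic ARP inspection on one VLAN.

Constructed example: it mirrors the semantics described in the J-Web table,
not the actual Junos implementation.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurityVlan:
    vlan: str
    arp_inspection: bool = True
    # DHCP-trusted ports (trunk ports are trusted by default on the switch;
    # here the caller lists them explicitly). Trusted ports are exempt from
    # ARP inspection, which is how the page says to exclude a port.
    trusted_ports: set = field(default_factory=set)
    # Snooping database: client MAC -> IP address assigned by DHCP.
    bindings: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def dhcp_server_reply(self, port: str, client_mac: str, assigned_ip: str) -> str:
        """DHCP snooping: a server reply (e.g. ACK) is only believed from a trusted port."""
        if port not in self.trusted_ports:
            self.events.append(f"vlan {self.vlan}: DHCP server reply on untrusted port {port} dropped")
            return "drop"
        self.bindings[client_mac] = assigned_ip
        return "learned"

    def inspect_arp(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """ARP inspection: validate the sender pair of an ARP packet against the database."""
        if not self.arp_inspection or port in self.trusted_ports:
            return "forward"          # not inspected
        if self.bindings.get(sender_mac) == sender_ip:
            return "forward"          # matches a snooped binding
        self.events.append(
            f"vlan {self.vlan}: ARP from {sender_mac}/{sender_ip} on {port} "
            f"does not match snooping database, dropped")
        return "drop"


def demo() -> PortSecurityVlan:
    """Constructed scenario: one trusted server port, one legitimate client, one spoofer."""
    v = PortSecurityVlan(vlan="v100", trusted_ports={"ge-0/0/47"})
    v.dhcp_server_reply("ge-0/0/47", "00:11:22:33:44:55", "10.0.0.10")   # learned
    v.dhcp_server_reply("ge-0/0/2", "00:aa:bb:cc:dd:ee", "10.0.0.1")     # rogue, dropped
    v.inspect_arp("ge-0/0/1", "00:11:22:33:44:55", "10.0.0.10")          # forward
    v.inspect_arp("ge-0/0/2", "00:aa:bb:cc:dd:ee", "10.0.0.1")           # drop
    return v
```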

Table 2: Port Security on Interfaces

Field

Function

Your Action

Trust DHCP

Note:

This option is not supported on EX4300 switches.

Specifies trusting DHCP packets on the selected interface. By default, trunk ports are dhcp-trusted.

Select to enable DHCP trust.

MAC Limit

Specifies the number of MAC addresses that can be learned on a single Layer 2 access port. This option is not valid for trunk ports.

Note:

Trunk ports are supported only on EX4300 switches.

Enter a number.

MAC Limit Action

Specifies the action to be taken if the MAC limit is exceeded. This option is not valid for trunk ports.

Select one of the following:

  • log—Generate a system log entry, an SNMP trap, or an alarm.

  • drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm. (Default)

  • shutdown—Shut down the interface and generate an alarm. You can mitigate the effect of this option by configuring autorecovery from the disabled state and specifying a disable timeout value. See Configuring Autorecovery for Port Security Events.

  • none—Take no action.

EX4300 switches have an additional option:

  • drop-and-log—Drop the packet and generate an alarm, an SNMP trap, or a system log entry.

Allowed MAC List

Specifies the MAC addresses that are allowed for the interface.

To add a MAC address:

  1. Click Add.

  2. Enter the MAC address.

  3. Click OK.
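The MAC limit, MAC limit action and allowed MAC list of Table 2 (and the matching EX4300 interface options of Table 1), as an added illustrative model (not Juniper code or the switch's own implementation): each option is applied to frames arriving on one access port once the learned-address count reaches the limit, and shutdown stays in effect until an autorecovery call. It assumes that allowed MAC entries count toward the limit; interface names and MAC addresses are constructed.

```python
"""Simplified model of per-interface MAC limiting on an access port.

Constructed example following the option descriptions in the J-Web tables;
it is not the Junos implementation.
"""
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = {"log", "drop", "shutdown", "none", "drop-and-log"}


@dataclass
class AccessPort:
    name: str
    mac_limit: Optional[int] = None            # None = unlimited (the page's default)
    action: str = "drop"                       # the page's default action
    allowed_macs: set = field(default_factory=set)   # static "Allowed MAC List"
    learned: set = field(default_factory=set)
    disabled: bool = False
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown MAC limit action {self.action!r}")
        # Assumption of this model: allowed entries are pre-installed and count toward the limit.
        self.learned |= self.allowed_macs

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame from src_mac on this port."""
        if self.disabled:
            return "drop (interface disabled)"
        if src_mac in self.learned:
            return "forward"
        if self.mac_limit is None or len(self.learned) < self.mac_limit:
            self.learned.add(src_mac)
            return "forward (learned)"
        # Limit reached: apply the configured action without learning the address.
        if self.action == "none":
            return "forward"
        self.events.append(f"{self.name}: MAC limit {self.mac_limit} exceeded by {src_mac}")
        if self.action == "log":
            return "forward"                   # logged but not dropped
        if self.action == "shutdown":
            self.disabled = True               # stays down until autorecovery
            return "drop (interface shut down)"
        return "drop"                          # drop and drop-and-log

    def autorecover(self) -> None:
        """Models the disable-timeout recovery mentioned for the shutdown action."""
        self.disabled = False
```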