Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. To protect the devices from such attacks, you can configure:

- DHCP snooping to validate DHCP server messages
- MAC limiting to constrain the number of MAC addresses the switch adds to its MAC

This example shows how to configure these port security features on Switch 1. Switch 1 is connected to another switch (Switch 2), which is not configured with port security features. Switch 2 is connected to a DHCP server (see Figure 1). Network devices (hosts) that are connected to Switch 1 send requests for IP addresses (these network devices are DHCP clients). Those requests are transmitted from Switch 1 to Switch 2 and then to the DHCP server connected to Switch 2. Responses to the requests are transmitted along the reverse path of the one followed by the requests.

The setup for this example includes the VLAN employee-vlan on both switches.

Table 1: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2
Properties

Switch 1 is initially configured with the default port security setup.

- Secure port access is activated on the switch.
- The switch does not drop any packets, which is the default setting.
- DHCP snooping and DAI are disabled on all VLANs.
- All access interfaces are untrusted and trunk interfaces are trusted; these are

In the configuration tasks for this example, you configure a VLAN on both switches. In addition to configuring the VLAN, you enable DHCP snooping on Switch 1. You also enable DAI and a MAC limit of 5 on Switch 1.

Because the interface that connects Switch 2 to Switch 1 is a trunk interface, you do not need to configure this interface to be trusted. As noted above, trunk interfaces are automatically trusted, so DHCP messages coming from the DHCP server to Switch 2 and then on to Switch 1

To configure MAC limiting, a VLAN, and interfaces on Switch 1 and enable DAI:

Configure the VLAN employee-vlan with VLAN ID 20:

    [edit vlans]
    set employee-vlan vlan-id 20

Configure an interface on Switch 1 as a trunk interface:

    [edit interfaces]
    set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

Associate the VLAN with interfaces ge-0/0/1, ge-0/0/2, ge-0/0/3, and ge-0/0/11:

    [edit interfaces]
    set ge-0/0/1 unit 0 family ethernet-switching vlan members 20
    set ge-0/0/2 unit 0 family ethernet-switching vlan members 20
    set ge-0/0/3 unit 0 family ethernet-switching vlan members 20
    set ge-0/0/11 unit 0 family ethernet-switching vlan members 20

Enable DHCP snooping on the VLAN:

    [edit ethernet-switching-options secure-access-port]
    set vlan employee-vlan examine-dhcp

Enable DAI on the VLAN:

    [edit ethernet-switching-options secure-access-port]
    set vlan employee-vlan arp-inspection

Configure a MAC limit of 5 on ge-0/0/1 and use the default action, drop (packets with new addresses are dropped if the limit is exceeded):

    [edit ethernet-switching-options secure-access-port]
    set interface ge-0/0/1 mac-limit 5 action drop

Clear the existing MAC address table entries from interface ge-0/0/1 (operational mode):

    clear ethernet-switching table interface ge-0/0/1
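To check that a switch ends up in the state this example describes, the following added script (not part of the original page or of Juniper's documentation) audits a configuration in `display set` form for DHCP snooping, DAI, and MAC limits on access ports. The `audit` function, the `SAMPLE` text, and the assumption that the configuration is exported with `show configuration | display set` are illustrative choices made here.

```python
import re

# Constructed sample: the example's Switch 1 configuration in display-set form.
SAMPLE = """\
set vlans employee-vlan vlan-id 20
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20
set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 5 action drop
"""

SAP = "^set ethernet-switching-options secure-access-port "
ESW = r"^set interfaces (\S+) unit 0 family ethernet-switching "


def audit(config):
    """Return a sorted list of port-security findings for a display-set config."""
    vlans = dict(re.findall(r"^set vlans (\S+) vlan-id (\d+)$", config, re.M))
    trunks = set(re.findall(ESW + r"port-mode trunk$", config, re.M))
    members = re.findall(ESW + r"vlan members (\S+)$", config, re.M)
    snoop = set(re.findall(SAP + r"vlan (\S+) examine-dhcp$", config, re.M))
    dai = set(re.findall(SAP + r"vlan (\S+) arp-inspection$", config, re.M))
    limited = set(re.findall(SAP + r"interface (\S+) mac-limit \d+", config, re.M))
    findings = []
    for name, vid in vlans.items():
        if name not in snoop:
            findings.append(f"{name}: DHCP snooping (examine-dhcp) not enabled")
        if name not in dai:
            findings.append(f"{name}: DAI (arp-inspection) not enabled")
        for ifname, member in members:
            # Membership may reference the VLAN by name or by ID; trunks are
            # skipped, and "interface all" counts as covering every port.
            is_access = member in (name, vid) and ifname not in trunks
            if is_access and not ({ifname, "all"} & limited):
                findings.append(f"{ifname}: access port in {name} has no mac-limit")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the configuration from this example, it reports ge-0/0/2 and ge-0/0/3, since the steps set a MAC limit only on ge-0/0/1.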