[Doc] Juniper EX switch port security: limit one MAC learned per port and shutdown action
This is tested on an EX2200-C running Junos 11.4R5.
'mac-limit' lets an administrator cap the number of MAC addresses dynamically learned on a physical interface and choose the action taken when the cap is reached: drop, log, shutdown, or none (ignore).
Quote from Juniper documentation:
http://www.juniper.net/techpubs/en_US/j ... urity.html
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Specify the number of MAC addresses to dynamically add to the MAC address cache for this access interface (port) and the action to be taken by the switch if the MAC address learning limit is exceeded on the interface (port).
When you reset the number of MAC addresses, the MAC address table is not automatically cleared. Therefore, if you reduce the number of addresses from the default (unlimited) or a previously set limit, you could already have more entries in the table than the new limit allows. Previous entries remain in the table after you reduce the number of addresses, so you should clear the forwarding table for the specified interface or MAC address. Use the command clear ethernet-switching table to clear the existing MAC addresses from the table.
Default
The default action is drop.
Options
action action—(Optional) Action to take when the MAC address limit is exceeded:
drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry. This is the default.
log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.
none—No action.
shutdown—Disable the interface and generate an alarm. If you have configured the switch with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.
limit—Maximum number of MAC addresses.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
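The procedure the quoted documentation describes, written out as an added example (not from the original post or from Juniper's documentation): set the limit on the access port, enable automatic recovery, flush the entries the quote warns will otherwise survive a lowered limit, and confirm. Interface and timeout values reuse the page's; the prompt is generic; lines starting with ## are annotations, not commands; the per-interface argument to clear ethernet-switching port-error is an assumption, the page only shows the global form.

```junos
## Configuration mode: one MAC per port, shut the port on violation,
## and let port-error-disable bring it back after an hour.
[edit]
user@switch# set ethernet-switching-options secure-access-port interface ge-0/0/11.0 mac-limit 1 action shutdown
user@switch# set ethernet-switching-options port-error-disable disable-timeout 3600
user@switch# commit and-quit

## Operational mode: a lowered limit does not evict already-learned entries,
## so clear the table for that interface and verify it is empty before trusting the limit.
user@switch> clear ethernet-switching table interface ge-0/0/11.0
user@switch> show ethernet-switching table interface ge-0/0/11.0

## After a violation: re-enable the port before the 3600 s timeout expires
## (per-interface form assumed; the global form on the page clears every errored port).
user@switch> clear ethernet-switching port-error interface ge-0/0/11.0
user@switch> show ethernet-switching interfaces
```

Clearing only the one interface, rather than the whole table, avoids a brief relearning storm on every other port of the switch.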
Scenario: Switch port ge-0/0/11 is connected to the FreeBSD xl0 interface. From the FreeBSD shell I'm going to use the nemesis tool to inject ARP frames with different source MAC addresses.
Juniper EX configuration and status:
Code:
prometheus# run show ethernet-switching interfaces
Interface    State  VLAN members  Tag   Tagging   Blocking
ae0.0        up     vl-10-dmz     10    tagged    unblocked
                    vl-4094       4094  tagged    unblocked
ae1.0        down   vl-10-dmz     10    tagged    unblocked
                    vl-4094       4094  tagged    unblocked
ge-0/0/2.0   up     vl-10-dmz     10    tagged    unblocked
ge-0/0/10.0  up     vl-4094       4094  untagged  unblocked
ge-0/0/11.0  up     vl-4094       4094  untagged  unblocked
Code:
prometheus# top show ethernet-switching-options
secure-access-port {
    interface ge-0/0/11.0 {
        mac-limit 1 action shutdown;
    }
}
mac-notification {
    notification-interval 5;
}
port-error-disable {
    disable-timeout 3600;
}
storm-control {
    interface all;
}
Now, injecting a continuous stream of ARP frames alternating between two different source MACs (two addresses on a port limited to one is enough to trip the limit):
Code:
# while : ; do
    nemesis arp -H 00:04:75:4c:44:e0 -M ff:ff:ff:ff:ff:ff -S 10.10.10.2 -D 10.10.10.5 -d xl0
    nemesis arp -H 00:04:75:4c:44:e9 -M ff:ff:ff:ff:ff:ff -S 10.10.10.2 -D 10.10.10.5 -d xl0
done
Now we check the EX switch again:
Code:
prometheus# run show ethernet-switching interfaces
Interface    State  VLAN members  Tag   Tagging   Blocking
ae0.0        up     vl-10-dmz     10    tagged    unblocked
                    vl-4094       4094  tagged    unblocked
ae1.0        down   vl-10-dmz     10    tagged    unblocked
                    vl-4094       4094  tagged    unblocked
ge-0/0/2.0   up     vl-10-dmz     10    tagged    unblocked
ge-0/0/10.0  up     vl-4094       4094  untagged  unblocked
ge-0/0/11.0  down   vl-4094       4094  untagged  MAC limit exceeded (00:59:54) remaining
Verifying MAC limit alerts in the logs:
Code:
# run show log messages | match limit
Aug 25 15:38:10 prometheus eswd[973]: ESWD_MAC_LIMIT_BLOCK: MAC limit (1) exceeded at ge-0/0/11.0: shutting down the interface
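Since the switch reports the violation as a syslog message, it is worth collecting and alerting on it centrally rather than only noticing a port going down. The following is an added example, not code from the original post: a small parser for the ESWD_MAC_LIMIT_BLOCK message in the exact layout shown above, which counts trips per interface and flags ports that keep tripping after automatic recovery (a sign the offending host is still attached). The sample log lines are constructed; only the first is copied from the page. The per-interface argument to clear ethernet-switching port-error is an assumption.

```python
"""Parse Junos eswd MAC-limit syslog events and flag repeat offenders.

Added example; not from the original post. Only the ESWD_MAC_LIMIT_BLOCK
message format shown on the page is parsed. The sample log lines below are
constructed, not captured from a real switch.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: line 1 is copied from the page, the rest are made up to
# exercise a second interface, an unrelated message, and a repeat trip.
SAMPLE_LOG = """\
Aug 25 15:38:10 prometheus eswd[973]: ESWD_MAC_LIMIT_BLOCK: MAC limit (1) exceeded at ge-0/0/11.0: shutting down the interface
Aug 25 15:38:12 prometheus eswd[973]: ESWD_MAC_LIMIT_BLOCK: MAC limit (2) exceeded at ge-0/0/10.0: shutting down the interface
Aug 25 15:38:15 prometheus mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation
Aug 25 16:39:40 prometheus eswd[973]: ESWD_MAC_LIMIT_BLOCK: MAC limit (1) exceeded at ge-0/0/11.0: shutting down the interface
"""

# Matches the message layout seen on the page; any other eswd tag is ignored.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) eswd\[\d+\]: "
    r"ESWD_MAC_LIMIT_BLOCK: MAC limit \((?P<limit>\d+)\) exceeded at (?P<ifname>\S+?): "
    r"(?P<detail>.+)$"
)


@dataclass(frozen=True)
class MacLimitEvent:
    timestamp: str
    host: str
    ifname: str
    limit: int
    detail: str


def parse_mac_limit_events(log_text):
    """Return one MacLimitEvent per ESWD_MAC_LIMIT_BLOCK line; skip everything else."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(MacLimitEvent(m["ts"], m["host"], m["ifname"], int(m["limit"]), m["detail"]))
    return events


def trips_per_interface(events):
    """Count how many times each interface hit its limit."""
    return dict(Counter(e.ifname for e in events))


def repeat_offenders(events, threshold=2):
    """Interfaces that tripped at least `threshold` times. With port-error-disable
    auto-recovery (3600 s on the page), a port that shuts down again after coming
    back means the offending host is still there: investigate before re-enabling."""
    return sorted(i for i, n in trips_per_interface(events).items() if n >= threshold)


def recovery_commands(events):
    """Operational-mode command to re-enable each affected port. The global
    'clear ethernet-switching port-error' is on the page; the per-interface
    'interface <name>' argument is assumed."""
    return [f"clear ethernet-switching port-error interface {i}"
            for i in sorted({e.ifname for e in events})]


if __name__ == "__main__":
    evs = parse_mac_limit_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e.timestamp} {e.ifname}: limit {e.limit} exceeded ({e.detail})")
    print("repeat offenders:", repeat_offenders(evs))
    for cmd in recovery_commands(evs):
        print(cmd)
```

Feed it the output of `show log messages | match ESWD_MAC_LIMIT` (or the same lines from a syslog collector); the regex is anchored to the full message so a change in Junos wording shows up as zero events rather than as wrong fields.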
To clear the port-error state before the disable-timeout expires (re-enabling the port immediately; without port-error-disable configured the port stays down until this is run), use the clear command:
Code:
prometheus# run clear ethernet-switching port-error
[edit ethernet-switching-options secure-access-port]
prometheus# run show ethernet-switching interfaces
Interface    State  VLAN members  Tag   Tagging   Blocking
ae0.0        up     vl-10-dmz     10    tagged    unblocked
                    vl-4094       4094  tagged    unblocked
ae1.0        down   vl-10-dmz     10    tagged    unblocked
                    vl-4094       4094  tagged    unblocked
ge-0/0/2.0   up     vl-10-dmz     10    tagged    unblocked
ge-0/0/10.0  up     vl-4094       4094  untagged  unblocked
ge-0/0/11.0  up     vl-4094       4094  untagged  unblocked