Action
Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch1> show arp inspection statistics
ARP inspection statistics:
Interface    Packets received   ARP inspection pass   ARP inspection failed
----------   ----------------   -------------------   ---------------------
ge-0/0/1.0   7                  5                     2
ge-0/0/2.0   10                 10                    0
ge-0/0/3.0   18                 15                    3
Meaning
The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the inspection
on each interface. The switch compares the ARP requests and replies against the entries
in the DHCP snooping database. If a MAC address or IP address in the ARP packet does
not match a valid entry in the database, the packet is dropped.
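The check described above can be modeled in a few lines. This is an added example, not Juniper code or part of the original guide: it is a simplified model that assumes a binding is matched on sender MAC, sender IP, VLAN, and interface, and every address and packet in it is constructed for illustration.

```python
# Added illustration: simplified model of the DAI check, not Junos code.
from collections import defaultdict
from typing import NamedTuple

class Binding(NamedTuple):      # one DHCP snooping database entry
    mac: str
    ip: str
    vlan: str
    interface: str

class Arp(NamedTuple):          # fields of an ARP packet seen on an untrusted port
    interface: str
    vlan: str
    sender_mac: str
    sender_ip: str

# Constructed sample data (addresses are made up for this example).
SNOOPING_DB = [
    Binding("00:05:85:3a:82:77", "192.0.2.17", "employee-vlan", "ge-0/0/1.0"),
    Binding("00:05:85:3a:82:79", "192.0.2.18", "employee-vlan", "ge-0/0/2.0"),
]
ARP_PACKETS = [
    Arp("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:77", "192.0.2.17"),  # valid
    Arp("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:77", "192.0.2.1"),   # IP mismatch
    Arp("ge-0/0/2.0", "employee-vlan", "00:05:85:3A:82:79", "192.0.2.18"),  # valid
    Arp("ge-0/0/2.0", "employee-vlan", "00:05:85:3A:82:99", "192.0.2.18"),  # MAC mismatch
    Arp("ge-0/0/2.0", "employee-vlan", "00:05:85:3A:82:77", "192.0.2.17"),  # wrong port
]

def inspect(pkt, db):
    """Return True (forward) only if sender MAC and IP match one binding."""
    return any(b.mac == pkt.sender_mac.lower() and b.ip == pkt.sender_ip
               and b.vlan == pkt.vlan and b.interface == pkt.interface
               for b in db)

def statistics(packets, db):
    """Per-interface [received, passed, failed], like the CLI table."""
    stats = defaultdict(lambda: [0, 0, 0])
    for pkt in packets:
        row = stats[pkt.interface]
        row[0] += 1
        row[1 if inspect(pkt, db) else 2] += 1
    return dict(stats)

if __name__ == "__main__":
    for ifname, (rx, ok, bad) in sorted(statistics(ARP_PACKETS, SNOOPING_DB).items()):
        print(f"{ifname:<12}{rx:>6}{ok:>6}{bad:>6}")
```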
Verifying That MAC Limiting Is Working Correctly on Switch 1
Purpose
Verify that MAC limiting is working on Switch 1.
Action
Display the MAC addresses that are learned when DHCP requests are sent from hosts
on ge-0/0/1:
user@switch1> show ethernet-switching table
Ethernet-switching table: 6 entries, 5 learned
VLAN            MAC address         Type    Age   Interfaces
employee-vlan   00:05:85:3A:82:77   Learn   0     ge-0/0/1.0
employee-vlan   00:05:85:3A:82:79   Learn   0     ge-0/0/1.0
employee-vlan   00:05:85:3A:82:80   Learn   0     ge-0/0/1.0
employee-vlan   00:05:85:3A:82:81   Learn   0     ge-0/0/1.0
employee-vlan   00:05:85:3A:82:83   Learn   0     ge-0/0/1.0
employee-vlan   *                   Flood   -     ge-0/0/1.0
Meaning
The sample output shows that five MAC addresses have been learned for interface
ge-0/0/1, which corresponds to the MAC limit of 5 set in the configuration. The last line
of the output shows that a sixth MAC address request was dropped, as indicated by the
asterisk (*) in the MAC address column.
Related Documentation
• Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC
  Move Limiting, on an EX Series Switch on page 2849
• Configuring Port Security (CLI Procedure) on page 2906
• Configuring Port Security (J-Web Procedure) on page 2907
Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate
Address-Spoofing Attacks on Untrusted Access Interfaces
Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source
IP addresses or source MAC addresses. These spoofed packets are sent from hosts
Copyright © 2010, Juniper Networks, Inc.
Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3