Table 45: Port Security Settings on VLANs (continued)

Field: Enable DHCP Snooping on VLAN
NOTE: On EX4300 switches, DHCP snooping is enabled implicitly for all VLANs if you configure dhcp-security on one or more VLANs.
Function: Allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. Builds and maintains a database of valid IP address/MAC address bindings. (By default, access ports are untrusted and trunk ports are trusted.)
Your Action: Select to enable DHCP snooping on a specified VLAN or all VLANs.
TIP: For private VLANs (P-VLANs), enable DHCP snooping on the primary VLAN. If you enable DHCP snooping only on a community VLAN, DHCP messages coming from P-VLAN trunk ports are not snooped.

Field: Enable ARP Inspection on VLAN
Function: Uses information in the DHCP snooping database to validate ARP packets on the LAN and protect against ARP cache poisoning.
Your Action: Select to enable ARP inspection on a specified VLAN or all VLANs. (Configure any port on which you do not want ARP inspection to occur as a trusted DHCP server port.)

Field: MAC movement
Function: Number of MAC movements allowed on the given VLAN.
Your Action: Enter a number. The default is unlimited.

Field: MAC movement action
Function: Specifies the action to be taken if the MAC movement limit is exceeded.
Your Action: Select one of the following options:
• log—Generate a system log entry, an SNMP trap, or an alarm.
• drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm (default).
• shutdown—Shut down the VLAN and generate an alarm. You can mitigate the effect of this option by configuring autorecovery from the disabled state and specifying a disable-timeout value. See Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure).
• none—Take no action.
EX4300 switches have an additional option:
• drop-and-log—Drop the packet and generate an alarm, an SNMP trap, or a system log entry.

DHCP Groups

Field: Group Name
NOTE: This option is supported only on EX4300 switches.
Function: Specifies the name of the DHCP group.
Your Action: Enter a name.

Field: Trusted
NOTE: This option is supported only on EX4300 switches.
Function: Specifies that DHCP packets are trusted on the selected interface. By default, trunk ports are dhcp-trusted.
Your Action: To enable this option, select the check box.

Field: No Option-82
NOTE: This option is supported only on EX4300 switches.
Function: Enables or disables the DHCP relay agent information option (option 82) in DHCP packets destined for a DHCP server.
Your Action: To enable this option, select the check box.
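The mechanism behind the DHCP snooping, ARP inspection and MAC movement rows above, modelled as an added Python example (not code from the Juniper documentation or from Junos itself); the single-VLAN scope, the per-VLAN movement count with no time window, and all port names and addresses are constructed assumptions:

```python
class VlanPortSecurity:
    """Constructed model of one VLAN: DHCP snooping database, DAI and MAC-move limit."""

    def __init__(self, trusted_ports, mac_move_limit=None, mac_move_action="drop"):
        self.trusted = set(trusted_ports)   # DHCP-trusted ports (by default the trunk ports)
        self.pending = {}                   # client MAC -> untrusted port its REQUEST came in on
        self.bindings = {}                  # snooping database: IP -> (MAC, client port)
        self.last_port = {}                 # last port each MAC was seen on
        self.moves = 0                      # MAC movements counted on this VLAN
        self.limit = mac_move_limit         # None means unlimited (the default)
        self.action = mac_move_action       # log | drop | shutdown | none | drop-and-log
        self.vlan_down = False

    def dhcp(self, kind, client_mac, port, ip=None):
        """Snoop DHCP: remember client requests, learn bindings only from trusted-port replies."""
        if kind == "REQUEST":
            self.pending[client_mac] = port
            return "forwarded"
        if port not in self.trusted:        # server reply arriving on an untrusted port
            return "dropped"
        client_port = self.pending.get(client_mac)
        if kind == "ACK" and client_port is not None:
            self.bindings[ip] = (client_mac, client_port)
            return "learned"
        return "forwarded"

    def arp(self, sender_mac, sender_ip, port):
        """DAI: ARP from untrusted ports must match a snooping binding; trusted ports bypass."""
        if port in self.trusted:
            return "forwarded"
        ok = self.bindings.get(sender_ip) == (sender_mac, port)
        return "forwarded" if ok else "dropped"

    def frame(self, src_mac, port):
        """Count MAC movements between ports and apply the configured action past the limit."""
        if self.vlan_down:
            return "dropped"
        prev = self.last_port.get(src_mac)
        self.last_port[src_mac] = port
        if prev is None or prev == port:
            return "forwarded"
        self.moves += 1
        if self.limit is None or self.moves <= self.limit:
            return "forwarded"
        if self.action == "shutdown":
            self.vlan_down = True               # whole VLAN stays down until recovered
            return "dropped"
        return "forwarded" if self.action in ("log", "none") else "dropped"
```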
81 Copyright © 2017, Juniper Networks, Inc.
Chapter 6: Security and Management Configuration