How do I enable port security in Juniper Switches?
Ethernet LANs need to be protected because they are susceptible to address spoofing and Layer 2 DoS attacks. Fortunately, the port security feature allows you to protect the access ports on your device against such attacks.
Junos OS is robust because the control, forwarding, and services planes are separated and each function runs in protected memory. In addition, the control-plane CPU is safeguarded by rate limiting, routing policy, and firewall filters. This helps ensure server uptime even when there is a severe attack.
Is It Easy to Add Port Security Features in Juniper Devices?
Yes. Junos OS, the specialized Juniper operating system, comes with several port security features for your device. You can categorize your ports as trusted or untrusted and then apply appropriate policies to each category to protect the ports against various attacks.
All the basic port security features are enabled by default in the device’s configuration. You can use a single Junos OS CLI command to control access port security features such as Dynamic ARP (Address Resolution Protocol) Inspection, DHCP snooping, and MAC limiting. In short, you can configure additional port security features with minimal configuration steps.
Based on the feature you want to enable, you can configure it either on VLANs or bridge domain interfaces.
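As an added example (not from the original page or from Juniper's documentation), this is roughly what such a minimal access-port configuration looks like on an EX switch, assuming the Enhanced Layer 2 Software (ELS) configuration style. The VLAN name `employees`, the group name `dhcp-server`, the interface names, and the MAC limit of 4 are assumptions chosen for illustration.

```junos
# Assumed for illustration: VLAN "employees", end-user access port ge-0/0/1,
# and a legitimate DHCP server attached to access port ge-0/0/8.

# Access ports are untrusted for DHCP by default. Trust only the port that
# faces the legitimate DHCP server, so server replies from any other access
# port are dropped (rogue DHCP server protection).
set vlans employees forwarding-options dhcp-security group dhcp-server overrides trusted
set vlans employees forwarding-options dhcp-security group dhcp-server interface ge-0/0/8.0

# Dynamic ARP inspection on the VLAN. Configuring dhcp-security on a VLAN
# also enables DHCP snooping, which builds the binding table DAI checks against.
set vlans employees forwarding-options dhcp-security arp-inspection

# IP source guard: drop IP packets whose source address/MAC pair is not
# in the DHCP snooping binding table.
set vlans employees forwarding-options dhcp-security ip-source-guard

# MAC limiting: learn at most 4 MAC addresses on the access port and drop
# frames from any further addresses (switching-table overflow, DHCP starvation).
set switch-options interface ge-0/0/1.0 interface-mac-limit 4 packet-action drop

# Verification, run from operational mode after commit:
show dhcp-security binding
show dhcp-security arp inspection statistics
show ethernet-switching table interface ge-0/0/1.0
```

Hosts with static addresses have no snooping entry, so they need static bindings or an exemption before DAI and IP source guard are enabled on their VLAN.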
What hardware and software security features do Juniper Switches offer?
Some of the hardware and software security features that come with Juniper Networks EX Series Ethernet Switches are:
- Console port
- Out-of-band management
- Software images
- User authentication, authorization, and accounting
What port security features do Juniper Switches have?
Some of the port security features available with Juniper Networks EX Series Ethernet Switches are:
- DHCP Snooping
- Trusted DHCP Server
- DHCPv6 Snooping and other options
- Dynamic ARP Inspection (DAI)
- IPv6 Neighbor Discovery Inspection
- IP & IPv6 Source Guard
- MAC limiting & MAC move limiting
- Persistent MAC Learning
- Unrestricted & restricted proxy ARP
What kind of protection does Juniper switch port security provide?
Port security features can protect the Juniper Switches against the following attacks:
- Ethernet Switching Table Overflow Attacks – An attacker sends so many requests from new MAC addresses that the table can’t accommodate or learn all addresses.
- Rogue DHCP Server Attacks – An attacker sets up a rogue DHCP server to imitate a legitimate DHCP server on the LAN and issues leases to the network’s DHCP clients to disrupt network access, leading to DoS.
- ARP Spoofing Attacks – An attacker sends fake ARP messages on the network that associate its own MAC address with the IP address of a network device connected to the switch. Traffic intended for that IP address is then sent to the attacker.
- DHCP Snooping Database Alteration Attacks – An attacker introduces a DHCP client on one of the switch’s untrusted access interfaces with a MAC address similar to that of the client and acquires the DHCP lease, which ultimately results in changes to the entries in the DHCP snooping table.
- DHCP Starvation Attacks – An attacker floods the Ethernet LAN with DHCP requests from counterfeit MAC addresses so that the switch cannot keep up with requests from legitimate DHCP clients on the switch.
How do I enable port security in Juniper Switches?
Here is how to configure Layer 2 Port Security Features on Ethernet-Connected End Systems:
To Configure Storm Control
- Create a storm control profile and specify the percentage of the bandwidth available to BUM (broadcast, unknown unicast, and multicast) traffic.
- Apply the storm control profile to the ingress Layer 2 interface. When the profile is applied to the interface, the interface stays in the default switch interface.
- Verify storm control activity by filtering the system log messages related to storm control.
To Configure Port Security Using MAC Filtering
- Set up a firewall filter for the ingress interface.
- Apply this filter to the ingress of an access interface/Layer 2 surface.
- Set up a firewall filter for the egress interface and apply this filter to the egress interface.
- Verify MAC filtering on both ingress and egress interfaces.
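The two procedures above (storm control and MAC filtering), written out as an added example that is not part of the original page. It assumes ELS-style syntax on an EX switch; the profile and filter names, the 5 percent threshold, the interface ge-0/0/1, and the MAC address (taken from the RFC 7042 documentation range) are all illustrative assumptions, and egress filter match support varies by platform.

```junos
# --- Storm control ---
# 1. Profile: cap BUM traffic at 5 percent of the interface bandwidth.
set forwarding-options storm-control-profiles SC-ACCESS all bandwidth-percentage 5
# 2. Bind the profile to the ingress Layer 2 interface.
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control SC-ACCESS

# --- MAC filtering ---
# 1. Ingress filter: accept frames only from the known end-system MAC,
#    count and discard everything else.
set firewall family ethernet-switching filter MAC-IN term known from source-mac-address 00:00:5e:00:53:01/48
set firewall family ethernet-switching filter MAC-IN term known then accept
set firewall family ethernet-switching filter MAC-IN term other then count mac-in-drop
set firewall family ethernet-switching filter MAC-IN term other then discard
# 2. Apply it to the ingress of the access interface.
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input MAC-IN

# 3. Egress filter: deliver unicast frames addressed to the end system and
#    broadcast frames (needed for ARP); count and discard the rest.
#    Multicast is dropped by this filter; add a term for it if the host
#    relies on IPv6 neighbor discovery or other multicast protocols.
set firewall family ethernet-switching filter MAC-OUT term known from destination-mac-address 00:00:5e:00:53:01/48
set firewall family ethernet-switching filter MAC-OUT term known then accept
set firewall family ethernet-switching filter MAC-OUT term bcast from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family ethernet-switching filter MAC-OUT term bcast then accept
set firewall family ethernet-switching filter MAC-OUT term other then count mac-out-drop
set firewall family ethernet-switching filter MAC-OUT term other then discard
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter output MAC-OUT

# --- Verification, run from operational mode after commit ---
# Storm control events appear in the system log.
show log messages | match storm
# 4. Non-zero drop counters show the filters are matching traffic.
show firewall filter MAC-IN
show firewall filter MAC-OUT
```

Use `commit confirmed` when applying filters over an in-band management session so that a mistake in a term rolls back automatically.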
The above is a brief view of what needs to be done to enable port security. For detailed commands, you can check this link.
For any queries related to the purchase of Juniper switches and Juniper security modules and cards, please connect with us via WhatsApp at +971585811786.
Overview of Juniper Switches
Are you looking to improve user and application experiences while simultaneously enhancing networking economics? The latest Juniper switches provide cloud-grade, high-density Ethernet switching across the data center, campus, and branch.
You can streamline management and gain better insight into the functioning of linked devices by using Juniper switches. These switches can help you save money and decrease risk without sacrificing performance, quality, or innovation.
Services for switching
Competence in networks for simplicity of adoption and installation
Juniper provides an Enterprise Switching QuickStart program to assist clients in getting their solutions up and running. The onsite consultant develops the initial configuration and implementation of a switching environment.
A knowledge transfer session is accessible, which includes an overview of local implementation and setup options, but it is not designed to replace training.
Depth
Advisory, customized implementation, testing, onsite expert, virtual operational, maintenance, remote managed, training, and certification services are all available through Network Life-Cycle Services for switching support.
Security
A Security Intelligence Readiness Evaluation is one of the advisory security services that gives information to help combat cyber-attacks. It examines the site’s design and architecture for possible flaws and compiles a report with findings and suggestions.
With cloud-grade, high-density Ethernet switching throughout your data center, campus, and branch, Juniper switches optimize networking economics. The EX4300, EX2300, and EX4600 series are listed below.
- Juniper EX2300 Series Ethernet Switches, $495.00
Juniper EX2300 Ethernet switches are perfect in small network environments where power and space are limited. That’s because these switches offer a compact, high-density, and cost-effective solution.
With the EX2300-C Ethernet Switch, you get a compact power-efficient solution for low-density branch offices and enterprise workgroups.
- Juniper EX3400 Series Ethernet Switches, $1,050.00
For today’s most demanding convergent data, phone, and video enterprise access networks, EX3400 Ethernet Switches provide a cost-effective solution.
The Juniper EX3400 switches enable IEEE 802.3af Power over Ethernet (PoE) or 802.3at PoE+ for powering networked phones, video cameras, WLAN access points, and other IP devices, with variants offering either 24 or 48 10/100/1000BASE-T ports.
For connecting the switches to upstream devices, there are four front-panel dual-mode (GbE/10GbE) small form-factor pluggable transceiver (SFP/SFP+) uplink ports and two 40GbE quad SFP+ (QSFP+) ports.
- Juniper EX4300 Series Ethernet Switches, $1,600.00
Juniper Networks EX4300 Ethernet switches with Virtual Chassis technology integrate carrier-class dependability with the economies and versatility of stackable platforms to create a high-performance, scalable option for data centers, campuses, and branch offices.
- Juniper EX4600 Series Ethernet Switches, $4,900.00
The Juniper EX4600 is designed to help enterprises expand into higher-density campuses by providing deployment flexibility, high availability with unified in-service software upgrades (unified ISSU), and administrative simplicity through multi-chassis link aggregation capability (MC-LAG).
There are several good-quality and powerful switches out there. However, those switches don’t come cheap. So, if you are in the market for good-quality but low-cost switches, you should definitely consider Juniper switches. Contact us via WhatsApp at +971585811786.