Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
This example describes how to enable IPv6 source guard and neighbor discovery inspection on a specified VLAN to protect an EX Series switch against IPv6 address spoofing attacks. Support for IPv6 source guard and neighbor discovery inspection was introduced on EX2200 and EX3300 switches in Junos OS Release 14.1X53-D10.
Requirements
This example uses the following hardware and software components:
One EX2200 or EX3300 switch
Junos OS Release 14.1X53-D10 or later for EX Series switches
A DHCPv6 server to provide IPv6 addresses to network devices on the switch
Before you configure IPv6 source guard and neighbor discovery inspection to prevent IPv6 address spoofing attacks, be sure you have:
Connected the DHCPv6 server to the switch.
Configured the VLAN to which you are adding DHCPv6 security features. See Configuring VLANs for EX Series Switches.
Overview and Topology
Ethernet LAN switches are vulnerable to attacks on security that involve spoofing (forging) of source MAC addresses or source IPv6 addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. For more information on IPv6 address spoofing attacks, see IPv6 Neighbor Discovery Inspection.
IPv6 source guard and neighbor discovery inspection mitigate the risk of IPv6 spoofing attacks by using the DHCPv6 snooping table. Also known as the binding table, the DHCPv6 snooping table contains the valid bindings of IPv6 addresses to MAC addresses. When a packet is sent from a host attached to an untrusted access interface on the switch, IPv6 source guard verifies the source IPv6 address and MAC address of the packet against the DHCPv6 snooping table. If there is no match in the table, the switch does not forward the packet—that is, the packet is discarded. Neighbor discovery inspection verifies neighbor discovery messages sent between IPv6 nodes on the same network link against the DHCPv6 snooping table, and also discards the packet if no match is found.
This example shows how to configure these important port security features on a switch that is connected to a DHCPv6 server. The setup for this example includes the VLAN sales on the switch. Figure 1 illustrates the topology for this example.
The trunk interface connecting to the DHCPv6 server interface is a trusted port by default.
Topology

The components of the topology for this example are shown in Table 1.
Properties | Settings
---|---
Switch hardware | One EX2200 or EX3300 switch
VLAN name and ID | sales, tag
VLAN subnets | 192.0.2.16/28; 192.0.2.17 through 192.0.2.30; 192.0.2.31 is the subnet's broadcast address
Interfaces in the VLAN | ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface connecting to DHCPv6 server | ge-0/0/8
In this example, the switch has already been configured as follows:
All access ports are untrusted, which is the default setting.
The trunk port (ge-0/0/8) is trusted, which is the default setting.
The VLAN (sales) has been configured to include the specified interfaces.
Configuration
Procedure
CLI Quick Configuration
To quickly configure IPv6 source guard and neighbor discovery inspection, copy the following commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options secure-access-port vlan sales examine-dhcpv6
set ethernet-switching-options secure-access-port vlan sales ipv6-source-guard
set ethernet-switching-options secure-access-port vlan sales neighbor-discovery-inspection
Step-by-Step Procedure
Configure IPv6 source guard and neighbor discovery inspection (and thereby, also automatically configure DHCPv6 snooping) on the VLAN:
Enable DHCPv6 snooping on the VLAN:
[edit ethernet-switching-options secure-access-port vlan sales]
user@switch# set examine-dhcpv6
Configure IPv6 source guard on the VLAN:
[edit ethernet-switching-options secure-access-port vlan sales]
user@switch# set ipv6-source-guard
Configure neighbor discovery inspection on the VLAN:
[edit ethernet-switching-options secure-access-port vlan sales]
user@switch# set neighbor-discovery-inspection
Results
Check the results of the configuration:
user@switch> show ethernet-switching-options
secure-access-port {
    vlan sales {
        examine-dhcpv6;
        ipv6-source-guard;
        neighbor-discovery-inspection;
    }
}
Verification
Confirm that the configuration is working properly.
- Verifying That DHCPv6 Snooping Is Working Correctly on the Switch
- Verifying That Neighbor Discovery Inspection Is Working Correctly on the Switch
Verifying That DHCPv6 Snooping Is Working Correctly on the Switch
Purpose
Verify that DHCPv6 snooping is working on the switch.
Action
Send DHCPv6 requests from network devices (in this example, these are DHCPv6 clients) connected to the switch.
Display the DHCPv6 snooping information. (The port on which the DHCPv6 server connects to the switch is trusted.) The following output appears after the clients have sent requests from their MAC addresses and the server has provided the IPv6 addresses and leases:
user@switch> show dhcpv6 snooping binding
DHCP Snooping Information:
MAC address         IP address              Lease (seconds)  Type     VLAN   Interface
00:10:94:00:00:01   2001:db8::10:0:3        3599992          dynamic  sales  ge-0/0/1.0
00:10:94:00:00:01   fe80::210:94ff:fe00:1   3599992          dynamic  sales  ge-0/0/1.0
00:10:94:00:00:02   2001:db8::10:0:5        3599992          dynamic  sales  ge-0/0/2.0
00:10:94:00:00:02   fe80::210:94ff:fe00:2   3599992          dynamic  sales  ge-0/0/2.0
00:10:94:00:00:03   2001:db8::10:0:7        3599992          dynamic  sales  ge-0/0/3.0
00:10:94:00:00:03   fe80::210:94ff:fe00:3   3599992          dynamic  sales  ge-0/0/3.0
Meaning
The output shows the assigned IP address, the MAC address, the VLAN name, and the time, in seconds, leased to the IP address. Because IPv6 hosts usually have more than one IP address assigned to each of their IPv6-enabled network interfaces, there are two entries added for each client: one with the link-local IP address, which is used by the client for DHCP transactions, and another with the IP address assigned by the server. The link-local address always has the prefix fe80::/10.
Verifying That Neighbor Discovery Inspection Is Working Correctly on the Switch
Purpose
Verify that neighbor discovery inspection is working on the switch.
Action
Send neighbor discovery packets from network devices connected to the switch.
Display the neighbor discovery information:
user@switch> show neighbor-discovery-inspection statistics
ND inspection statistics:
Interface     Packets received  ND inspection pass  ND inspection failed
ge-0/0/1.0    7                 5                   2
ge-0/0/2.0    10                10                  0
ge-0/0/3.0    12                12                  0
Meaning
The sample output shows the number of neighbor discovery packets received and inspected per interface, and lists the number of packets passed and the number that failed the inspection on each interface. The switch compares the neighbor discovery requests and replies against the entries in the DHCPv6 snooping database. If a MAC address or IPv6 address in the neighbor discovery packet does not match a valid entry in the database, the packet is dropped.
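As an added example (not Juniper's code and not part of this page), the following Python models the binding-table check that both IPv6 source guard and neighbor discovery inspection perform as described in the Overview: it parses the "show dhcpv6 snooping binding" output above into a set of valid bindings, decides per packet whether the switch forwards or discards it, and produces per-interface counts in the shape of the "show neighbor-discovery-inspection statistics" output. The `Packet` view, the trusted-port set, the `inspect` and `statistics` functions and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple
# Binding table output copied from the "show dhcpv6 snooping binding" example above.
SNOOPING_OUTPUT = """\
MAC address        IP address              Lease (seconds)  Type     VLAN   Interface
00:10:94:00:00:01  2001:db8::10:0:3        3599992          dynamic  sales  ge-0/0/1.0
00:10:94:00:00:01  fe80::210:94ff:fe00:1   3599992          dynamic  sales  ge-0/0/1.0
00:10:94:00:00:02  2001:db8::10:0:5        3599992          dynamic  sales  ge-0/0/2.0
00:10:94:00:00:02  fe80::210:94ff:fe00:2   3599992          dynamic  sales  ge-0/0/2.0
00:10:94:00:00:03  2001:db8::10:0:7        3599992          dynamic  sales  ge-0/0/3.0
00:10:94:00:00:03  fe80::210:94ff:fe00:3   3599992          dynamic  sales  ge-0/0/3.0
"""
# Assumed minimal packet view: ingress interface, VLAN, and the MAC/IPv6 pair to check
# (source MAC/IPv6 of a data packet, or the pair carried in an NS/NA message).
Packet = namedtuple("Packet", "interface vlan mac ip")
TRUSTED = {"ge-0/0/8.0"}  # trunk toward the DHCPv6 server; trusted by default
def parse_bindings(text):
    """Return the set of valid (mac, ipv6, vlan, interface) bindings; header line skipped."""
    bindings = set()
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) == 6:  # data rows have exactly six columns, the header does not
            bindings.add((cols[0].lower(), ipaddress.IPv6Address(cols[1]), cols[4], cols[5]))
    return bindings
def inspect(bindings, pkt, trusted=TRUSTED):
    """True if the switch forwards the packet, False if it is discarded."""
    if pkt.interface in trusted:
        return True  # trusted ports are not checked against the binding table
    try:
        ip = ipaddress.IPv6Address(pkt.ip)  # normalizes case and zero compression
    except ValueError:
        return False  # a malformed address can never match a binding
    return (pkt.mac.lower(), ip, pkt.vlan, pkt.interface) in bindings
def statistics(bindings, packets):
    """Per-interface (received, passed, failed) counts, as the ND statistics command reports."""
    stats = {}
    for pkt in packets:
        received, passed, failed = stats.get(pkt.interface, (0, 0, 0))
        ok = inspect(bindings, pkt)
        stats[pkt.interface] = (received + 1, passed + int(ok), failed + int(not ok))
    return stats
# Constructed sample traffic (not from the page). Packet 2 pairs a MAC with an address
# not bound to it; packet 3 uses a pair that is valid only on ge-0/0/2.0. Both are dropped.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1.0", "sales", "00:10:94:00:00:01", "2001:DB8:0::10:0:3"),
    Packet("ge-0/0/1.0", "sales", "00:10:94:00:00:01", "2001:db8::10:0:5"),
    Packet("ge-0/0/1.0", "sales", "00:10:94:00:00:02", "2001:db8::10:0:5"),
    Packet("ge-0/0/2.0", "sales", "00:10:94:00:00:02", "fe80::210:94ff:fe00:2"),
    Packet("ge-0/0/8.0", "sales", "00:10:94:00:00:ff", "2001:db8::1"),
]
```

Running `statistics(parse_bindings(SNOOPING_OUTPUT), SAMPLE_PACKETS)` yields (3, 1, 2) for ge-0/0/1.0, the same pass/fail split the sample statistics output shows for that interface.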
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.