- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow IPSec
- play_arrow Understanding IPsec and Security Associations
- play_arrow IPsec Configurations and Examples
- play_arrow Configuring IPsec Security Associations
- play_arrow Using Digital Certificates for IPsec
- play_arrow Additional IPsec Options
- play_arrow Configuring IPsec Dynamic Endpoints
- play_arrow Additional ES and AS PIC Configuration Examples
- Example: ES PIC Manual SA Configuration
- Example: AS PIC Manual SA Configuration
- Example: ES PIC IKE Dynamic SA Configuration
- Example: AS PIC IKE Dynamic SA Configuration
- Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration
- Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration
- Example: Dynamic Endpoint Tunneling Configuration
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection
- play_arrow Control Plane DDoS Protection
- play_arrow Flow Detection and Culprit Flows
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
Understanding and Using Trusted DHCP Servers
Understanding Trusted and Untrusted Ports and DHCP Servers
DHCP servers provide IP addresses and other configuration information to the network’s DHCP clients. Using trusted ports for the DHCP server protects against rogue DHCP servers sending leases.
Untrusted ports drop traffic from DHCP servers to prevent unauthorized servers from providing any configuration information to clients.
By default, all trunk ports are trusted for DHCP and all access ports are untrusted.
You can configure an override of the default behavior to set a trunk port as untrusted, which blocks all ingress DHCP server messages from that interface. This is useful for preventing a rogue DHCP server attack, in which an attacker has introduced an unauthorized server into the network. The information provided to DHCP clients by this server has the potential to disrupt their network access. The unauthorized server might also assign itself as the default gateway device for the network. An attacker can then sniff the network traffic and perpetrate a man-in-the-middle attack—that is, it misdirects traffic intended for a legitimate network device to a device of its choice.
You can also configure an access port as trusted. If you attach a DHCP server to an access port, you must configure the port as trusted. Before you do so, ensure that the server is physically secure—that is, that access to the server is monitored and controlled.
Enabling a Trusted DHCP Server (ELS)
This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style.
You can configure any interface on a switch that connects to a DHCP server as a trusted interface (port). Configuring a DHCP server on a trusted interface protects against rogue DHCP servers sending leases.
By default, all access interfaces are untrusted, and all trunk interfaces are trusted. However, you can override the default setting for access interfaces by configuring a group of access interfaces within a VLAN, specifying an interface to belong to that group, and then configuring the group as trusted.
Before you can configure a trusted DHCP server, you must configure a VLAN. See Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure).
To configure an untrusted access interface as a trusted interface for a DHCP server by using the CLI :
Enabling a Trusted DHCP Server (non-ELS)
You can protect against rogue DHCP servers sending rogue leases on your network by using trusted DHCP servers and ports. By default, for DHCP, all trunk ports are trusted, and all access ports are untrusted. And you can only set up DHCP server on an interface; that is, using a VLAN is not supported.
Trusted ports allow DHCP servers to provide IP addresses and other information to requesting devices. Untrusted ports drop traffic from DHCP servers to prevent unauthorized servers from providing any configuration information to clients.
To configure a port to host a DHCP server, enter the following command from the Junos CLI:
[edit ethernet-switching-options secure-access port] user@switch# set interface ge-0/0/8 dhcp-trusted
where, the interface, ge-0/0/8 is any trusted and physically secure interface that is valid for your network.
See Also
Enabling a Trusted DHCP Server (MX Series Routers)
You can configure any interface on a switching device that connects to a DHCP server as a trusted interface (port). Configuring a DHCP server on a trusted interface protects against rogue DHCP servers sending leases.
By default, all access interfaces are untrusted, and all trunk interfaces are trusted. However, you can override the default setting for access interfaces by configuring a group of access interfaces within a bridge domain, specifying an interface to belong to that group, and then configuring the group as trusted.
Before you can configure a trusted DHCP server, you must configure a bridge domain.
To configure an untrusted access interface as a trusted interface for a DHCP server by using the CLI :
Verifying That a Trusted DHCP Server Is Working Correctly
Purpose
Verify that a DHCP trusted server is working on the switch. See what happens when the DHCP server is trusted and then untrusted.
Action
Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address IP Address Lease Type VLAN Interface
----------------- ---------- ----- ---- ---- ---------
00:05:85:3A:82:77 192.0.2.17 600 dynamic employee—vlan ge-0/0/1.0
00:05:85:3A:82:79 192.0.2.18 653 dynamic employee—vlan ge-0/0/1.0
00:05:85:3A:82:80 192.0.2.19 720 dynamic employee—vlan ge-0/0/2.0
00:05:85:3A:82:81 192.0.2.20 932 dynamic employee—vlan ge-0/0/2.0
00:05:85:3A:82:83 192.0.2.21 1230 dynamic employee—vlan ge-0/0/2.0
00:05:85:27:32:88 192.0.2.22 3200 dynamic employee—vlan ge-0/0/2.0
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires.
If the DHCP server had been configured as untrusted, no entries would be added to the
DHCP snooping database and nothing would be shown in the output of the show dhcp snooping
binding command.
See Also
Configuring a Trunk Interface as Untrusted for DHCP Security (CLI Procedure)
Before you can configure a group of interfaces, you must configure a VLAN. See Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure).
Untrusted trunk interfaces support the following DHCP security features when they are enabled on the VLAN:
DHCP and DHCPv6 snooping
Dynamic ARP inspection
IPv6 neighbor discovery inspection
To configure a trunk interface as untrusted, you must configure a group of interfaces within a VLAN, add the trunk interface to the group, and then configure the group as untrusted. A group must have at least one interface.
To configure a trunk interface as untrusted for DHCP security:
