Understanding IP Source Guard for Port Security on Switches
Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. You can use the IP source guard access port security feature to mitigate the effects of these attacks.
IP Address Spoofing
Hosts on access interfaces can spoof source IP addresses and source MAC addresses by flooding the switch with packets containing invalid addresses. Such attacks combined with other techniques such as TCP SYN flood attacks can cause denial-of-service (DoS) attacks. With source IP address or source MAC address spoofing, the system administrator cannot identify the source of the attack. The attacker can spoof addresses on the same subnet or on a different subnet.
How IP Source Guard Works
IP source guard examines each packet sent from a host attached to an untrusted access interface on the switch. The IP address, MAC address, VLAN and interface associated with the host is checked against entries stored in the DHCP snooping database. If the packet header does not match a valid entry in the DHCP snooping database, the switch does not forward the packet—that is, the packet is discarded.
If your switch uses Junos OS for EX Series with support for the Enhanced Layer 2 Software (ELS) configuration style, DHCP snooping is enabled automatically when you enable IP source guard on a VLAN. See Configuring IP Source Guard (ELS).
If your switch uses Junos OS for EX Series without support the Enhanced Layer 2 Software (ELS) configuration style and you enable IP source guard on a VLAN, you must also explicitly enable DHCP snooping on that VLAN. Otherwise, the default value of no DHCP snooping applies to the VLAN. See Configuring IP Source Guard (non-ELS).
IP source guard examines packets sent from untrusted access interfaces on those VLANs. By default, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not examine packets that have been sent to the switch by devices connected to trusted interfaces so that a DHCP server can be connected to that interface to provide dynamic IP addresses.
On an EX9200 switch, you can set a trunk interface as untrusted
so that it supports IP source guard.
IPv6 Source Guard
IPv6 source guard is available on switches that support DHCPv6 snooping. To determine whether your switch supports DHCPv6 snooping, see Feature Explorer.
The DHCP Snooping Table
IP source guard obtains information about IP address to MAC address bindings (IP-MAC binding) from the DHCP snooping table, also known as the DHCP binding table. The DHCP snooping table is populated either through dynamic DHCP snooping or through configuration of specific static IP address to MAC address bindings. For more information about the DHCP snooping table, see Understanding DHCP Snooping (ELS).
To display the DHCP snooping table, issue the operational mode command that appears in the switch CLI.
For DHCP snooping:
(For non-ELS switches)
show ip-source-guard
(ELS switches only)
show dhcp-security binding
For DHCPv6 snooping:
(For non-ELS switches)
show dhcpv6 snooping binding
(ELS switches only)
show dhcp-security ipv6 binding
Typical Uses of Other Junos OS Features with IP Source Guard
You can configure IP source guard with various other port security features including:
VLAN tagging (used for voice VLANs)
GRES (graceful Routing Engine switchover)
Virtual Chassis configurations
Link aggregation groups (LAGs)
802.1X user authentication in single supplicant, single-secure supplicant, or multiple supplicant mode.
Note:While implementing 801.X user authentication in single-secure supplicant or multiple supplicant mode, use the following configuration guidelines:
If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership. This also applies to IPv6 source guard and DHCPv6 snooping.
If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership. This also applies to IPv6 source guard and DHCPv6 snooping.