Example: Prioritizing Snooped and Inspected Packets
On EX Series switches you might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay, and you might also need the port security features of DHCP snooping and dynamic ARP inspection (DAI) on the same ports through which those critical packets enter and leave the switch. You can combine the advantages of both features by using CoS forwarding classes and queues to prioritize snooped and inspected packets. This type of configuration places the snooped and inspected packets in the desired egress queue, ensuring that the security procedure does not interfere with the transmission of this high-priority traffic. This is especially important for traffic that is sensitive to jitter and delay, such as voice traffic.
This example shows how to configure the switch to prioritize snooped and inspected packets in heavy network traffic.
Requirements
This example uses the following hardware and software components:
- One EX Series switch
- Junos OS Release 11.2 or later for EX Series switches
- A DHCP server to provide IP addresses to network devices on the switch
Before you specify CoS forwarding classes for snooped and inspected packets, be sure you have:
- Connected the DHCP server to the switch.
- Configured the VLAN VLAN200 on the switch. See Configuring VLANs for EX Series Switches.
- Configured two interfaces, ge-0/0/1 and ge-0/0/8, to belong to VLAN200.
Overview and Topology
Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. To protect the devices from such attacks, you can configure DHCP snooping to validate DHCP server messages and DAI to protect against MAC spoofing. If you have to deal with periods of heavy network congestion and you want to ensure that sensitive traffic is not disrupted, you can combine the port security features with CoS forwarding classes to prioritize the handling of the snooped and inspected security packets.
In the default switch configuration:
- Secure port access is activated on the switch.
- DHCP snooping and DAI are disabled on all VLANs.
- All access ports are untrusted and all trunk ports are trusted for DHCP snooping.
This example shows how to combine the DHCP snooping and DAI security features with prioritized forwarding of snooped and inspected packets.
The setup for this example includes the VLAN VLAN200 on the switch. Figure 1 illustrates the topology for this example.
Topology

The components of the topology for this example are shown in Table 1.
| Properties | Settings |
|---|---|
| Switch hardware | EX Series switch |
| VLAN name | VLAN200 |
| Interfaces in VLAN200 | ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8 |
| Interface for DHCP server | ge-0/0/8 |
In the configuration tasks for this example, you create a user-defined forwarding class c1, you enable DHCP snooping and DAI on VLAN200, and you assign the snooped and inspected packets to forwarding class c1 and queue 6. Queues 6 and 7 are reserved for high-priority control packets. The packets that are subjected to DHCP snooping and DAI are control (not data) packets; therefore, it is appropriate to place these snooped and inspected high-priority control packets in queue 6. (Queue 7 is higher priority than queue 6 and can also be used for this purpose.)
Configuration
To configure DHCP snooping and DAI on VLAN200, and to prioritize the snooped and inspected packets:
Procedure
CLI Quick Configuration
To quickly configure DHCP snooping and DAI with prioritized forwarding of snooped and inspected packets, copy the following commands and paste them into the switch terminal window:
```
[edit]
set class-of-service forwarding-classes class c1 queue 6
set ethernet-switching-options secure-access-port vlan VLAN200 examine-dhcp forwarding-class c1
set ethernet-switching-options secure-access-port vlan VLAN200 arp-inspection forwarding-class c1
```
Step-by-Step Procedure
Configure DHCP snooping and DAI with prioritized forwarding of snooped and inspected packets:
1. Create a user-defined forwarding class to be used for prioritizing the snooped and inspected packets:
```
[edit class-of-service]
user@switch# set forwarding-classes class c1 queue 6
```
2. Enable DHCP snooping on the VLAN and apply forwarding class c1 to the snooped packets:
```
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan VLAN200 examine-dhcp forwarding-class c1
```
3. Enable DAI on the VLAN and apply forwarding class c1 to the inspected packets:
```
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan VLAN200 arp-inspection forwarding-class c1
```
Results
Check the results of the configuration:
```
[edit ethernet-switching-options secure-access-port]
user@switch# show
vlan VLAN200 {
    arp-inspection forwarding-class c1;
    examine-dhcp forwarding-class c1;
}
[edit class-of-service]
user@switch# show
forwarding-classes {
    class c1 queue-num 6;
}
```
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying That Prioritized Forwarding Is Working Correctly on the Snooped Packets
- Verifying That Prioritized Forwarding Is Working Correctly on the DAI Inspected Packets
Verifying That Prioritized Forwarding Is Working Correctly on the Snooped Packets
Purpose
Verify that prioritized forwarding is working on the DHCP snooped packets.
Action
Send some DHCP requests from network devices to the switch. Display the output queue for one of the interfaces in VLAN200 to make sure that the packets are being transmitted in the designated queue:
```
user@switch> show interfaces ge-0/0/1 extensive
Egress queues: 8 supported, 5 in use
Queue counters:       Queued packets  Transmitted packets      Dropped packets
  0 best-effort                    0                    0                    0
  1 assured-forw                   0                    0                    0
  5 expedited-fo                   0                    0                    0
  6 c1                             0                 3209                    0
  7 network-cont                   0               126371                    0
```
Meaning
The command output shows that packets have been transmitted on forwarding class c1 queue 6.
Continue testing by changing the setting of examine-dhcp forwarding-class to use one of the default queues, such as best-effort, and repeat the show interfaces command to compare the difference in the output. You can tell that the setting is working correctly by seeing the difference in the number of transmitted packets reported for forwarding class c1 queue 6.
Verifying That Prioritized Forwarding Is Working Correctly on the DAI Inspected Packets
Purpose
Verify that prioritized forwarding is working on the DAI inspected packets.
Action
Send some ARP requests from network devices to the switch. Display the output queue for one of the interfaces in VLAN200 to make sure that the packets are being transmitted in the designated queue:
```
user@switch> show interfaces ge-0/0/1 extensive
Egress queues: 8 supported, 5 in use
Queue counters:       Queued packets  Transmitted packets      Dropped packets
  0 best-effort                    0                    0                    0
  1 assured-forw                   0                    0                    0
  5 expedited-fo                   0                    0                    0
  6 c1                             0                 3209                    0
  7 network-cont                   0               126371                    0
```
Meaning
The command output shows that packets have been transmitted on forwarding class c1 queue 6.
Continue testing by changing the setting of arp-inspection forwarding-class to use one of the default queues, such as best-effort, and repeat the show interfaces command to compare the difference in the output. You can tell that the setting is working correctly by seeing the difference in the number of transmitted packets reported for forwarding class c1 queue 6.
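Both verification steps above rely on reading the egress queue counters by eye before and after sending DHCP or ARP traffic. As an added helper, not part of the Juniper example, the following Python parses two captures of the queue counter section of `show interfaces ge-0/0/1 extensive` and confirms that the counter for forwarding class c1 on queue 6 increased without drops; the sample captures are constructed to mirror the output shown on this page.

```python
import re
from typing import Dict, Tuple

# Constructed sample captures, modelled on the egress-queue section shown in
# the verification steps; taken "before" and "after" sending DHCP/ARP traffic.
BEFORE = """\
Egress queues: 8 supported, 5 in use
Queue counters:       Queued packets  Transmitted packets      Dropped packets
  0 best-effort                    0                    0                    0
  1 assured-forw                   0                    0                    0
  5 expedited-fo                   0                    0                    0
  6 c1                             0                 3100                    0
  7 network-cont                   0               126000                    0
"""
AFTER = BEFORE.replace("3100", "3209").replace("126000", "126371")

# One counter row: queue number, forwarding class, queued, transmitted, dropped.
QUEUE_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_queue_counters(text: str) -> Dict[int, Tuple[str, int, int, int]]:
    """Map queue number -> (forwarding class, queued, transmitted, dropped)."""
    counters = {}
    for line in text.splitlines():
        m = QUEUE_LINE.match(line)
        if m:
            q, fc, queued, tx, dropped = m.groups()
            counters[int(q)] = (fc, int(queued), int(tx), int(dropped))
    return counters


def verify_priority_queue(before: str, after: str, fc: str = "c1", queue: int = 6) -> dict:
    """Pass only if the target queue is bound to the expected forwarding class,
    its transmitted count grew between the captures, and nothing was dropped."""
    b, a = parse_queue_counters(before), parse_queue_counters(after)
    if queue not in a or a[queue][0] != fc:
        return {"ok": False, "reason": f"queue {queue} is not bound to class {fc}"}
    base = b.get(queue, (fc, 0, 0, 0))
    tx_delta = a[queue][2] - base[2]
    drop_delta = a[queue][3] - base[3]
    return {"ok": tx_delta > 0 and drop_delta == 0,
            "tx_delta": tx_delta, "drop_delta": drop_delta}


if __name__ == "__main__":
    print(verify_priority_queue(BEFORE, AFTER))
```

Re-run the check after switching the forwarding class back to best-effort; the c1 queue 6 delta should then stay at zero while the best-effort queue grows instead.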