Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. You can enable the IP source guard port security feature on EX Series switches to mitigate the effects of such attacks. If IP source guard determines that a source IP address and a source MAC address in a binding in an incoming packet are not valid, the switch does not forward the packet.
You can use IP source guard in combination with other EX Series switch features to mitigate address-spoofing attacks on untrusted access interfaces. This example shows two configuration scenarios:
Requirements
This example uses the following hardware and software components:
An EX Series switch
Junos OS Release 9.2 or later for EX Series switches
A DHCP server to provide IP addresses to network devices on the switch
A RADIUS server to provide 802.1X authentication
Before you configure IP source guard for the scenarios related in this example, be sure you have:
Connected the DHCP server to the switch.
Connected the RADIUS server to the switch and configured user authentication on the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
Configured VLANs on the switch. In this example, we have two VLANs, which are named
DATA
andGUEST
. TheDATA
VLAN is configured withvlan-id
300
. TheGUEST
VLAN (which functions as the guest VLAN) is configured withvlan-id 100
. See Example: Setting Up Bridging with Multiple VLANs for EX Series Switches for detailed information about configuring VLANs.
Overview and Topology
IP source guard checks the IP source address and MAC source address in a packet sent from a host attached to an untrusted access interface on the switch. If IP source guard determines that the packet header contains an invalid source IP address or source MAC address, it ensures that the switch does not forward the packet—that is, the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP source guard
applies its checking rules to untrusted access interfaces on those VLANs. By default, on EX
Series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source
guard does not check packets that have been sent to the switch by devices connected to either
trunk interfaces or trusted access interfaces—that is, interfaces configured with dhcp-trusted
. A DHCP server can be connected to a dhcp-trusted
interface
to provide dynamic IP addresses.
IP source guard obtains information about IP-addresses, MAC-addresses, or VLAN bindings from the DHCP snooping database, which enables the switch to validate incoming IP packets against the entries in that database.
Topology
The topology for this example includes an EX Series switch, which is connected to both a DHCP server and to a RADIUS server.
The 802.1X user authentication applied in this example is for single-supplicant mode.
You can use IP source guard with 802.1X user authentication for single-secure supplicant or multiple supplicant mode. If you are implementing IP source guard with 802.1X authentication in single-secure supplicant or multiple supplicant mode, you must use the following configuration guidelines:
If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.
If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.
In the first configuration example, two clients (network devices) are connected to an access switch. You configure IP source guard and 802.1X user authentication, in combination with two access port security features: DHCP snooping and dynamic ARP inspection (DAI). This setup is designed to protect the switch from IP attacks such as ping of death attacks, DHCP starvation, and ARP spoofing.
In the second configuration example, the switch is configured for 802.1X user authentication. If the client fails authentication, the switch redirects the client to a guest VLAN that allows this client to access a set of restricted network features. You configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.
You can set the ip-source-guard
flag in the traceoptions
statement for debugging purposes.
Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection
Procedure
CLI Quick Configuration
To quickly configure IP source guard with 802.1X authentication and with other access port security features, copy the following commands and paste them into the switch terminal window:
[edit] set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted set ethernet-switching-options secure-access-port vlan DATA examine-dhcp set ethernet-switching-options secure-access-port vlan DATA arp-inspection set ethernet-switching-options secure-access-port vlan DATA ip-source-guard set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members DATA set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members DATA set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members DATA set protocols lldp-med interface ge-0/0/0.0 set protocols dot1x authenticator authentication-profile-name profile52 set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single set protocols lldp-med interface ge-0/0/1.0 set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
Step-by-Step Procedure
To configure IP source guard with 802.1X authentication and various port security features:
Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the
DATA
VLAN:[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted user@switch# set set ge-0/0/24 unit 0 family ethernet-switching vlan members DATA
Associate two other access interfaces (untrusted) with the DATA VLAN:
[edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members DATA user@switch# set ge-0/0/1 unit 0 family ethernet-switching vlan members DATA
Configure 802.1X user authentication and LLDP-MED on the two interfaces that you associated with the DATA VLAN:
[edit protocols] user@switch# set lldp-med interface ge-0/0/0.0 user@switch# set dot1x authenticator authentication-profile-name profile52 user@switch# set dot1x authenticator interface ge-0/0/0.0 supplicant single user@switch# set lldp-med interface ge-0/0/1.0 user@switch# set dot1x authenticator interface ge-0/0/1.0 supplicant single
Configure three access port security features—DHCP snooping, dynamic ARP inspection (DAI), and IP source guard—on the
DATA
VLAN:[edit ethernet-switching-options] user@switch# set secure-access-port vlan DATA examine-dhcp user@switch# set secure-access-port vlan DATA arp-inspection user@switch# set secure-access-port vlan DATA ip-source-guard
Results
Check the results of the configuration:
[edit ethernet-switching-options] secure-access-port { interface ge-0/0/24.0 { dhcp-trusted; } vlan DATA { arp-inspection; examine-dhcp; ip-source-guard; } }
[edit interfaces] ge-0/0/0 { unit 0 { family ethernet-switching { vlan { members DATA; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members DATA; } } } } ge-0/0/24 { unit 0 { family ethernet-switching { vlan { members DATA; } } } }
[edit protocols] lldp-med { interface ge-0/0/0.0; interface ge-0/0/1.0; } dot1x { authenticator { authentication-profile-name profile52; } interface { ge-0/0/0.0 { supplicant single; } ge-0/0/1.0 { supplicant single; } } }
Configuring IP Source Guard on a Guest VLAN
Procedure
CLI Quick Configuration
To quickly configure IP source guard on a guest VLAN, copy the following commands and paste them into the switch terminal window:
[edit] set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members GUEST set ethernet-switching-options secure-access-port vlan GUEST examine-dhcp set ethernet-switching-options secure-access-port vlan GUEST ip-source-guard set ethernet-switching-options secure-access-port interface ge-0/0/0 static-ip 10.1.1.1 mac 00:11:11:11:11:11 vlan GUEST set ethernet-switching-options secure-access-port interface ge-0/0/1 static-ip 10.1.1.2 mac 00:22:22:22:22:22 vlan GUEST set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access set protocols dot1x authenticator authentication-profile-name profile52 set protocols dot1x authenticator interface ge-0/0/0 supplicant single set protocols dot1x authenticator interface ge-0/0/0 guest-vlan GUEST set protocols dot1x authenticator interface ge-0/0/0 supplicant-timeout 2 set protocols dot1x authenticator interface ge-0/0/1 supplicant single set protocols dot1x authenticator interface ge-0/0/1 guest-vlan GUEST set protocols dot1x authenticator interface ge-0/0/1 supplicant-timeout 2
Step-by-Step Procedure
To configure IP source guard on a guest VLAN:
Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the
GUEST
VLAN:[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members GUEST
Configure two interfaces for the access port mode:
[edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/1 unit 0 family ethernet-switching port-mode access
Configure DHCP snooping and IP source guard on the
GUEST
VLAN:[edit ethernet-switching-options] user@switch# set secure-access-port vlan GUEST examine-dhcp user@switch# set secure-access-port vlan GUEST ip-source-guard
Configure a static IP address on each of two (untrusted) interfaces on the
GUEST
VLAN (optional):[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/0 static-ip 10.1.1.1 mac 00:11:11:11:11:11 vlan GUEST
[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/1 static-ip 10.1.1.2 mac 00:22:22:22:22:22 vlan GUEST
Configure 802.1X user authentication:
[edit protocols] user@switch# set dot1x authenticator authentication-profile-name profile52 user@switch# set dot1x authenticator interface ge-0/0/0 supplicant single user@switch# set dot1x authenticator interface ge-0/0/1 supplicant single user@switch# set dot1x authenticator interface ge-0/0/0 supplicant-timeout 2 user@switch# set dot1x authenticator interface ge-0/0/1 supplicant-timeout 2
Results
Check the results of the configuration:
[edit protocols] dot1x { authenticator { authentication-profile-name profile52; } interface { ge-0/0/0.0 { guest-vlan GUEST; supplicant single; supplicant-timeout 2; } ge-0/0/1.0 { guest-vlan GUEST; supplicant single; supplicant-timeout 2; } } } }
[edit vlans] GUEST { vlan-id 100; }
[edit interfaces] ge-0/0/0 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/1 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/24 { unit 0 { family ethernet-switching { vlan { members GUEST; } } } }
[edit ethernet-switching-options] secure-access-port { interface ge-0/0/0.0 { static-ip 10.1.1.1 vlan GUEST mac 00:11:11:11:11:11; } interface ge-0/0/1.0 { static-ip 10.1.1.2 vlan GUEST mac 00:22:22:22:22:22; } interface ge-0/0/24.0 { dhcp-trusted; } vlan GUEST { examine-dhcp; ip-source-guard; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying That 802.1X User Authentication Is Working on the Interface
- Verifying the VLAN Association with the Interface
- Verifying That DHCP Snooping Is Working on the VLAN
- Verifying That IP Source Guard Is Working on the VLAN
Verifying That 802.1X User Authentication Is Working on the Interface
Purpose
Verify that the 802.1X configuration is working on the interface.
Action
user@switch> show dot1x interface ge/0/0/0.0 detail ge-0/0/0.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 2 Quiet period: 30 seconds Transmit period: 15 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 2 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: GUEST Number of connected supplicants: 1 Supplicant: md5user01, 00:30:48:90:53:B7 Operational state: Authenticated Backend Authentication state: Idle Authentcation method: Radius Authenticated VLAN: DATA Session Reauth interval: 3600 seconds Reauthentication due in 3581 seconds
Meaning
The Supplicant mode
field displays the configured
administrative mode for each interface. The Guest VLAN member
field displays the VLAN to which a supplicant is connected when the supplicant is authenticated
using a guest VLAN. The Authenticated VLAN
field displays the
VLAN to which the supplicant is connected.
Verifying the VLAN Association with the Interface
Purpose
Verify interface states and VLAN memberships.
Action
user@switch> show ethernet-switching interfaces Interface State VLAN members Tag Tagging Blocking ge-0/0/0.0 up DATA 101 untagged unblocked ge-0/0/1.0 up DATA 101 untagged unblocked ge-0/0/24 up DATA 101 untagged unblocked
Meaning
The VLAN members
field shows the associations
between VLANs and interfaces. The State
field shows whether
the interfaces are up or down.
For the guest VLAN configuration, the interface is associated with the guest VLAN if and when the supplicant fails 802.1X user authentication.
Verifying That DHCP Snooping Is Working on the VLAN
Purpose
Verify that DHCP snooping is enabled and working on the VLAN. Send some DHCP requests from network devices (DHCP clients) connected to the switch.
Action
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC address IP address Lease (seconds) Type VLAN Interface 00:30:48:90:53:B7 192.0.2.1 86392 dynamic DATA ge-0/0/24.0
Meaning
When the interface on which the DHCP server connects to the switch has been
set to dhcp-trusted
, the output shows for each MAC address, the assigned IP address
and lease time—that is, the time, in seconds, remaining before the lease expires. Static
IP addresses have no assigned lease time. Statically configured entries never expire.
Verifying That IP Source Guard Is Working on the VLAN
Purpose
Verify that IP source guard is enabled and working on the VLAN.
Action
user@switch> show ip-source-guard IP source guard information: Interface Tag IP Address MAC Address VLAN ge-0/0/0.0 0 192.0.2.2 00:30:48:90:63:B7 DATA ge-0/0/1.0 0 192.0.2.3 00:30:48:90:73:B7 DATA
Meaning
The IP source guard database table contains the VLANs for which IP source guard
is enabled, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If a switch
interface is associated with multiple VLANs and some of those VLANs have IP source guard enabled
(or configured) while others do not have IP source guard enabled, the VLANs that do not have
IP source guard enabled have a star (*) in the IP Address
and MAC Address
fields.