Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces

Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. You can enable the IP source guard port security feature on EX Series switches to mitigate the effects of such attacks. If IP source guard determines that a source IP address and a source MAC address in a binding in an incoming packet are not valid, the switch does not forward the packet.

You can use IP source guard in combination with other EX Series switch features to mitigate address-spoofing attacks on untrusted access interfaces. This example shows two configuration scenarios:

Requirements

This example uses the following hardware and software components:

  • An EX Series switch

  • Junos OS Release 9.2 or later for EX Series switches

  • A DHCP server to provide IP addresses to network devices on the switch

  • A RADIUS server to provide 802.1X authentication

Before you configure IP source guard for the scenarios related in this example, be sure you have:

Overview and Topology

IP source guard checks the IP source address and MAC source address in a packet sent from a host attached to an untrusted access interface on the switch. If IP source guard determines that the packet header contains an invalid source IP address or source MAC address, it ensures that the switch does not forward the packet—that is, the packet is discarded.

When you configure IP source guard, you enable it on one or more VLANs. IP source guard applies its checking rules to untrusted access interfaces on those VLANs. By default, on EX Series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not check packets that have been sent to the switch by devices connected to either trunk interfaces or trusted access interfaces—that is, interfaces configured with dhcp-trusted. A DHCP server can be connected to a dhcp-trusted interface to provide dynamic IP addresses.

IP source guard obtains information about IP-addresses, MAC-addresses, or VLAN bindings from the DHCP snooping database, which enables the switch to validate incoming IP packets against the entries in that database.

Topology

The topology for this example includes an EX Series switch, which is connected to both a DHCP server and to a RADIUS server.

Note:

The 802.1X user authentication applied in this example is for single-supplicant mode.

You can use IP source guard with 802.1X user authentication for single-secure supplicant or multiple supplicant mode. If you are implementing IP source guard with 802.1X authentication in single-secure supplicant or multiple supplicant mode, you must use the following configuration guidelines:

  • If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.

  • If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.

In the first configuration example, two clients (network devices) are connected to an access switch. You configure IP source guard and 802.1X user authentication, in combination with two access port security features: DHCP snooping and dynamic ARP inspection (DAI). This setup is designed to protect the switch from IP attacks such as ping of death attacks, DHCP starvation, and ARP spoofing.

In the second configuration example, the switch is configured for 802.1X user authentication. If the client fails authentication, the switch redirects the client to a guest VLAN that allows this client to access a set of restricted network features. You configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.

Tip:

You can set the ip-source-guard flag in the traceoptions statement for debugging purposes.

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection

Procedure

CLI Quick Configuration

To quickly configure IP source guard with 802.1X authentication and with other access port security features, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure IP source guard with 802.1X authentication and various port security features:

  1. Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the DATA VLAN:

  2. Associate two other access interfaces (untrusted) with the DATA VLAN:

  3. Configure 802.1X user authentication and LLDP-MED on the two interfaces that you associated with the DATA VLAN:

  4. Configure three access port security features—DHCP snooping, dynamic ARP inspection (DAI), and IP source guard—on the DATA VLAN:

Results

Check the results of the configuration:

Configuring IP Source Guard on a Guest VLAN

Procedure

CLI Quick Configuration

To quickly configure IP source guard on a guest VLAN, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure IP source guard on a guest VLAN:

  1. Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the GUEST VLAN:

  2. Configure two interfaces for the access port mode:

  3. Configure DHCP snooping and IP source guard on the GUEST VLAN:

  4. Configure a static IP address on each of two (untrusted) interfaces on the GUEST VLAN (optional):

  5. Configure 802.1X user authentication:

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That 802.1X User Authentication Is Working on the Interface

Purpose

Verify that the 802.1X configuration is working on the interface.

Action

Meaning

The Supplicant mode field displays the configured administrative mode for each interface. The Guest VLAN member field displays the VLAN to which a supplicant is connected when the supplicant is authenticated using a guest VLAN. The Authenticated VLAN field displays the VLAN to which the supplicant is connected.

Verifying the VLAN Association with the Interface

Purpose

Verify interface states and VLAN memberships.

Action

Meaning

The VLAN members field shows the associations between VLANs and interfaces. The State field shows whether the interfaces are up or down.

For the guest VLAN configuration, the interface is associated with the guest VLAN if and when the supplicant fails 802.1X user authentication.

Verifying That DHCP Snooping Is Working on the VLAN

Purpose

Verify that DHCP snooping is enabled and working on the VLAN. Send some DHCP requests from network devices (DHCP clients) connected to the switch.

Action

Meaning

When the interface on which the DHCP server connects to the switch has been set to dhcp-trusted, the output shows for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. Statically configured entries never expire.

Verifying That IP Source Guard Is Working on the VLAN

Purpose

Verify that IP source guard is enabled and working on the VLAN.

Action

Meaning

The IP source guard database table contains the VLANs for which IP source guard is enabled, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs have IP source guard enabled (or configured) while others do not have IP source guard enabled, the VLANs that do not have IP source guard enabled have a star (*) in the IP Address and MAC Address fields.