Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
This example uses Junos OS with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Protecting Against ARP Spoofing Attacks. For ELS details, see Using the Enhanced Layer 2 Software CLI.
This example describes how to enable IPv6 source guard and neighbor discovery inspection on a specified VLAN to protect the switch against IPv6 address spoofing attacks. When you enable either IPv6 source guard or neighbor discovery inspection, DHCPv6 snooping is automatically enabled on the same VLAN.
Requirements
This example uses the following hardware and software components:

- One EX Series switch that supports the Enhanced Layer 2 Software configuration style.
- Junos OS Release 13.2X51-D20 or later for EX Series switches
- A DHCPv6 server to provide IPv6 addresses to network devices on the switch

This example also applies to QFX5100, QFX5110, and QFX5200 switches.
Before you configure IPv6 source guard and neighbor discovery inspection to prevent IPv6 address spoofing attacks, be sure you have:

- Connected the DHCPv6 server to the switch.
- Configured the VLAN to which you are adding DHCPv6 security features. See the documentation that describes setting up basic bridging and a VLAN for your switch.
Overview and Topology
Ethernet LAN switches are vulnerable to attacks on security that involve spoofing (forging) of source MAC addresses or source IPv6 addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. For more information on IPv6 address spoofing attacks, see IPv6 Neighbor Discovery Inspection.
By using the DHCPv6 snooping table, also known as the binding table, IPv6 source guard and neighbor discovery inspection mitigate the risk of IPv6 spoofing attacks. The DHCPv6 snooping table contains the IP address, MAC address, VLAN and interface ID for each host associated with the VLAN. When a packet is sent from a host attached to an untrusted access interface on the switch, IPv6 source guard checks it against the entries in the DHCPv6 snooping table. If there is no match in the table, the switch does not forward the packet—that is, the packet is discarded. Neighbor discovery inspection verifies neighbor discovery messages sent between IPv6 nodes on the same network link against the DHCPv6 snooping table, and also discards the packet if no match is found.
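As an added illustration (not Junos code and not part of this example's configuration), the following Python models the lookup just described: a packet or neighbor discovery message arriving on an untrusted access port is forwarded only when its source IPv6 address, MAC address, VLAN and ingress interface together match one entry in the binding table, while the trusted trunk is not checked at all. The binding entries, the trusted interface name and the function names are constructed for this illustration.

```python
# Added illustration (not Junos code): a model of the lookup that IPv6 source
# guard and ND inspection perform against the DHCPv6 snooping (binding) table.
# The binding table and trusted-port set are constructed sample data in the
# shape of the `show dhcp-security ipv6 binding` output; function names are
# this example's own.
from collections import defaultdict
from ipaddress import IPv6Address

# Constructed bindings: (IPv6 address, MAC, VLAN, interface). Each client has a
# link-local entry (used for its DHCPv6 exchange) and a server-assigned entry.
BINDING_TABLE = frozenset({
    (IPv6Address("2001:db8:fe10::"),       "00:10:94:00:55:0b", "sales", "ge-0/0/1.0"),
    (IPv6Address("fe80::210:94ff:fe00:1"), "00:10:94:00:55:0b", "sales", "ge-0/0/1.0"),
    (IPv6Address("2001:db8:fe12::"),       "00:10:94:00:00:34", "sales", "ge-0/0/2.0"),
    (IPv6Address("fe80::210:94ff:fe00:2"), "00:10:94:00:00:34", "sales", "ge-0/0/2.0"),
})

# The trunk towards the DHCPv6 server is trusted and therefore not checked
# (assumed interface name for this illustration).
TRUSTED_INTERFACES = frozenset({"ge-0/0/8.0"})

# Per-interface ND inspection counters, mirroring the columns of
# `show dhcp-security neighbor-discovery-inspection statistics`.
ND_STATS = defaultdict(lambda: {"received": 0, "passed": 0, "failed": 0})


def _has_binding(ipv6, mac, vlan, interface, table):
    """True when address, MAC, VLAN and ingress interface all match one entry.
    Addresses are compared as parsed values so that textual variants of the
    same address (e.g. 2001:db8:fe10:0:: vs 2001:db8:fe10::) still match."""
    try:
        addr = IPv6Address(ipv6)
    except ValueError:
        return False
    return (addr, mac.lower(), vlan, interface) in table


def source_guard_verdict(src_ipv6, src_mac, vlan, ingress,
                         table=BINDING_TABLE, trusted=TRUSTED_INTERFACES):
    """Decision for a data packet: trusted ports are forwarded unchecked;
    packets from untrusted access ports must match a binding or are discarded."""
    if ingress in trusted:
        return "forward"
    return "forward" if _has_binding(src_ipv6, src_mac, vlan, ingress, table) else "discard"


def nd_inspection_verdict(src_ipv6, link_layer_addr, vlan, ingress,
                          table=BINDING_TABLE, trusted=TRUSTED_INTERFACES,
                          stats=ND_STATS):
    """Decision for a neighbor discovery message: the source address and the
    link-layer address option must match a binding. Counters are updated so
    the caller can see what the statistics command would report."""
    if ingress in trusted:
        return "forward"
    stats[ingress]["received"] += 1
    if _has_binding(src_ipv6, link_layer_addr, vlan, ingress, table):
        stats[ingress]["passed"] += 1
        return "forward"
    stats[ingress]["failed"] += 1
    return "discard"


if __name__ == "__main__":
    # Legitimate client on ge-0/0/1.0, then the same port claiming ge-0/0/2.0's address.
    print(source_guard_verdict("2001:db8:fe10::", "00:10:94:00:55:0b", "sales", "ge-0/0/1.0"))
    print(source_guard_verdict("2001:db8:fe12::", "00:10:94:00:55:0b", "sales", "ge-0/0/1.0"))
    print(nd_inspection_verdict("fe80::210:94ff:fe00:1", "00:10:94:00:55:0b", "sales", "ge-0/0/1.0"))
    print(dict(ND_STATS))
```

The comparison is done on parsed addresses and lower-cased MACs rather than on raw strings: a binding table keyed on text would let a host slip past the check simply by writing the same address in a different textual form.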
This example shows how to configure these important port security features on a switch that is connected to a DHCPv6 server. The setup for this example includes the VLAN sales on the switch. Figure 1 illustrates the topology for this example.
The trunk interface that connects to the DHCPv6 server is a trusted port by default.
Topology
The components of the topology for this example are shown in Table 1.

Properties | Settings |
---|---|
Switch hardware | One EX Series switch that supports the Enhanced Layer 2 Software configuration style. |
VLAN name and ID | sales, tag |
VLAN subnets | 192.0.2.16/28; 192.0.2.17 through 192.0.2.30; 192.0.2.31 is the subnet's broadcast address |
Interfaces in | |
Interface connecting to DHCPv6 server | |
In this example, the switch has already been configured as follows:

- All access ports are untrusted, which is the default setting.
- The trunk port (ge-0/0/8) is trusted, which is the default setting.
- The VLAN (sales) has been configured to include the specified interfaces.
Configuration
Procedure
CLI Quick Configuration
To quickly configure IPv6 source guard and neighbor discovery inspection (and thereby also automatically configure DHCPv6 snooping), copy the following commands and paste them into the switch terminal window:

```
[edit]
set vlans sales forwarding-options dhcp-security ipv6-source-guard
set vlans sales forwarding-options dhcp-security neighbor-discovery-inspection
```
Step-by-Step Procedure
Configure IPv6 source guard and neighbor discovery inspection (and thereby also automatically configure DHCPv6 snooping) on the VLAN:

Configure IPv6 source guard on the VLAN:

```
[edit vlans sales forwarding-options dhcp-security]
user@switch# set ipv6-source-guard
```

Enable neighbor discovery inspection on the VLAN:

```
[edit vlans sales forwarding-options dhcp-security]
user@switch# set neighbor-discovery-inspection
```
Results
Check the results of the configuration from configuration mode:

```
user@switch# show vlans sales
forwarding-options {
    dhcp-security {
        neighbor-discovery-inspection;
        ipv6-source-guard;
    }
}
```
Verification
Confirm that the configuration is working properly.
- Verifying That DHCPv6 Snooping Is Working Correctly on the Switch
- Verifying That Neighbor Discovery Inspection Is Working Correctly on the Switch
Verifying That DHCPv6 Snooping Is Working Correctly on the Switch
Purpose
Verify that DHCPv6 snooping is working on the switch.
Action
Send DHCPv6 requests from network devices (in this example, these are DHCPv6 clients) connected to the switch.
Display the DHCPv6 snooping information when the port on which the DHCPv6 server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IPv6 addresses and leases:
```
user@switch> show dhcp-security ipv6 binding
IPv6 address             MAC address        Vlan    Expires  State  Interface
2001:db8:fe10::          00:10:94:00:55:0b  vlan20  3456     BOUND  ge-0/0/1.0
fe80::210:94ff:fe00:1    00:10:94:00:55:0b  vlan20  3456     BOUND  ge-0/0/1.0
2001:db8:fe12::          00:10:94:00:00:34  vlan20  3456     BOUND  ge-0/0/2.0
fe80::210:94ff:fe00:2    00:10:94:00:00:34  vlan20  3456     BOUND  ge-0/0/2.0
2001:db8:fe14::          00:10:94:00:00:55  vlan20  3456     BOUND  ge-0/0/3.0
fe80::210:94ff:fe00:3    00:10:94:00:00:55  vlan20  3456     BOUND  ge-0/0/3.0
```
Meaning
The output shows the assigned IPv6 addresses, the MAC address, the VLAN name, and the time, in seconds, remaining before the lease expires. Because IPv6 hosts usually have more than one IPv6 address assigned to each of their IPv6-enabled network interfaces, there are two entries added for each client: one with the link-local IPv6 address, which is used by the client for DHCP transactions, and another with the IPv6 address assigned by the server. The link-local address always has the prefix fe80::/10.
Verifying That Neighbor Discovery Inspection Is Working Correctly on the Switch
Purpose
Verify that neighbor discovery inspection is working on the switch.
Action
Send neighbor discovery packets from network devices connected to the switch.
Display the neighbor discovery information:
```
user@switch> show dhcp-security neighbor-discovery-inspection statistics
ND inspection statistics:
Interface     ND Packets received   ND inspection pass   ND inspection failed
ge-0/0/1.0    7                     5                    2
ge-0/0/2.0    10                    10                   0
ge-0/0/3.0    12                    12                   0
```
Meaning
The sample output shows the number of neighbor discovery packets received and inspected per interface, with a list of the number of packets that passed and the number of packets that failed the inspection on each interface. The switch compares the neighbor discovery requests and replies against the entries in the DHCPv6 snooping database. If a MAC address or IPv6 address in the neighbor discovery packet does not match a valid entry in the database, the packet is dropped.
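As an added example (not Junos code), the following Python parses constructed copies of the two verification outputs above and applies the checks that the two Meaning sections describe: that every client in the binding table has both a link-local (fe80::/10) entry and a server-assigned entry, and which interfaces are recording neighbor discovery inspection failures. The embedded output text is a constructed copy of the sample output; the function names and the extra binding row used in testing are this example's own.

```python
# Added example (not Junos code): parse the `show dhcp-security ipv6 binding`
# and `show dhcp-security neighbor-discovery-inspection statistics` outputs and
# apply the checks described in the verification steps. The text blocks are
# constructed copies of the sample output; function names are this example's own.
import re
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")

# Constructed copy of the binding table output.
BINDING_OUTPUT = """\
IPv6 address             MAC address        Vlan    Expires  State  Interface
2001:db8:fe10::          00:10:94:00:55:0b  vlan20  3456     BOUND  ge-0/0/1.0
fe80::210:94ff:fe00:1    00:10:94:00:55:0b  vlan20  3456     BOUND  ge-0/0/1.0
2001:db8:fe12::          00:10:94:00:00:34  vlan20  3456     BOUND  ge-0/0/2.0
fe80::210:94ff:fe00:2    00:10:94:00:00:34  vlan20  3456     BOUND  ge-0/0/2.0
2001:db8:fe14::          00:10:94:00:00:55  vlan20  3456     BOUND  ge-0/0/3.0
fe80::210:94ff:fe00:3    00:10:94:00:00:55  vlan20  3456     BOUND  ge-0/0/3.0
"""

# Constructed copy of the ND inspection statistics output.
ND_STATS_OUTPUT = """\
ND inspection statistics:
Interface     ND Packets received   ND inspection pass   ND inspection failed
ge-0/0/1.0    7                     5                    2
ge-0/0/2.0    10                    10                   0
ge-0/0/3.0    12                    12                   0
"""

# A binding row is six whitespace-separated columns with a 17-character MAC in
# the second column; header lines do not match and are skipped.
BINDING_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$", re.I)
# A statistics row is an interface name followed by three integer counters.
ND_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_bindings(text):
    """Return one dict per binding row, with the address parsed so that
    textual variants of the same address compare equal."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if not m:
            continue
        addr, mac, vlan, expires, state, iface = m.groups()
        rows.append({"ipv6": IPv6Address(addr), "mac": mac.lower(), "vlan": vlan,
                     "expires": int(expires), "state": state, "interface": iface})
    return rows


def clients_missing_an_address(rows):
    """Each client (MAC + interface) is expected to have both a link-local
    (fe80::/10) entry and a server-assigned entry; return those that do not."""
    seen = {}
    for r in rows:
        kinds = seen.setdefault((r["mac"], r["interface"]), set())
        kinds.add("link-local" if r["ipv6"] in LINK_LOCAL else "assigned")
    return sorted(k for k, kinds in seen.items() if kinds != {"link-local", "assigned"})


def parse_nd_stats(text):
    """Map interface name to its received/passed/failed counters."""
    stats = {}
    for line in text.splitlines():
        m = ND_RE.match(line)
        if m:
            iface, received, passed, failed = m.groups()
            stats[iface] = {"received": int(received), "passed": int(passed),
                            "failed": int(failed)}
    return stats


def interfaces_with_failures(stats):
    """Interfaces on which ND inspection dropped packets: the ports whose
    attached host is worth examining."""
    return {iface: c["failed"] for iface, c in stats.items() if c["failed"] > 0}


def inconsistent_counters(stats):
    """Rows where received != passed + failed, which points to a parsing
    problem or a counter wrap rather than a real inspection result."""
    return sorted(i for i, c in stats.items() if c["received"] != c["passed"] + c["failed"])


if __name__ == "__main__":
    print(clients_missing_an_address(parse_bindings(BINDING_OUTPUT)))   # []
    print(interfaces_with_failures(parse_nd_stats(ND_STATS_OUTPUT)))    # {'ge-0/0/1.0': 2}
```

Run against a switch, the same two functions would be fed the text returned by the show commands; a client that shows only a server-assigned address, or an interface whose failure counter keeps climbing, is the place to start looking.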