Configuring IP Source Guard (non-ELS)
You can use the IP source guard access port security feature on EX Series switches to mitigate the effects of source IP address spoofing and source MAC address spoofing. If IP source guard determines that a host connected to an access interface has sent a packet with an invalid source IP address or source MAC address in the packet header, it ensures that the switch does not forward the packet—that is, the packet is discarded.
You enable the IP source guard feature on VLANs. You can enable it on a specific VLAN, on all VLANs, or on a VLAN range.
IP source guard applies only to access interfaces and only to untrusted interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or an interface set to dhcp-trusted, the CLI shows an error when you try to commit the configuration.
You can use IP source guard together with 802.1X user authentication in single supplicant, single-secure supplicant, or multiple supplicant mode.
When implementing 802.1X user authentication in single-secure supplicant or multiple supplicant mode, use the following configuration guidelines:
If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.
If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.
Configuring IP Source Guard
Before you configure IP source guard, be sure that you have:
Explicitly enabled DHCP snooping on the specific VLAN or specific VLANs on which you will configure IP source guard. See Enabling DHCP Snooping (non-ELS). If you configure IP source guard on specific VLANs rather than on all VLANs, you must also enable DHCP snooping explicitly on those VLANs. Otherwise, the default value of no DHCP snooping applies to that VLAN.
To configure IP source guard:
On a specific VLAN:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name ip-source-guard
On all VLANs:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan all ip-source-guard
On a VLAN range:
Set the VLAN range:
[edit vlans] user@switch# set vlan-name vlan-range vlan-id-low-vlan-id-high
Associate an interface with the VLAN-range and set the port mode to access:
[edit interfaces] user@switch# set interface-name unit 0 family ethernet-switching port-mode access vlan members vlan-name
Enable IP source guard on the VLAN:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name ip-source-guard
To commit these changes to the active configuration, type the commit command at the user prompt.
Configuring IPv6 Source Guard
Before you configure IPv6 source guard, be sure that you have:
Explicitly enabled DHCPv6 snooping on the specific VLAN or specific VLANs on which you will configure IPv6 source guard. See Enabling DHCP Snooping (non-ELS). If you configure IPv6 source guard on specific VLANs rather than on all VLANs, you must also enable DHCPv6 snooping explicitly on those VLANs. Otherwise, the default value of no DHCPv6 snooping applies to that VLAN.
Set the maximum number of IPv6 source guard sessions:
[edit ethernet-switching-options secure-access-port] user@switch# set ipv6-source-guard-sessions max-number maximum-number
Note:After setting or changing the maximum number of IPv6 source guard sessions and committing the configuration, you must reboot the switch for the configuration to take effect.
To configure IPv6 source guard:
On a specific VLAN:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name ipv6-source-guard
On all VLANs:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan all ipv6-source-guard
On a VLAN range:
Set the VLAN range:
[edit vlans] user@switch# set vlan-name vlan-range vlan-id-low-vlan-id-high
Associate an interface with a VLAN-range and set the port mode to access:
[edit interfaces] user@switch# set interface-name unit 0 family ethernet-switching port-mode access vlan members vlan-name
Enable IPv6 source guard on the VLAN:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name ipv6-source-guard
To commit these changes to the active configuration, type the commit command at the user prompt.
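The IPv4 and IPv6 procedures above, carried through as one complete configuration for a single VLAN range. This is an added example, not configuration from the original page; the VLAN name guest-vlan, the VLAN IDs 100-110, the interfaces ge-0/0/1 and ge-0/0/2, and the session limit 512 are assumed for illustration, and the examine-dhcp and examine-dhcpv6 statements are the DHCP and DHCPv6 snooping statements that the Enabling DHCP Snooping (non-ELS) topic describes. Lines beginning with # are annotations, not CLI input.

```junos
# Assumed VLAN range and two access interfaces (not from the original page).
[edit]
user@switch# set vlans guest-vlan vlan-range 100-110
user@switch# set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access vlan members guest-vlan
user@switch# set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access vlan members guest-vlan

# Not shown: the uplink. A trunk interface or an interface configured as
# dhcp-trusted must not be a member of guest-vlan, or the commit fails.

# DHCP and DHCPv6 snooping must be enabled explicitly on the VLAN; source
# guard has nothing to validate against otherwise, because the VLAN defaults
# to no snooping.
user@switch# set ethernet-switching-options secure-access-port vlan guest-vlan examine-dhcp
user@switch# set ethernet-switching-options secure-access-port vlan guest-vlan examine-dhcpv6

# IPv4 source guard on the VLAN.
user@switch# set ethernet-switching-options secure-access-port vlan guest-vlan ip-source-guard

# IPv6 source guard: session limit first (assumed value 512), then the VLAN.
# The session limit only takes effect after a reboot, so commit, then reboot.
user@switch# set ethernet-switching-options secure-access-port ipv6-source-guard-sessions max-number 512
user@switch# set ethernet-switching-options secure-access-port vlan guest-vlan ipv6-source-guard
user@switch# commit
user@switch# exit
user@switch> request system reboot

# After the switch is back up, confirm that the hosts have DHCP bindings and
# that source guard is installed for them before trusting the result.
user@switch> show dhcp snooping binding
user@switch> show ip-source-guard
```

Hosts that obtain their addresses through DHCP appear in the snooping binding table and are forwarded; a host on ge-0/0/1 or ge-0/0/2 that sends with a source IP or MAC address that does not match its binding has its packets discarded. Hosts with statically assigned addresses never create a DHCP binding, so their traffic is discarded as well once source guard is enabled; account for them before enabling the feature on a production VLAN.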
Disabling IP Source Guard
You can disable IP source guard on a specific VLAN after you have enabled the feature on all VLANs, or you can disable it on all VLANs.
To disable IP source guard on a specific VLAN:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name no-ip-source-guard
To disable IP source guard on all VLANs:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan all no-ip-source-guard
To disable IPv6 source guard, replace no-ip-source-guard with no-ipv6-source-guard in either command.