IPv6 Stateless Address Auto-configuration (SLAAC) Snooping
Understanding SLAAC Snooping
Dynamic address assignment is an important feature of IPv6 due to the vast increase in address space over IPv4. In addition to static addressing, IPv6 provides two options for clients to obtain addresses dynamically: DHCPv6 (stateful) and stateless address auto-configuration (SLAAC).
SLAAC simplifies IPv6 address management by providing plug-and-play IP connectivity with no manual configuration of hosts. SLAAC enables an IPv6 client to generate its own addresses using a combination of locally-available information and information advertised by routers through Neighbor Discovery Protocol (NDP).
NDP messages are unsecured, which makes SLAAC susceptible to attacks that involve the spoofing (or forging) of link-layer addresses. You must configure SLAAC snooping to validate IPv6 clients using SLAAC before allowing them to access the network.
SLAAC Process
The client begins auto-configuration by generating a link-local address for the IPv6-enabled interface. This is done by combining the advertised link-local prefix (first 64 bits) with the interface identifier (last 64 bits). The address is generated according to the following format: [fe80 (10 bits) + 0 (54 bits)] + interface ID (64 bits).
Before assigning the link-local address to its interface, the client verifies the address by running Duplicate Address Detection (DAD). DAD sends a Neighbor Solicitation message destined to the new address. If there is a reply, then the address is a duplicate and the process stops. If the address is unique, it is assigned to the interface.
To generate a global address, the client sends a Router Solicitation message to prompt all routers on the link to send Router Advertisement (RA) messages. Routers that are enabled to support SLAAC send an RA that contains a subnet prefix for use by neighboring hosts. The client appends the interface identifier to the subnet prefix to form a global address, and again runs DAD to confirm its uniqueness.
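The address-formation steps above, worked through in Python as an added example (this is not code from the Juniper documentation). The page does not say how the 64-bit interface identifier is formed; the example assumes the modified EUI-64 derivation from the MAC address (RFC 4291), and hosts running privacy extensions would use a random identifier instead. The link and the DAD exchange are simulated with a set of addresses already in use, so a reply to the Neighbor Solicitation is modelled as membership in that set. All MAC addresses and prefixes are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (assumed derivation, RFC 4291 Appendix A):
    split the 48-bit MAC, insert ff:fe in the middle and flip the
    universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Prefix (first 64 bits) + interface ID (last 64 bits)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) + iid)

def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80 (10 bits) + 0 (54 bits) + interface ID (64 bits)."""
    return slaac_address("fe80::/64", eui64_interface_id(mac))

def duplicate_address_detection(candidate, link_addresses) -> bool:
    """Simulated DAD: an NS for `candidate` gets a reply when the address
    is already in use on the link, which makes it a duplicate."""
    return candidate in link_addresses

def slaac_autoconfigure(mac: str, ra_prefixes, link_addresses):
    """Run the SLAAC process for one host: link-local first, then one
    global address per prefix advertised in Router Advertisements.
    Returns (link_local, [global addresses]); (None, []) if DAD fails
    for the link-local address, because the process stops there."""
    iid = eui64_interface_id(mac)
    link_local = slaac_address("fe80::/64", iid)
    if duplicate_address_detection(link_local, link_addresses):
        return None, []
    link_addresses.add(link_local)
    global_addrs = []
    for prefix in ra_prefixes:            # prefixes learned from RA messages
        candidate = slaac_address(prefix, iid)
        if not duplicate_address_detection(candidate, link_addresses):
            link_addresses.add(candidate)
            global_addrs.append(candidate)
    return link_local, global_addrs

if __name__ == "__main__":
    link = set()                          # constructed: nothing else on the link yet
    ll, globs = slaac_autoconfigure("00:1b:21:3c:4d:5e", ["2001:db8:1:2::/64"], link)
    print("link-local:", ll)
    print("global:", [str(g) for g in globs])
```

Because the interface identifier is the same in the link-local and every global address, a MAC-derived identifier lets an observer correlate a host across prefixes; this is the reason privacy extensions exist, and it is also why a snooping table keyed on IP-MAC bindings fits SLAAC so naturally.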
SLAAC Snooping
SLAAC is subject to the same security vulnerabilities found in NDP. You can configure SLAAC snooping to secure traffic from IPv6 clients using SLAAC for dynamic address assignment. For more information on NDP, see IPv6 Neighbor Discovery Inspection.
SLAAC snooping is similar to DHCP snooping, in that it snoops packets to build a table of IP-MAC address bindings. SLAAC snooping extracts address information from DAD packets exchanged during the SLAAC process to build the SLAAC snooping table. The address bindings in this table are used to inspect and validate NDP/IP packets sent by IPv6 clients using SLAAC.
Configuring SLAAC Snooping
SLAAC snooping is enabled on a per-VLAN basis. By default, SLAAC snooping is disabled for all VLANs.
To enable SLAAC snooping, use the following commands:
Configuring Auto-DAD
If DAD is disabled on the client side, or DAD packets are dropped due to traffic congestion, SLAAC snooping will perform auto-DAD on behalf of the client. The client-generated address is in a tentative state until the DAD process is completed.
Auto-DAD sends a Neighbor Solicitation message with the client-generated address as a target, and waits for a Neighbor Advertisement in response. If there is a response, then the address is a duplicate and cannot be assigned to the client. If there is no response, then the address is confirmed.
The amount of time that auto-DAD waits for a response is 1 second by default, with no retries. You can configure the number of retries and the length of the interval between transmissions.
During a MAC move, the first Neighbor Solicitation packet will result in a SLAAC entry flush from the old port and the second will result in the creation of a SLAAC entry for the new port.
To configure the number of auto-DAD retries, use the following commands:
To configure the interval between auto-DAD transmissions, use the following commands:
For a specific interface:
[edit] user@switch# set forwarding-options access-security slaac-snooping interface interface-name auto-dad retrans-interval seconds
For all interfaces:
[edit] user@switch# set forwarding-options access-security slaac-snooping interface all auto-dad retrans-interval seconds
Configuring the Link-Local Address Expiration
The link-local address learned by SLAAC has a default expiration period of 1 day. When the lease for the address expires, the snooping device sends a DAD message with the client address as the target. If the client is still reachable, the lease is renewed.
To configure the length of the expiration period, use the following command:
[edit] user@switch# set forwarding-options access-security slaac-snooping link-local expiry interval seconds
Configuring the Allowed DAD Contentions
You can configure the maximum number of DAD contention messages (Neighbor Solicitation or Neighbor Advertisement) for an interface. If the maximum number of contentions is exceeded during the allowed time interval, the interface is considered invalid and the SLAAC snooping table is not updated with any bindings for that client.
The maximum number of allowed contentions is configured per interface, to accommodate interfaces that belong to more than one VLAN.
To configure the maximum number of DAD contentions and the allowed time interval, use the following command:
[edit] user@switch# set forwarding-options access-security slaac-snooping interface interface-name max-allowed-contention count integer duration seconds
Configuring an Interface as Trusted for SLAAC Snooping
When you configure an interface as trusted, the binding entry for the interface is added to the SLAAC snooping table using the same process as for untrusted interfaces.
When a DAD request is received on a trusted port with an IP/MAC entry that already exists on an untrusted port, SLAAC snooping sends a unicast DAD towards the untrusted port to see whether the host is live.
If the host responds with an NA message on the untrusted port, the lease time is renewed for the existing binding entry.
If there is no response (NA) on the untrusted port, the corresponding binding entry is deleted.
If the entry for the untrusted port is deleted, the binding for the trusted port is not created immediately. When the trusted port starts to send data traffic, it will send an NS message. At that time, SLAAC snooping adds the new binding on the trusted port.
Router advertisement packets received on a trusted port are flooded to all the ports in that VLAN irrespective of the SLAAC entry for the receiving port.
The maximum number of DAD contentions does not apply to trusted interfaces.
To configure an interface as trusted for SLAAC snooping, use the following command:
[edit] user@switch# set forwarding-options access-security slaac-snooping interface interface-name mark-interface trusted
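The binding logic described in the sections above (building the SLAAC snooping table from DAD packets, auto-DAD with retries and a retransmit interval, the entry flush on a MAC move, the per-interface contention limit, and the trusted-port handling), simulated in Python as one added example. This is not Junos code and does not reproduce the switch's internal data structures; it models the behaviour the text describes so the rules can be checked against sample traffic. `DadNs` records, port names such as `ge-0/0/1` and the `unicast_dad` callback that stands in for the link are constructed. Where the page is silent (what happens when a DAD packet arrives for an address already bound to a different MAC on the same port) the example keeps the existing binding, which is an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class DadNs:
    """One DAD Neighbor Solicitation as observed by the switch (constructed sample data)."""
    t: float        # arrival time, seconds
    interface: str  # ingress port
    vlan: int
    mac: str        # source link-layer address of the client
    target: str     # tentative IPv6 address under test

@dataclass
class Binding:
    mac: str
    interface: str
    last_seen: float

def auto_dad(target, link_has_na, retries=0, retrans_interval=1.0):
    """Auto-DAD on the client's behalf: send an NS for `target`, wait one
    retrans_interval for an NA, then retry `retries` more times (defaults
    follow the page: 1 second, no retries). `link_has_na(target)` models
    the link and returns True when an NA arrives. Returns (verdict, seconds waited)."""
    waited = 0.0
    for _ in range(1 + retries):
        if link_has_na(target):
            return "duplicate", waited        # address cannot be assigned
        waited += retrans_interval
    return "confirmed", waited

class SlaacSnooper:
    """Builds IP-MAC bindings from DAD packets and validates client packets against them."""

    def __init__(self, unicast_dad=lambda interface, target: False):
        self.enabled_vlans = set()
        self.trusted = set()
        self.bindings = {}                     # (vlan, ip) -> Binding
        self.limits = {}                       # interface -> (count, duration)
        self._dad_times = defaultdict(deque)   # interface -> recent DAD timestamps
        self._unicast_dad = unicast_dad        # (interface, target) -> NA received?

    def enable_vlan(self, vlan):
        self.enabled_vlans.add(vlan)

    def mark_trusted(self, interface):
        self.trusted.add(interface)

    def set_max_allowed_contention(self, interface, count, duration):
        self.limits[interface] = (count, duration)

    def _contention_exceeded(self, interface, t):
        if interface in self.trusted or interface not in self.limits:
            return False                       # limit does not apply to trusted ports
        count, duration = self.limits[interface]
        window = self._dad_times[interface]
        window.append(t)
        while window and t - window[0] > duration:   # keep only messages inside the window
            window.popleft()
        return len(window) > count

    def process_dad(self, ns):
        if ns.vlan not in self.enabled_vlans:
            return "not-snooped"               # snooping is enabled per VLAN
        if self._contention_exceeded(ns.interface, ns.t):
            return "contention-exceeded"       # interface invalid: table not updated
        key = (ns.vlan, ns.target)
        current = self.bindings.get(key)
        if current is None:
            self.bindings[key] = Binding(ns.mac, ns.interface, ns.t)
            return "learned"
        if (ns.interface in self.trusted and current.interface not in self.trusted
                and current.mac == ns.mac):
            # Same IP/MAC already bound to an untrusted port: probe that port with a
            # unicast DAD; renew on NA, otherwise delete. The trusted-port binding is
            # only added when that port's own NS is seen later (falls into "learned").
            if self._unicast_dad(current.interface, ns.target):
                current.last_seen = ns.t
                return "untrusted-renewed"
            del self.bindings[key]
            return "untrusted-deleted"
        if current.mac == ns.mac and current.interface != ns.interface:
            del self.bindings[key]             # MAC move: first NS flushes the old port
            return "flushed"
        if current.mac != ns.mac:
            return "conflict"                  # assumption: existing binding is kept
        current.last_seen = ns.t
        return "refreshed"

    def validate(self, vlan, src_ip, src_mac, interface):
        """Inspect a client NDP/IP packet: accept only if it matches a learned binding."""
        b = self.bindings.get((vlan, src_ip))
        return b is not None and b.mac == src_mac and b.interface == interface
```

Reading the table as a defender: a packet whose source address has no binding, or whose binding points at another port or MAC, is exactly the forged-link-layer-address case the overview warns about, and `validate` is where it is dropped. The contention window is what keeps a client that floods DAD messages from filling the table; the trusted-port probe is what stops a stale untrusted entry from blocking a host that legitimately moved to a trusted port.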
Configuring Persistent SLAAC Snooping Bindings
The IP-MAC bindings in the DHCP snooping database file are not persistent. If the switch is rebooted, the bindings are lost. You can configure persistent bindings by specifying a local pathname or a remote URL for the storage location of the SLAAC snooping database file.
To configure persistent bindings for SLAAC snooping, use the following command:
[edit] user@switch# set system processes slaac-snooping persistent-file (local-pathname | remote-url) write-interval seconds