Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2620


Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3
- Out-of-Band Management—A dedicated management Ethernet port on the rear panel allows out-of-band management.
- Software Images—All Junos OS images are signed by Juniper Networks certificate authority (CA) with public key infrastructure (PKI).
- User Authentication, Authorization, and Accounting (AAA)—Features include:
  - User and group accounts with password encryption and authentication.
  - Access privilege levels configurable for login classes and user templates.
  - RADIUS authentication, TACACS+ authentication, or both, for authenticating users who attempt to access the switch.
  - Auditing of configuration changes through system logging or RADIUS/TACACS+.
- 802.1X Authentication—Provides network access control. Supplicants (hosts) are authenticated when they initially connect to a LAN. Authenticating supplicants before they receive an IP address from a DHCP server prevents unauthorized supplicants from gaining access to the LAN. EX Series switches support Extensible Authentication Protocol (EAP) methods, including EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP.
- Port Security—Access port security features include:
  - DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database).
  - Dynamic ARP inspection (DAI)—Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons.
  - MAC limiting—Protects against flooding of the Ethernet switching table.
  - MAC move limiting—Detects MAC movement and MAC spoofing on access ports.
  - Trusted DHCP server—With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases.
  - IP source guard—Mitigates the effects of IP address spoofing attacks on the Ethernet LAN. The source IP address in the packet sent from an untrusted access interface is validated against the source MAC address in the DHCP snooping database. The packet is allowed for further processing if the source IP address to source MAC address binding is valid; if the binding is not valid, the packet is discarded.
  - DHCP option 82—Also known as the DHCP relay agent information option. Helps protect the EX Series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client.
  - Unrestricted proxy ARP—The switch responds to all ARP messages with its own MAC address. Hosts that are connected to the switch's interfaces cannot communicate
Copyright © 2010, Juniper Networks, Inc.
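
The DHCP snooping, dynamic ARP inspection and IP source guard checks described in the port security list above, as a simplified Python model. This is an added example, not Junos code or configuration: the class, method and port names and all addresses are constructed, the database holds only the IP/MAC pair, and the model assumes traffic on trusted ports is not checked.

```python
from dataclasses import dataclass, field


@dataclass
class AccessSwitch:
    trusted_ports: set                                # ports where a DHCP server may sit
    snooping_db: dict = field(default_factory=dict)   # IP address -> MAC address

    def dhcp_ack(self, port, client_mac, leased_ip):
        """DHCP snooping: server messages are accepted only on trusted ports."""
        if port not in self.trusted_ports:
            return "drop"                             # rogue server, no binding learned
        self.snooping_db[leased_ip] = client_mac
        return "forward"

    def _binding_ok(self, port, mac, ip):
        # Model assumption: traffic arriving on trusted ports is not checked.
        return port in self.trusted_ports or self.snooping_db.get(ip) == mac

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP inspection: compare the ARP sender fields with the database."""
        return "forward" if self._binding_ok(port, sender_mac, sender_ip) else "drop"

    def ip_packet(self, port, src_mac, src_ip):
        """IP source guard: compare source IP and source MAC with the database."""
        return "forward" if self._binding_ok(port, src_mac, src_ip) else "discard"


def run_scenario():
    """Constructed sample traffic; port names and addresses are made up."""
    sw = AccessSwitch(trusted_ports={"ge-0/0/8"})
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    return {
        # A lease offered from an access port is dropped and leaves no binding.
        "rogue_ack": sw.dhcp_ack("ge-0/0/2", host_b, "192.0.2.66"),
        # A lease from the trusted port creates the binding 192.0.2.10 -> host_a.
        "legit_ack": sw.dhcp_ack("ge-0/0/8", host_a, "192.0.2.10"),
        "arp_ok": sw.arp("ge-0/0/1", host_a, "192.0.2.10"),
        # host_b claims host_a's address in an ARP reply and in an IP packet.
        "arp_spoof": sw.arp("ge-0/0/2", host_b, "192.0.2.10"),
        "ip_ok": sw.ip_packet("ge-0/0/1", host_a, "192.0.2.10"),
        "ip_spoof": sw.ip_packet("ge-0/0/2", host_b, "192.0.2.10"),
        # host_b uses the address the rogue server handed out: no binding exists.
        "ip_unleased": sw.ip_packet("ge-0/0/2", host_b, "192.0.2.66"),
        "db": dict(sw.snooping_db),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Because both checks read the same database, a host with a statically configured address has no binding and is filtered just like a spoofer in this model.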
