Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2962

For EX Series Ethernet Switches
Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

default 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0

Meaning
The sample output shows that with a MAC limit of 3 for each interface, the DHCP request
for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit.
Because only 3 MAC addresses can be learned on each of the two interfaces, attempted
DHCP starvation attacks will fail.

Related Documentation
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC
Move Limiting, on an EX Series Switch on page 2849
Configuring MAC Limiting (CLI Procedure) on page 2915
Configuring MAC Limiting (J-Web Procedure) on page 2917

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

In an ARP spoofing attack, the attacker associates its own MAC address with the IP
address of a network device connected to the switch. Traffic intended for that IP address
is now sent to the attacker instead of being sent to the intended destination. The attacker
can send faked, or "spoofed," ARP messages on the LAN.

NOTE: On EX Series switches, when dynamic ARP inspection (DAI) is enabled,
the switch logs the number of invalid ARP packets that it receives on each
interface, along with the sender's IP and MAC addresses. You can use these
log messages to discover ARP spoofing on the network.

This example describes how to configure DHCP snooping and dynamic ARP inspection
(DAI), two port security features, to protect the switch against ARP spoofing attacks:
Requirements on page 2866
Overview and Topology on page 2867
Configuration on page 2868
Verification on page 2869

Requirements
This example uses the following hardware and software components:
One EX Series switch
Junos OS Release 9.0 or later for EX Series switches
A DHCP server to provide IP addresses to network devices on the switch
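
A simplified model of the check DAI applies, added here as an illustration and not taken from the Juniper manual or from Junos code: each ARP packet's sender IP and MAC are compared with the DHCP snooping bindings, and invalid packets are counted per interface together with the sender's addresses, as the NOTE above describes. The interface names, addresses, binding table and trusted-port bypass are constructed assumptions.

```python
from collections import Counter

# Constructed DHCP snooping bindings (IP -> MAC), as learned from DHCP leases.
BINDINGS = {
    "192.0.2.10": "00:05:85:3a:82:77",
    "192.0.2.11": "00:05:85:3a:82:79",
}
# Assumption: ARP arriving on a trusted interface is not inspected.
TRUSTED = {"ge-0/0/8.0"}

# Constructed ARP packets: (ingress interface, sender IP, sender MAC).
SAMPLE_ARP = [
    ("ge-0/0/1.0", "192.0.2.10", "00:05:85:3a:82:77"),  # matches its binding
    ("ge-0/0/3.0", "192.0.2.10", "00:05:85:27:32:88"),  # claims another host's IP
    ("ge-0/0/3.0", "192.0.2.10", "00:05:85:27:32:88"),  # same claim, repeated
    ("ge-0/0/3.0", "192.0.2.99", "00:05:85:27:32:88"),  # IP with no binding at all
    ("ge-0/0/8.0", "192.0.2.1", "00:05:85:3a:82:01"),   # trusted port, not inspected
    ("ge-0/0/2.0", "192.0.2.11", "00:05:85:3A:82:79"),  # valid, upper-case MAC
]

def inspect(packets, bindings, trusted):
    """Return (forwarded packets, Counter of dropped (ifname, ip, mac))."""
    forwarded, dropped = [], Counter()
    for ifname, ip, mac in packets:
        mac = mac.lower()  # compare MAC addresses case-insensitively
        if ifname in trusted or bindings.get(ip) == mac:
            forwarded.append((ifname, ip, mac))
        else:
            dropped[(ifname, ip, mac)] += 1
    return forwarded, dropped

def invalid_per_interface(dropped):
    """Aggregate drop counts per interface, the figure the NOTE says is logged."""
    totals = Counter()
    for (ifname, _ip, _mac), count in dropped.items():
        totals[ifname] += count
    return totals

if __name__ == "__main__":
    forwarded, dropped = inspect(SAMPLE_ARP, BINDINGS, TRUSTED)
    for (ifname, ip, mac), count in dropped.items():
        print(f"{ifname}: {count} invalid ARP, sender ip/mac {ip}/{mac}")
    print(dict(invalid_per_interface(dropped)))
```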
Copyright © 2010, Juniper Networks, Inc.
