Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2977

For EX Series Ethernet switches
Copyright © 2010, Juniper Networks, Inc.
connected to untrusted access interfaces on the switch. You can enable the IP source
guard port security feature on EX Series switches to mitigate the effects of such attacks.
If IP source guard determines that a source IP address and a source MAC address in a
binding in an incoming packet are not valid, the switch does not forward the packet.
You can use IP source guard in combination with other EX Series switch features to
mitigate address-spoofing attacks on untrusted access interfaces. This example shows
two configuration scenarios:
Requirements on page 2881
Overview and Topology on page 2881
Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection on page 2882
Configuring IP Source Guard on a Guest VLAN on page 2884
Verification on page 2887

Requirements

This example uses the following hardware and software components:
Junos OS Release 9.2 or later for EX Series switches
An EX4200-24P switch
A DHCP server to provide IP addresses to network devices on the switch
A RADIUS server to provide 802.1X authentication
Before you configure IP source guard for these scenarios, be sure you have:
Connected the DHCP server to the switch.
Connected the RADIUS server and configured user authentication on the RADIUS server. See "Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch" on page 2545.
Configured the VLANs on the switch. See "Example: Setting Up Bridging with Multiple VLANs for EX Series Switches" on page 1312 for detailed information about configuring VLANs.

Overview and Topology

IP source guard checks the IP source address and MAC source address in a packet sent
from a host attached to an untrusted access interface on the switch. If IP source guard
determines that the packet header contains an invalid source IP address or source MAC
address, it ensures that the switch does not forward the packet—that is, the packet is
discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP source
guard applies its checking rules to untrusted access interfaces on those VLANs. By default,
on EX Series switches, access interfaces are untrusted and trunk interfaces are trusted.
IP source guard does not check packets that have been sent to the switch by devices
connected to either trunk interfaces or trusted access interfaces—that is, interfaces
Chapter 94: Examples: Port Security Configuration
2881
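
The checking rules described in the Overview above, modelled as an added Python example (not code or configuration from the Juniper manual). The VLAN names, interface names, addresses and the binding table keyed by VLAN and interface are constructed assumptions used only to show which packets are forwarded and which are discarded.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                # "access" or "trunk"
    trusted_override: Optional[bool] = None  # None = use the EX Series default

    @property
    def trusted(self) -> bool:
        # Default stated on the page: access = untrusted, trunk = trusted.
        if self.trusted_override is not None:
            return self.trusted_override
        return self.mode == "trunk"


def verdict(port, vlan, src_ip, src_mac, guarded_vlans, bindings):
    """Return "forward" or "discard" for one incoming packet."""
    if vlan not in guarded_vlans:
        return "forward"   # IP source guard is not enabled on this VLAN
    if port.trusted:
        return "forward"   # trunk and trusted access interfaces are not checked
    known = bindings.get((vlan, port.name), set())
    # Both the source IP and the source MAC must match one binding.
    return "forward" if (src_ip, src_mac.lower()) in known else "discard"


# Constructed sample data: VLAN names, ports and addresses are hypothetical.
GUARDED_VLANS = {"data"}
BINDINGS = {("data", "ge-0/0/1"): {("192.0.2.10", "00:00:5e:00:53:0a")}}
ACCESS = Port("ge-0/0/1", "access")
UPLINK = Port("ge-0/0/23", "trunk")
SERVER = Port("ge-0/0/8", "access", trusted_override=True)


def run_samples():
    cases = [
        (ACCESS, "data", "192.0.2.10", "00:00:5E:00:53:0A"),   # valid binding
        (ACCESS, "data", "192.0.2.99", "00:00:5e:00:53:0a"),   # wrong source IP
        (ACCESS, "data", "192.0.2.10", "00:00:5e:00:53:ff"),   # wrong source MAC
        (UPLINK, "data", "192.0.2.99", "00:00:5e:00:53:ff"),   # trunk: unchecked
        (SERVER, "data", "192.0.2.99", "00:00:5e:00:53:ff"),   # trusted access
        (ACCESS, "guest", "192.0.2.99", "00:00:5e:00:53:ff"),  # VLAN not guarded
    ]
    return [verdict(p, v, ip, mac, GUARDED_VLANS, BINDINGS)
            for p, v, ip, mac in cases]
```

The last three cases show where the check does not apply: traffic arriving on trusted interfaces or in VLANs without IP source guard is forwarded even when the source addresses match no binding.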
