Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2984

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

Action

Send some DHCP requests from network devices (here they are DHCP clients) connected
to the switch.

Use the show dhcp snooping binding command to display the DHCP snooping information
when the interface on which the DHCP server connects to the switch is trusted. View the
MAC addresses from which requests were sent and the IP addresses and leases provided
by the server.

Use the show ip-source-guard command to view IP source guard information for the
VLAN.

Meaning

When the interface on which the DHCP server connects to the switch has been set to
trusted, the output shows, for each MAC address, the assigned IP address and lease
time—that is, the time, in seconds, remaining before the lease expires. Static IP addresses
have no assigned lease time. Statically configured entries never expire.

The IP source guard database table contains the VLANs enabled for IP source guard, the
untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any,
and the IP addresses and MAC addresses that are bound to one another. If a switch
interface is associated with multiple VLANs and some of those VLANs are enabled for
IP source guard and others are not, the VLANs that are not enabled for IP source guard
have a star (*) in the IP Address and MAC Address fields.

Related Documentation

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC
Move Limiting, on an EX Series Switch on page 2849
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on
page 2580
Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with
a Voice VLAN on page 2888
Configuring IP Source Guard (CLI Procedure) on page 2923

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with
a Voice VLAN

Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source
IP addresses or source MAC addresses. These spoofed packets are sent from hosts
connected to untrusted access interfaces on the switch. You can enable the IP source
guard port security feature on EX Series switches to mitigate the effects of such attacks.
If IP source guard determines that a source IP address and a source MAC address in a
binding in an incoming packet are not valid, the switch does not forward the packet.

If two VLANs share an interface, you can configure IP source guard on just one of the
VLANs; in this example, you configure IP source guard on an untagged data VLAN but
not on the tagged voice VLAN. You can use 802.1X user authentication to validate the
device connections on the data VLAN.
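
The forwarding check described above, modelled in Python as an added example (it is
not Juniper code or switch output). The interface names, VLAN names, addresses and
the treatment of a zero lease as expired are assumptions made for the illustration;
trusted interfaces are not modelled.

```python
# Added illustration: simplified model of the IP source guard check (not Junos code).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    interface: str         # untrusted access interface
    vlan: str
    ip: str
    mac: str
    lease: Optional[int]   # seconds remaining; None = static entry, never expires

def norm(mac: str) -> str:
    return mac.lower().replace("-", ":")

def forwards(guarded_vlans, bindings, interface, vlan, src_ip, src_mac) -> bool:
    """True if the modelled switch forwards the packet, False if it drops it."""
    if vlan not in guarded_vlans:
        return True  # VLAN not enabled for IP source guard: the '*' rows, no check
    for b in bindings:
        same_port = (b.interface, b.vlan) == (interface, vlan)
        same_pair = b.ip == src_ip and norm(b.mac) == norm(src_mac)
        live = b.lease is None or b.lease > 0  # assumption: lease 0 means expired
        if same_port and same_pair and live:
            return True
    return False  # no valid IP/MAC binding on this interface and VLAN

# Constructed sample data: interface, VLAN names and addresses are hypothetical.
GUARDED = {"data"}
BINDINGS = [
    Binding("ge-0/0/14.0", "data", "192.0.2.10", "00:00:5E:00:53:01", 3600),
    Binding("ge-0/0/14.0", "data", "192.0.2.20", "00:00:5E:00:53:02", None),
    Binding("ge-0/0/14.0", "data", "192.0.2.30", "00:00:5E:00:53:03", 0),
]
CASES = [
    ("ge-0/0/14.0", "data", "192.0.2.10", "00:00:5e:00:53:01"),   # valid DHCP binding
    ("ge-0/0/14.0", "data", "192.0.2.20", "00:00:5e:00:53:01"),   # spoofed source IP
    ("ge-0/0/14.0", "data", "192.0.2.20", "00:00:5e:00:53:02"),   # static binding
    ("ge-0/0/14.0", "data", "192.0.2.30", "00:00:5e:00:53:03"),   # lease expired
    ("ge-0/0/14.0", "voice", "198.51.100.9", "00:00:5e:00:53:99"),  # unguarded VLAN
    ("ge-0/0/15.0", "data", "192.0.2.10", "00:00:5e:00:53:01"),   # wrong interface
]

def verdicts():
    return [forwards(GUARDED, BINDINGS, *case) for case in CASES]

if __name__ == "__main__":
    for case, ok in zip(CASES, verdicts()):
        print("forward" if ok else "drop   ", *case)
```

The voice VLAN case is forwarded with an unbound address, which is why the page
pairs the unguarded VLAN on a shared interface with a star in the table.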
Copyright © 2010, Juniper Networks, Inc.
