Table of Contents
Advertisement
Complete Software Guide for Junos
Chapter 94
l
®
OS for EX Series Ethernet Switches, Release 10.3
DHCP Snooping Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2829
DHCP Snooping Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2830
DHCP Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2831
Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN . . 2831
Switch Acts as DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2832
Switch Acts as Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2833
DHCP Snooping Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2834
Static IP Address Additions to the DHCP Snooping Database . . . . . . . . . . 2834
Snooping DHCP Packets That Have Invalid IP Addresses . . . . . . . . . . . . . 2834
Understanding DAI for Port Security on EX Series Switches . . . . . . . . . . . . . . . 2836
Address Resolution Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2836
ARP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2836
DAI on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2837
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX
Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2838
MAC Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2838
MAC Move Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2838
Actions for MAC Limiting and MAC Move Limiting . . . . . . . . . . . . . . . . . . . 2839
MAC Addresses That Exceed the MAC Limit or MAC Move Limit . . . . . . . . 2839
Understanding Trusted DHCP Servers for Port Security on EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2840
DHCP Option 82 Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2840
Suboption Components of Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2841
Configurations of the EX Series Switch That Support Option 82 . . . . . . . . 2842
Switch and Clients Are on Same VLAN as DHCP Server . . . . . . . . . . . 2842
Switch Acts as Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2842
IP Address Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2844
How IP Source Guard Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2844
The IP Source Guard Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2844
Typical Uses of Other Junos Operating System (Junos OS) Features with
IP Source Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2845
Understanding Proxy ARP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . 2846
Proxy ARP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2846
Best Practices for Proxy ARP on EX Series Switches . . . . . . . . . . . . . . . . . . 2847
Examples: Port Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2849
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX Series Switch . . . . . . . . . . . . . . . . . . . . 2849
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2856
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2859
Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2863
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Chapters
Table of Contents
Troubleshooting
Related Manuals for Juniper JUNOS OS 10.3 - SOFTWARE
Related Products for Juniper JUNOS OS 10.3 - SOFTWARE
- Juniper IDP OS 5.1R1 - S REV 1
- Juniper JUNOS OS 10.4 - S REV 5
- Juniper JUNOS OS 10.4 - FOR EX REV 1
- Juniper JUNOS OS 10.4 - XML API OPERATIONAL
- Juniper IDP OS 5.1R1
- Juniper JUNOS SOFTWARE 10.2 - SOFTWARE INSTALLATION AND UPGRADE GUIDE 4-28-2010
- Juniper OCX1100
- Juniper ADVANCED INSIGHT SCRIPTS 2.5 - S REV 1