Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 3210

For EX Series Ethernet Switches
Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4
Copyright © 2010, Juniper Networks, Inc.

configured with dhcp-trusted so that a DHCP server can be connected to that interface
to provide dynamic IP addresses.

IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP packets
against the entries in that database.

The topology for this example includes an EX-4200-24P switch, a connection to a DHCP
server, and a connection to a RADIUS server for user authentication.

NOTE: The 802.1X user authentication applied in this example is for single
supplicants. Single-secure supplicant mode and multiple supplicant mode
do not work with IP source guard. For more information about 802.1X
authentication, see "Understanding Authentication on EX Series Switches"
on page 2746.

In the first example configuration, two clients (network devices) are connected to an
access switch. You configure IP source guard and 802.1X user authentication, in
combination with two access port security features: DHCP snooping and dynamic ARP
inspection (DAI). This setup is designed to protect the switch from IP attacks such as
"ping of death" attacks, DHCP starvation, and ARP spoofing.

In the second example configuration, the switch is configured for 802.1X user
authentication. If the client fails authentication, the switch redirects the client to a guest
VLAN that allows this client to access a set of restricted network features. You configure
IP source guard on the guest VLAN to mitigate effects of source IP spoofing.

NOTE: Control-plane rate limiting is achieved by restricting CPU control-plane
protection. It can be used in conjunction with storm control (see
"Understanding Storm Control on EX Series Switches" on page 3013) to limit
data-plane activity.

TIP: You can set the ip-source-guard flag in the traceoptions statement for
debugging purposes.

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection

CLI Quick Configuration

To quickly configure IP source guard with 802.1X authentication and with other access
port security features, copy the following commands and paste them into the switch
terminal window:

[edit]
set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted
set ethernet-switching-options secure-access-port vlan data examine-dhcp
set ethernet-switching-options secure-access-port vlan data arp-inspection
set ethernet-switching-options secure-access-port vlan data ip-source-guard
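
The binding check that examine-dhcp and ip-source-guard set up on VLAN data can be pictured with the simplified Python model below. It is an added illustration, not code from the Juniper manual or from Junos. The function names, addresses, lease times, and the per-interface and lease-expiry checks are assumptions of this sketch.

```python
from dataclasses import dataclass

TRUSTED_PORTS = {"ge-0/0/24"}  # the dhcp-trusted port in the quick configuration

@dataclass(frozen=True)
class Binding:  # one DHCP snooping database entry (simplified, hypothetical layout)
    ip: str
    mac: str
    vlan: str
    port: str
    expires: int  # lease expiry in seconds on a constructed clock

def learn_from_ack(db, in_port, binding):
    """DHCP snooping: record a binding only if the server reply came in on a trusted port."""
    if in_port not in TRUSTED_PORTS:
        return False  # server reply seen on an access port: no binding is created
    db[(binding.vlan, binding.ip)] = binding
    return True

def source_guard(db, port, vlan, src_ip, src_mac, now):
    """IP source guard: (verdict, reason) for an IP packet received on `port`."""
    if port in TRUSTED_PORTS:
        return ("forward", "trusted port, not checked")
    b = db.get((vlan, src_ip))
    if b is None or now >= b.expires:
        return ("drop", "no live binding for this source IP in the VLAN")
    if b.mac != src_mac:
        return ("drop", "source MAC does not match the binding")
    if b.port != port:
        return ("drop", "binding belongs to another interface")
    return ("forward", "matches binding")

def demo():
    db = {}
    # Constructed sample data: one lease learned via the trusted port, valid until t=3600.
    learn_from_ack(db, "ge-0/0/24", Binding("192.0.2.10", "00:11:22:33:44:55", "data", "ge-0/0/1", 3600))
    # Constructed server reply arriving on an access port: must not create a binding.
    learn_from_ack(db, "ge-0/0/2", Binding("192.0.2.66", "00:11:22:33:44:66", "data", "ge-0/0/2", 3600))
    packets = [  # constructed packets: (port, vlan, src_ip, src_mac, now)
        ("ge-0/0/1", "data", "192.0.2.10", "00:11:22:33:44:55", 100),   # matches the lease
        ("ge-0/0/2", "data", "192.0.2.10", "00:11:22:33:44:55", 100),   # same IP and MAC, other port
        ("ge-0/0/1", "data", "192.0.2.10", "00:11:22:33:44:99", 100),   # right IP, different MAC
        ("ge-0/0/1", "data", "192.0.2.77", "00:11:22:33:44:55", 100),   # address that was never leased
        ("ge-0/0/1", "data", "192.0.2.10", "00:11:22:33:44:55", 4000),  # lease has expired
        ("ge-0/0/2", "data", "192.0.2.66", "00:11:22:33:44:66", 100),   # address from the ignored reply
    ]
    return [source_guard(db, *p) for p in packets]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In this model, a host with a manually assigned address is dropped for the same reason as a spoofed source: it has no entry in the snooping database.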
