
    Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces

    Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. You can enable the IP source guard port security feature on EX Series switches to mitigate the effects of such attacks. If IP source guard determines that the source IP address and source MAC address in an incoming packet do not match a valid binding, the switch does not forward the packet.

    You can use IP source guard in combination with other EX Series switch features to mitigate address-spoofing attacks on untrusted access interfaces. This example shows two configuration scenarios:

    Requirements

    This example uses the following hardware and software components:

    • An EX Series switch
    • Junos OS Release 9.2 or later for EX Series switches
    • A DHCP server to provide IP addresses to network devices on the switch
    • A RADIUS server to provide 802.1X authentication

    Before you configure IP source guard for the scenarios related in this example, be sure you have:

    Overview and Topology

    IP source guard checks the IP source address and MAC source address in a packet sent from a host attached to an untrusted access interface on the switch. If IP source guard determines that the packet header contains an invalid source IP address or source MAC address, it ensures that the switch does not forward the packet—that is, the packet is discarded.

    When you configure IP source guard, you enable it on one or more VLANs. IP source guard applies its checking rules to untrusted access interfaces on those VLANs. By default, on EX Series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not check packets that have been sent to the switch by devices connected to either trunk interfaces or trusted access interfaces—that is, interfaces configured with dhcp-trusted. A DHCP server can be connected to a dhcp-trusted interface to provide dynamic IP addresses.

    IP source guard obtains its IP address, MAC address, and VLAN bindings from the DHCP snooping database, which enables the switch to validate incoming IP packets against the entries in that database.

    The topology for this example includes an EX Series switch, which is connected to both a DHCP server and to a RADIUS server.

    Note: The 802.1X user authentication applied in this example is for single-supplicant mode.

    You can use IP source guard with 802.1X user authentication for single-secure supplicant or multiple supplicant mode. If you are implementing IP source guard with 802.1X authentication in single-secure supplicant or multiple supplicant mode, you must use the following configuration guidelines:

    • If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.
    • If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.

    In the first configuration example, two clients (network devices) are connected to an access switch. You configure IP source guard and 802.1X user authentication, in combination with two access port security features: DHCP snooping and dynamic ARP inspection (DAI). This setup is designed to protect the switch from IP attacks such as ping of death attacks, DHCP starvation, and ARP spoofing.

    In the second configuration example, the switch is configured for 802.1X user authentication. If the client fails authentication, the switch redirects the client to a guest VLAN that allows this client to access a set of restricted network features. You configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.

    Tip: You can set the ip-source-guard flag in the traceoptions statement for debugging purposes.

    Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection

    CLI Quick Configuration

    To quickly configure IP source guard with 802.1X authentication and with other access port security features, copy the following commands and paste them into the switch terminal window:

    [edit]
    set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted
    set ethernet-switching-options secure-access-port vlan DATA examine-dhcp
    set ethernet-switching-options secure-access-port vlan DATA arp-inspection
    set ethernet-switching-options secure-access-port vlan DATA ip-source-guard
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members DATA
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members DATA
    set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members DATA
    set protocols lldp-med interface ge-0/0/0.0
    set protocols dot1x authenticator authentication-profile-name profile52
    set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single
    set protocols lldp-med interface ge-0/0/1.0
    set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single


    Step-by-Step Procedure

    To configure IP source guard with 802.1X authentication and various port security features:

    1. Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the DATA VLAN:
      [edit ethernet-switching-options]
      user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
      [edit interfaces]
      user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members DATA
    2. Associate two other access interfaces (untrusted) with the DATA VLAN:
      [edit interfaces]
      user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members DATA
      user@switch# set ge-0/0/1 unit 0 family ethernet-switching vlan members DATA
    3. Configure 802.1X user authentication and LLDP-MED on the two interfaces that you associated with the DATA VLAN:
      [edit protocols]
      user@switch# set lldp-med interface ge-0/0/0.0
      user@switch# set dot1x authenticator authentication-profile-name profile52
      user@switch# set dot1x authenticator interface ge-0/0/0.0 supplicant single
      user@switch# set lldp-med interface ge-0/0/1.0
      user@switch# set dot1x authenticator interface ge-0/0/1.0 supplicant single
    4. Configure three access port security features—DHCP snooping, dynamic ARP inspection (DAI), and IP source guard—on the DATA VLAN:
      [edit ethernet-switching-options]
      user@switch# set secure-access-port vlan DATA examine-dhcp
      user@switch# set secure-access-port vlan DATA arp-inspection
      user@switch# set secure-access-port vlan DATA ip-source-guard

    Results

    Check the results of the configuration:

    [edit ethernet-switching-options]
    secure-access-port {
        interface ge-0/0/24.0 {
            dhcp-trusted;
        }
        vlan DATA {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }

    [edit interfaces]
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members DATA;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members DATA;
                }
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members DATA;
                }
            }
        }
    }

    [edit protocols]
    lldp-med {
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
    }
    dot1x {
        authenticator {
            authentication-profile-name profile52;
            interface {
                ge-0/0/0.0 {
                    supplicant single;
                }
                ge-0/0/1.0 {
                    supplicant single;
                }
            }
        }
    }

    Configuring IP Source Guard on a Guest VLAN

    CLI Quick Configuration

    To quickly configure IP source guard on a guest VLAN, copy the following commands and paste them into the switch terminal window:

    [edit]
    set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted
    set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members GUEST
    set ethernet-switching-options secure-access-port vlan GUEST examine-dhcp
    set ethernet-switching-options secure-access-port vlan GUEST ip-source-guard
    set ethernet-switching-options secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan GUEST
    set ethernet-switching-options secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan GUEST
    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
    set protocols dot1x authenticator authentication-profile-name profile52
    set protocols dot1x authenticator interface ge-0/0/0 supplicant single
    set protocols dot1x authenticator interface ge-0/0/0 guest-vlan GUEST
    set protocols dot1x authenticator interface ge-0/0/0 supplicant-timeout 2
    set protocols dot1x authenticator interface ge-0/0/1 supplicant single
    set protocols dot1x authenticator interface ge-0/0/1 guest-vlan GUEST
    set protocols dot1x authenticator interface ge-0/0/1 supplicant-timeout 2

    Step-by-Step Procedure

    To configure IP source guard on a guest VLAN:

    1. Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the GUEST VLAN:
      [edit ethernet-switching-options]
      user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
      [edit interfaces]
      user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members GUEST
    2. Configure two interfaces for the access port mode:
      [edit interfaces]
      user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode access
      user@switch# set ge-0/0/1 unit 0 family ethernet-switching port-mode access
    3. Configure DHCP snooping and IP source guard on the GUEST VLAN:
      [edit ethernet-switching-options]
      user@switch# set secure-access-port vlan GUEST examine-dhcp
      user@switch# set secure-access-port vlan GUEST ip-source-guard
    4. (Optional) Configure a static IP address and MAC address binding on each of the two untrusted interfaces on the GUEST VLAN:
      [edit ethernet-switching-options]
      user@switch# set secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan GUEST
      user@switch# set secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan GUEST
    5. Configure 802.1X user authentication:
      [edit protocols]
      user@switch# set dot1x authenticator authentication-profile-name profile52
      user@switch# set dot1x authenticator interface ge-0/0/0 supplicant single
      user@switch# set dot1x authenticator interface ge-0/0/1 supplicant single
      user@switch# set dot1x authenticator interface ge-0/0/0 supplicant-timeout 2
      user@switch# set dot1x authenticator interface ge-0/0/1 supplicant-timeout 2

    Results

    Check the results of the configuration:

    [edit protocols]
    dot1x {
        authenticator {
            authentication-profile-name profile52;
            interface {
                ge-0/0/0.0 {
                    guest-vlan GUEST;
                    supplicant single;
                    supplicant-timeout 2;
                }
                ge-0/0/1.0 {
                    guest-vlan GUEST;
                    supplicant single;
                    supplicant-timeout 2;
                }
            }
        }
    }

    [edit vlans]
    GUEST {
        vlan-id 100;
    }

    [edit interfaces]
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members GUEST;
                }
            }
        }
    }

    [edit ethernet-switching-options]
    secure-access-port {
        interface ge-0/0/0.0 {
            static-ip 11.1.1.1 vlan GUEST mac 00:11:11:11:11:11;
        }
        interface ge-0/0/1.0 {
            static-ip 11.1.1.2 vlan GUEST mac 00:22:22:22:22:22;
        }
        interface ge-0/0/24.0 {
            dhcp-trusted;
        }
        vlan GUEST {
            examine-dhcp;
            ip-source-guard;
        }
    }

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying That 802.1X User Authentication Is Working on the Interface

    Purpose

    Verify that the 802.1X configuration is working on the interface.

    Action

    user@switch> show dot1x interface ge-0/0/0.0 detail
    ge-0/0/0.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 2
      Quiet period: 30 seconds
      Transmit period: 15 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 2 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 1
      Guest VLAN member: GUEST
      Number of connected supplicants: 1
        Supplicant: md5user01, 00:30:48:90:53:B7
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentcation method: Radius
          Authenticated VLAN: DATA
          Session Reauth interval: 3600 seconds
          Reauthentication due in 3581 seconds
    

    Meaning

    The Supplicant mode field displays the configured administrative mode for each interface. The Guest VLAN member field displays the VLAN to which a supplicant is connected when the supplicant is authenticated using a guest VLAN. The Authenticated VLAN field displays the VLAN to which the supplicant is connected.

    Verifying the VLAN Association with the Interface

    Purpose

    Verify interface states and VLAN memberships.

    Action


    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/0.0   up     DATA          101  untagged  unblocked
    ge-0/0/1.0   up     DATA          101  untagged  unblocked
    ge-0/0/24    up     DATA          101  untagged  unblocked

    Meaning

    The VLAN members field shows the associations between VLANs and interfaces. The State field shows whether the interfaces are up or down.

    For the guest VLAN configuration, the interface is associated with the guest VLAN if and when the supplicant fails 802.1X user authentication.

    Verifying That DHCP Snooping Is Working on the VLAN

    Purpose

    Verify that DHCP snooping is enabled and working on the VLAN. Send some DHCP requests from network devices (DHCP clients) connected to the switch.

    Action


    DHCP Snooping Information:
    MAC address        IP address   Lease (seconds)  Type     VLAN  Interface
    00:30:48:90:53:B7  212.2.1.241  86392            dynamic  DATA  ge-0/0/24.0

    Meaning

    When the interface on which the DHCP server connects to the switch has been set to dhcp-trusted, the output shows, for each MAC address, the assigned IP address and the lease time—that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time; statically configured entries never expire.

    Verifying That IP Source Guard Is Working on the VLAN

    Purpose

    Verify that IP source guard is enabled and working on the VLAN.

    Action

    user@switch> show ip-source-guard

    IP source guard information:
    Interface   Tag  IP Address   MAC Address        VLAN
    ge-0/0/0.0  0    212.2.1.242  00:30:48:90:63:B7  DATA
    ge-0/0/1.0  0    212.2.1.243  00:30:48:90:73:B7  DATA

    Meaning

    The IP source guard database table contains the VLANs for which IP source guard is enabled, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs have IP source guard enabled (or configured) while others do not have IP source guard enabled, the VLANs that do not have IP source guard enabled have a star (*) in the IP Address and MAC Address fields.
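    The binding check that the overview and this Meaning section describe (the source IP and MAC of a packet must match a database entry for that VLAN and interface, trusted interfaces are exempt, and VLANs without IP source guard show star columns and are not checked), modelled in Python as an added example. This is not Juniper's code; it parses the table layout shown above, and the VOICE row, the trusted interface set and the set of IP-source-guard VLANs are constructed assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One IP/MAC/VLAN/interface binding, as held in the snooping database."""
    ip: str
    mac: str
    vlan: str
    interface: str


# Constructed sample in the layout of 'show ip-source-guard'; the VOICE row
# models a VLAN on ge-0/0/1.0 that has no IP source guard (star columns).
SAMPLE_OUTPUT = """\
IP source guard information:
Interface     Tag  IP Address    MAC Address        VLAN
ge-0/0/0.0    0    212.2.1.242   00:30:48:90:63:B7  DATA
ge-0/0/1.0    0    212.2.1.243   00:30:48:90:73:B7  DATA
ge-0/0/1.0    0    *             *                  VOICE
"""
TRUSTED = {"ge-0/0/24.0"}       # assumed dhcp-trusted uplink to the DHCP server
IPSG_VLANS = {"DATA", "GUEST"}  # assumed VLANs configured with ip-source-guard


def parse_ip_source_guard(output):
    """Turn the show output into a set of Binding objects.

    Star rows belong to VLANs without IP source guard; they carry no binding
    and are skipped (ipsg_allows lets such traffic through unchanged)."""
    bindings = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5:           # title and header rows have other widths
            continue
        interface, _tag, ip, mac, vlan = parts
        if ip == "*" or mac == "*":
            continue
        bindings.add(Binding(ip, mac.lower(), vlan, interface))
    return bindings


def ipsg_allows(bindings, interface, vlan, src_ip, src_mac):
    """Return True if a packet with this source would be forwarded."""
    if interface in TRUSTED:          # trusted interfaces are never checked
        return True
    if vlan not in IPSG_VLANS:        # no IP source guard on this VLAN
        return True
    # Otherwise the exact IP/MAC/VLAN/interface tuple must be in the database.
    return Binding(src_ip, src_mac.lower(), vlan, interface) in bindings
```

A packet whose IP is bound to a different MAC, or whose binding belongs to another interface, is dropped even though both values exist somewhere in the table.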

    Published: 2013-01-07