Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks

    In a rogue DHCP server attack, an attacker has introduced a rogue server into the network, allowing it to give IP address leases to the network's DHCP clients and to assign itself as the gateway device.

    This example describes how to configure a DHCP server interface as untrusted to protect the switch from a rogue DHCP server:

    Requirements

    This example uses the following hardware and software components:

    • One EX Series switch or one QFX3500 switch
    • Junos OS Release 9.0 or later for EX Series switches or Junos OS Release 12.1 or later for the QFX Series
    • A DHCP server to provide IP addresses to network devices on the switch

    Before you configure an untrusted DHCP server interface to mitigate rogue DHCP server attacks, be sure you have:

    Overview and Topology

    Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from rogue DHCP server attacks.

    This example shows how to explicitly configure an untrusted interface on an EX3200-24P switch and a QFX3500 switch. Figure 1 illustrates the topology for this example.

    Figure 1: Network Topology for Basic Port Security

    Network Topology for Basic Port Security

    The components of the topology for this example are shown in Table 1.

    Table 1: Components of the Port Security Topology

    PropertiesSettings

    Switch hardware

    One EX3200-24P, 24 ports (8 PoE ports) or one QFX3500 switch

    VLAN name and ID

    employee-vlan, tag 20

    VLAN subnets

    192.0.2.16/28
    192.0.2.17 through 192.0.2.30
    192.0.2.31 is the subnet's broadcast address

    Interfaces in employee-vlan

    ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8

    Interface for DHCP server

    ge-0/0/8

    In this example, the switch has already been configured as follows:

    • Secure port access is activated on the switch.
    • DHCP snooping is enabled on the VLAN employee-vlan.
    • The interface (port) where the rogue DHCP server has connected to the switch is currently trusted.

    Configuration

    To configure the DHCP server interface as untrusted because the interface is being used by a rogue DHCP server:

    CLI Quick Configuration

    To quickly set the rogue DHCP server interface as untrusted, copy the following command and paste it into the switch terminal window:

    [edit ethernet-switching-options secure-access-port]
    set interface ge-0/0/8 no-dhcp-trusted

    Step-by-Step Procedure

    To set the DHCP server interface as untrusted:

    • Specify the interface (port) from which DHCP responses are not allowed:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface ge-0/0/8 no-dhcp-trusted

    Results

    Check the results of the configuration:

    [edit ethernet-switching-options secure-access-port]user@switch# show
    interface ge-0/0/8.0 {no-dhcp-trusted;}

    Verification

    Confirm that the configuration is working properly.

    Verifying That the DHCP Server Interface Is Untrusted

    Purpose

    Verify that the DHCP server is untrusted.

    Action

    1. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.
    2. Display the DHCP snooping information when the port on which the DHCP server connects to the switch is not trusted.

    Meaning

    There is no output from the command because no entries are added to the DHCP snooping database.

     

    Related Documentation

     

    Published: 2013-08-15

    Previous Page Next Page