Understanding IP Source Guard for Port Security on Switches

IP Address Spoofing

Hosts on access interfaces can spoof source IP addresses and source MAC addresses by flooding the switch with packets containing invalid addresses. Such attacks combined with other techniques such as TCP SYN flood attacks can cause denial-of-service (DoS) attacks. With source IP address or source MAC address spoofing, the system administrator cannot identify the source of the attack. The attacker can spoof addresses on the same subnet or on a different subnet.

How IP Source Guard Works

IP source guard examines each packet sent from a host attached to an untrusted access interface on the switch. The IP address, MAC address, VLAN and interface associated with the host is checked against entries stored in the DHCP snooping database. If the packet header does not match a valid entry in the DHCP snooping database, the switch does not forward the packet—that is, the packet is discarded.

IP source guard examines packets sent from untrusted access interfaces on those VLANs. By default, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not examine packets that have been sent to the switch by devices connected to trusted interfaces so that a DHCP server can be connected to that interface to provide dynamic IP addresses.

IPv6 Source Guard

IPv6 source guard is available on switches that support DHCPv6 snooping. To determine whether your switch supports DHCPv6 snooping, see Feature Explorer.

The DHCP Snooping Table

IP source guard obtains information about IP address to MAC address bindings (IP-MAC binding) from the DHCP snooping table, also known as the DHCP binding table. The DHCP snooping table is populated either through dynamic DHCP snooping or through configuration of specific static IP address to MAC address bindings. For more information about the DHCP snooping table, see Understanding DHCP Snooping (ELS).

To display the DHCP snooping table, issue the operational mode command that appears in the switch CLI.

For DHCP snooping:

• (For non-ELS switches) show ip-source-guard

• (ELS switches only) show dhcp-security binding

For DHCPv6 snooping:

• (For non-ELS switches) show dhcpv6 snooping binding

• (ELS switches only) show dhcp-security ipv6 binding

Typical Uses of Other Junos OS Features with IP Source Guard

You can configure IP source guard with various other port security features including:

• VLAN tagging (used for voice VLANs)

• GRES (graceful Routing Engine switchover)

• Virtual Chassis configurations

• Link aggregation groups (LAGs)

• 802.1X user authentication in single supplicant, single-secure supplicant, or multiple supplicant mode.

  Note:

  While implementing 801.X user authentication in single-secure supplicant or multiple supplicant mode, use the following configuration guidelines:

  • If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership. This also applies to IPv6 source guard and DHCPv6 snooping.

  • If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership. This also applies to IPv6 source guard and DHCPv6 snooping.