Example: Configuring MAC Limiting
Example: Protecting against DHCP Starvation Attacks
In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests from spoofed (counterfeit) MAC addresses, causing the switch's overworked DHCP server to stop assigning IP addresses and lease times to legitimate DHCP clients on the switch (hence the name starvation). Requests from those clients are either dropped or directed to a rogue DHCP server set up by the attacker.
This example describes how to configure MAC limiting, a port security feature, to protect the switch against DHCP starvation attacks:
Requirements
This example uses the following hardware and software components:
One EX Series or QFX3500 switch
Junos OS Release 9.0 or later for EX Series switches, or Junos OS Release 12.1 or later for the QFX Series switch
A DHCP server to provide IP addresses to network devices on the switch
Before you configure MAC limiting, a port security feature, to mitigate DHCP starvation attacks, be sure you have:
Connected the DHCP server to the switch.
Configured the VLAN employee-vlan on the switch.
Overview and Topology
Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch against one common type of attack, a DHCP starvation attack.
This example shows how to configure port security features on a switch connected to a DHCP server. The setup for this example includes the VLAN employee-vlan on the switch. The procedure for creating that VLAN on an EX Series switch is described in the topic, Example: Setting Up Bridging with Multiple VLANs for EX Series Switches. The procedure is not repeated here.
Figure 1 illustrates the topology for this example.
Topology
The components of the topology for this example are shown in Table 1.
| Properties | Settings |
|---|---|
Switch hardware |
QFX3500 switch |
VLAN name and ID |
employee-vlan |
Interfaces in employee-vlan |
ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8 |
Interface for DHCP server |
ge-0/0/8 |
In this example, the switch has already been configured as follows:
Secure port access is activated on the switch.
No MAC limit is set on any of the interfaces.
DHCP snooping is disabled on the VLAN employee-vlan.
All access interfaces are untrusted, which is the default setting.
Configuration
To configure the MAC limiting port security feature to protect the switch against DHCP starvation attacks:
Procedure
CLI Quick Configuration
To quickly configure MAC limiting, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 3 action drop set interface ge-0/0/2 mac-limit 3 action drop
Step-by-Step Procedure
Configure MAC limiting:
Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge–0/0/1mac-limit 3 action drop
Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 mac-limit 3 action drop
Results
Check the results of the configuration:
[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
mac-limit 3 action drop;
}
interface ge-0/0/2.0 {
mac-limit 3 action drop;
}
Verification
To confirm that the configuration is working properly:
Verifying That MAC Limiting Is Working Correctly on the Switch
Purpose
Verify that MAC limiting is working on the switch.
Action
Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.
Display the MAC addresses learned when DHCP requests are sent from hosts on ge-0/0/1 and from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 3 with the action drop:
user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 6 learned VLAN MAC address Type Age Interfaces default * Flood - ge-0/0/2.0 default 00:05:85:3A:82:77 Learn 0 ge-0/0/1.0 default 00:05:85:3A:82:79 Learn 0 ge-0/0/1.0 default 00:05:85:3A:82:80 Learn 0 ge-0/0/1.0 default 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0 default 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0 default 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 3 for each interface, the DHCP request for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit.
Because only 3 MAC addresses can be learned on each of the two interfaces, attempted DHCP starvation attacks will fail.
Example: Protecting against Rogue DHCP Server Attacks
In a rogue DHCP server attack, an attacker has introduced a rogue server into the network, allowing it to give IP address leases to the network's DHCP clients and to assign itself as the gateway device.
This example describes how to configure a DHCP server interface as untrusted to protect the switch from a rogue DHCP server:
Requirements
This example uses the following hardware and software components:
One EX Series switch or one QFX3500 switch
Junos OS Release 9.0 or later for EX Series switches or Junos OS Release 12.1 or later for the QFX Series
A DHCP server to provide IP addresses to network devices on the switch
Before you configure an untrusted DHCP server interface to mitigate rogue DHCP server attacks, be sure you have:
Connected the DHCP server to the switch.
Enabled DHCP snooping on the VLAN.
Configured a VLAN on the switch. See the task for your platform:
Overview and Topology
Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from rogue DHCP server attacks.
This example shows how to explicitly configure an untrusted interface on an EX3200-24P switch and a QFX3500 switch. Figure 2 illustrates the topology for this example.
Topology
The components of the topology for this example are shown in Table 2.
| Properties | Settings |
|---|---|
Switch hardware |
One EX3200-24P, 24 ports (8 PoE ports) or one QFX3500 switch |
VLAN name and ID |
employee-vlan, tag 20 |
VLAN subnets |
192.0.2.16/28 192.0.2.17 through 192.0.2.30192.0.2.31 is the subnet's broadcast address |
Interfaces in employee-vlan |
ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8 |
Interface for DHCP server |
ge-0/0/8 |
In this example, the switch has already been configured as follows:
Secure port access is activated on the switch.
DHCP snooping is enabled on the VLAN employee-vlan.
The interface (port) where the rogue DHCP server has connected to the switch is currently trusted.
Configuration
To configure the DHCP server interface as untrusted because the interface is being used by a rogue DHCP server:
Procedure
CLI Quick Configuration
To quickly set the rogue DHCP server interface as untrusted, copy the following command and paste it into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/8 no-dhcp-trusted
Step-by-Step Procedure
To set the DHCP server interface as untrusted:
Specify the interface (port) from which DHCP responses are not allowed:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/8 no-dhcp-trusted
Results
Check the results of the configuration:
[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/8.0 {
no-dhcp-trusted;
}
Verification
Confirm that the configuration is working properly.
Verifying That the DHCP Server Interface Is Untrusted
Purpose
Verify that the DHCP server is untrusted.
Action
Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.
Display the DHCP snooping information when the port on which the DHCP server connects to the switch is not trusted.
Meaning
There is no output from the command because no entries are added to the DHCP snooping database.
Example: Protecting against Ethernet Switching Table Overflow Attacks
In an Ethernet switching table overflow attack, an intruder sends so many requests from new MAC addresses that the Ethernet switching table fills up and then overflows, forcing the switch to broadcast all messages.
This example describes how to configure MAC limiting and allowed MAC addresses, two port security features, to protect the switch from Ethernet switching table attacks:
Requirements
This example uses the following hardware and software components:
One EX Series switch or QFX3500 switch
Junos OS Release 9.0 or later for EX Series switches or Junos OS 12.1 or later for the QFX Series.
A DHCP server to provide IP addresses to network devices on the switch
Before you configure specific port security features to mitigate common access-interface attacks, be sure you have:
Connected the DHCP server to the switch.
Configured a VLAN on the switch. See the task for your platform:
Overview and Topology
Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from an attack on the Ethernet switching table that causes the table to overflow and thus forces the switch to broadcast all messages.
This example shows how to configure port security features on a switch connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The procedure for creating that VLAN is described in the topic Example: Setting Up Bridging with Multiple VLANs for EX Series Switches and Example: Setting Up Bridging with Multiple VLANs for the QFX Series. That procedure is not repeated here. Figure 3 illustrates the topology for this example.
Topology
The components of the topology for this example are shown in Table 3.
| Properties | Settings |
|---|---|
Switch hardware |
One EX Series switch or one QFX3500 switch |
VLAN name and ID |
employee-vlan, tag 20 |
VLAN subnets |
192.0.2.16/28192.0.2.17 through 192.0.2.30 192.0.2.31 is subnet's broadcast address |
Interfaces in employee-vlan |
ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8 |
Interface for DHCP server |
ge-0/0/8 |
In this example, use the MAC limit feature to control the total number of MAC addresses that can be added to the Ethernet switching table for the specified interface. Use the allowed MAC addresses feature to ensure that the addresses of network devices whose network access is critical are guaranteed to be included in the Ethernet switching table.
In this example, the switch has already been configured as follows:
Secure port access is activated on the switch.
No MAC limit is set on any of the interfaces.
All access interfaces are untrusted, which is the default setting.
Configuration
To configure MAC limiting and some allowed MAC addresses to protect the switch against Ethernet switching table overflow attacks:
Procedure
CLI Quick Configuration
To quickly configure MAC limiting, clear the MAC forwarding table, and configure some allowed MAC addresses, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 4 action drop set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 exit exit clear ethernet-switching-table interface ge-0/0/1
Step-by-Step Procedure
Configure MAC limiting and some allowed MAC addresses:
Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with different addresses be dropped once the limit is exceeded on the interface:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 mac-limit (Access Port Security) 4 action drop
Clear the current entries for interface ge-0/0/1 from the MAC address forwarding table :
user@switch# clear ethernet-switching-table interface ge-0/0/1
Configure the allowed MAC addresses on ge-0/0/2:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
Results
Check the results of the configuration:
[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
mac-limit 4 action drop;
}
interface ge-0/0/2.0 {
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85
:3a:82:85 ];
}
Verification
To confirm that the configuration is working properly:
Verifying That MAC Limiting Is Working Correctly on the Switch
Purpose
Verify that MAC limiting is working on the switch.
Action
Display the MAC cache information after DHCP requests have been sent from hosts on ge-0/0/1, with the interface set to a MAC limit of 4 with the action drop, and after four allowed MAC addresses have been configured on interface ge/0/0/2:
user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type Age Interfaces employee-vlan 00:05:85:3A:82:71 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:74 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:77 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:79 Learn 0 ge-0/0/1.0 employee-vlan * Flood 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0 employee-vlan * Flood - ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for the interface, the DHCP request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the MAC limit and that only the specified allowed MAC addresses have been learned on the ge-0/0/2 interface.