This lab will discuss and demonstrate the configuration and verification of port security, DHCP snooping and dynamic ARP inspection, which are used to prevent MAC table poisoning, unauthorized DHCP servers and host spoofing.
Most inexperienced network engineers will take brand new Juniper switches out of the box, configure VLANs on them, set up the hostname, usernames, SSH, etc., assign ports to VLANs and put them into production.
This approach works, however it is lacking when it comes to layer 2 security.
Did you know that MAC address poisoning can turn a $10,000 switch into a really expensive hub? This is a type of layer 2 attack that attackers may use to gather information on the network using Wireshark.
Another form of attack is a default gateway man-in-the-middle attack, which is commonly executed by placing an unauthorized rogue DHCP server on the network that hands out IP addresses in the same subnet as the target network, with the default gateway set to the attacker's computer, so traffic can be captured in real time and mined for private information carried in insecure transmissions that should have been secured.
Attackers may also spoof the MAC addresses of legitimate hosts so that IP packets destined for servers are delivered to them, and data-mine secure information that way.
These are all types of layer 2 attacks which can be mitigated, however most engineers fail to act until it's too late.
First let's look at secure access ports (known as Port Security on Cisco) by configuring a switch port to only allow specific MAC addresses or a limited number of dynamically learned addresses. Why would you need this? This is intended to protect the MAC address table from being overloaded in a CAM table attack, which fills the MAC address table and turns the switch into a hub.
If you architect your layer 2 network correctly, there is no reason why a single cubicle wall jack needs to have more than 3 MAC addresses: 1 for the phone, 1 for the phone's built-in switch and 1 for the desktop.
To configure a secure access port to only allow 3 MAC addresses, you'd use the following command:
set ethernet-switching-options secure-access-port interface ge-0/0/0 mac-limit 3 action shutdown
Also notice that you can set the action taken on a secure-access-port violation, on a per-interface basis. You have 4 options to choose from: drop, log, none and shutdown. The default action is drop, which discards traffic from MAC addresses that violate the limit.
You also have the ability to limit a port to a single MAC address and statically define that MAC address, using set ethernet-switching-options secure-access-port interface ge-0/0/0 allowed-mac 00:50:85:AA:BB:CC and limiting the MAC count to 1.
Lastly is the ability to configure persistent MAC address learning on a specific port. For example, a printer is being installed in the office and you do not know the MAC address of the printer yet, however you want to ensure that once it's plugged in, any other device plugged into the port with a different MAC address will have its traffic dropped. This can be done by limiting the MAC count to 1 on the interface and enabling persistent learning on it with the set ethernet-switching-options secure-access-port interface ge-0/0/0 persistent-learning command.
To verify the secure access port MAC address limit(s) and violations you'll use show ethernet-switching table interface ifname, where ifname is the desired interface. An example has been provided below:
root@SW1> show ethernet-switching table interface ge-0/0/0
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age   Interfaces
  Sales             *                 Flood          -   All-members
  Sales             00:1b:c0:5d:30:00 Learn          0   ge-0/0/0.0

root@SW1>
If you are having problems with a specific host communicating with network resources, verify that its MAC address appears in the MAC table shown above on the specified interface. If it does not, then its traffic is being dropped by default, unless the port is configured to shut down when a secure access port violation is triggered. Other commands can be used to determine whether or not packets are being dropped, such as the show ethernet-switching statistics mac-learning command.
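The check described above (is the host's MAC learned on the port you expect?) can be scripted against a saved copy of the command output. The following Python is an added example, not code from Junos Workbook or from Juniper; it parses the show ethernet-switching table output captured earlier in this lab, which is embedded here as a constructed sample transcript, and the function names are my own. It also covers two details worth knowing when you script this: Junos prints MACs in lower case in the switching table but in upper case in show dhcp snooping binding, and interface names carry a logical unit (ge-0/0/0.0) in the table but not in the command you typed.

```python
import re

# Constructed sample: the "show ethernet-switching table interface ge-0/0/0"
# output from this lab, saved as a CLI transcript.
SAMPLE_TABLE = """\
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age   Interfaces
  Sales             *                 Flood          -   All-members
  Sales             00:1b:c0:5d:30:00 Learn          0   ge-0/0/0.0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)


def normalize_mac(mac):
    """Canonical form so that 00:1B:C0:5D:30:00 (DHCP snooping output)
    and 00:1b:c0:5d:30:00 (switching table output) compare equal."""
    return mac.strip().lower()


def physical_name(ifname):
    """Drop the logical unit: 'ge-0/0/0.0' -> 'ge-0/0/0'.  An exact match on
    the physical name avoids 'ge-0/0/1' accidentally matching 'ge-0/0/10'."""
    return ifname.split(".")[0]


def parse_switching_table(text):
    """Return the learned unicast entries as dicts.  The per-VLAN flood
    entry ('*') is skipped because it is not a learned host."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not MAC_RE.match(parts[1]):
            continue
        vlan, mac, entry_type, age, ifname = parts
        entries.append({
            "vlan": vlan,
            "mac": normalize_mac(mac),
            "type": entry_type,
            "age": age,
            "interface": physical_name(ifname),
        })
    return entries


def host_is_learned(text, mac, interface):
    """True when the host's MAC has been learned on the expected interface.
    If this is False, the secure access port is discarding its frames
    (or has shut the port down, depending on the configured action)."""
    want = normalize_mac(mac)
    want_if = physical_name(interface)
    return any(e["mac"] == want and e["interface"] == want_if
               for e in parse_switching_table(text))


def macs_over_limit(text, interface, mac_limit):
    """How many learned MACs on the interface exceed the configured
    mac-limit; 0 means the port is within its limit."""
    want_if = physical_name(interface)
    learned = [e for e in parse_switching_table(text)
               if e["interface"] == want_if]
    return max(0, len(learned) - mac_limit)


if __name__ == "__main__":
    # R1's MAC, as seen in the lab, in the upper-case form DHCP snooping uses.
    print(host_is_learned(SAMPLE_TABLE, "00:1B:C0:5D:30:00", "ge-0/0/0"))
    print(macs_over_limit(SAMPLE_TABLE, "ge-0/0/0", 3))
```

The same parser works on the output of show ethernet-switching table without the interface qualifier, since the row layout is identical; only the number of rows changes.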
Next we'll take a look at preventing unauthorized DHCP servers on the network by using DHCP snooping. This technology is quite simple in that it has untrusted and trusted ports. Trusted ports are ports where DHCP servers are statically located, whereas untrusted ports are commonly workstations, laptops or any other port you know should NOT be providing DHCP services.
DHCP snooping is configured on a per-VLAN basis, however the first step to configuring DHCP snooping is to set the trusted interface(s) where you know DHCP servers are located. This is done using set ethernet-switching-options secure-access-port interface ge-0/0/# dhcp-trusted, where # is the interface number.
Once you have configured the trusted DHCP server interface(s) you must then configure DHCP snooping on a per-VLAN basis using set ethernet-switching-options secure-access-port vlan NAME examine-dhcp, where NAME is the name or VLAN tag of the desired VLAN.
To verify DHCP snooping you'll use the show dhcp snooping binding command in operational mode.
Next up on the list to cover is Dynamic ARP Inspection, known as "DAI". Dynamic ARP Inspection builds a table that matches MAC addresses to IP addresses, along with the lease time, based on the information in DHCP server responses, and checks ARP packets on untrusted ports against it.
Dynamic ARP Inspection is used to protect against MAC spoofing and is enabled on a per-VLAN basis using set ethernet-switching-options secure-access-port vlan NAME arp-inspection, where NAME is the name or tag ID of the desired VLAN.
To verify Dynamic ARP Inspection you'd use show arp inspection statistics, which gives you a statistical table with the received, passed and failed ARP packet counts for each interface.
The last thing to discuss prior to getting into the lab is the MAC move limit. You have the capability to set a MAC move limit, which bounds how many times the same MAC address may move from one port to another port on the switch. This has a nice benefit, as no single MAC should be jumping between multiple switch ports in a given amount of time. This is configured on a per-VLAN basis using set ethernet-switching-options secure-access-port vlan Sales mac-move-limit #, where # is the limit.
Also note that the default action for MAC move limit violations is to drop the traffic, however you can also specify the action for the MAC move limit violation by appending action [drop/log/none/shutdown] to the specified VLAN.
Now let's take a look at the lab. R1 is set up to receive a DHCP address on the Sales VLAN. R2 is set up as a DHCP server and R3 has been configured as a rogue DHCP server. In this lab you will configure secure port access on interface ge-0/0/0 of SW1 with a limit of 3 MAC addresses, along with DHCP snooping and Dynamic ARP Inspection. To get started, load the initial configs and check out the topology and objectives.
The following logical topology is used in all labs found throughout Section 4 of the Junos Workbook:
To view the physical cabling topology please visit the Topology page.
Prior to starting this lab please zeroize R1, R2, R3 and SW1. Afterwards, log in to the lab devices using the root account, start a CLI session and load the following initial configuration(s) by copying and pasting them into the device console.
For the purposes of this lab, R2 has been configured as a DHCP server for VLAN_10 (Sales), handing out IP addresses for the 10.48.10.0/24 network.
Also, R3 has been configured as a rogue DHCP server handing out IP addresses for the 192.168.0.0/24 subnet.
If you want to learn more about how to configure a Junos DHCP server, please check out Lab 7-4 – Configuring Junos DHCP Services.
This lab requires that you have access to real Juniper EX Series switches and cannot be completed using the vSRX platform. If you do not have Juniper switches or you cannot afford to purchase them, then you can rent lab time on the Juno Lab provided by Junos Workbook, where you have access to four EX3200-24 switches and four J2320 routers which can be used to complete this lab.
In this lab you will complete the following objectives.
It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.
If you are a student preparing for the Juniper JNCIA Certification Exam, then you are more likely to remember how to complete these objectives if you attempt to complete them the first time on your own, with the use of the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.
The following lab instructions are performed on the Juno Lab provided by Junos Workbook, which uses real Juniper EX3200-24T switches. This lab cannot be performed on vSRX due to its lack of switching support.
root@SW1> configure
Entering configuration mode

root@SW1# set ethernet-switching-options secure-access-port interface ge-0/0/0 mac-limit 3 action shutdown

root@SW1#
root@SW1# set ethernet-switching-options secure-access-port vlan Sales examine-dhcp

root@SW1# set ethernet-switching-options secure-access-port interface ge-0/0/1 dhcp-trusted

root@SW1#
root@SW1# set ethernet-switching-options secure-access-port vlan Sales arp-inspection

root@SW1#
root@R1> show interfaces ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 133, SNMP ifIndex: 507
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:1b:c0:5d:30:00, Hardware address: 00:1b:c0:5d:30:00
  Last flapped   : 2014-08-05 05:50:04 UTC (00:01:06 ago)
  Input rate     : 232 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/0.0 (Index 69) (SNMP ifIndex 508)
    Flags: SNMP-Traps 0x4000 Encapsulation: ENET2
    Input packets : 6349
    Output packets: 362
    Security: Zone: trust
    Allowed host-inbound traffic : dhcp http https ssh telnet
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.48.10/24, Local: 10.48.10.10, Broadcast: 10.48.10.255

root@R1> ping 10.48.10.1 count 4
PING 10.48.10.1 (10.48.10.1): 56 data bytes
64 bytes from 10.48.10.1: icmp_seq=0 ttl=64 time=3.607 ms
64 bytes from 10.48.10.1: icmp_seq=1 ttl=64 time=3.614 ms
64 bytes from 10.48.10.1: icmp_seq=2 ttl=64 time=3.437 ms
64 bytes from 10.48.10.1: icmp_seq=3 ttl=64 time=3.365 ms

--- 10.48.10.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.365/3.506/3.614/0.108 ms

root@R1>
Note: You may need to disable and re-enable the ge-0/0/0 interface on R1 for it to receive a DHCP address.
root@SW1> show ethernet-switching table interface ge-0/0/0
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age   Interfaces
  Sales             *                 Flood          -   All-members
  Sales             00:1b:c0:5d:30:00 Learn       1:09   ge-0/0/0.0

root@SW1> show dhcp snooping binding
DHCP Snooping Information:
MAC address        IP address      Lease (seconds)  Type     VLAN   Interface
00:1B:C0:5D:30:00  10.48.10.10     85924            dynamic  Sales  ge-0/0/0.0

root@SW1> show arp inspection statistics
Interface    Packets received   ARP inspection pass   ARP inspection failed
ge-0/0/0     5                  4                     1
ge-0/0/1     2                  2                     0
ge-0/0/2     21                 0                     21
ge-0/0/3     0                  0                     0
ge-0/0/4     0                  0                     0
ge-0/0/5     0                  0                     0
ge-0/0/6     0                  0                     0
ge-0/0/7     0                  0                     0
ge-0/0/8     0                  0                     0
ge-0/0/9     0                  0                     0
ge-0/0/10    0                  0                     0
ge-0/0/11    0                  0                     0
ge-0/0/12    0                  0                     0
ge-0/0/13    0                  0                     0
ge-0/0/14    0                  0                     0
ge-0/0/15    0                  0                     0
ge-0/0/16    0                  0                     0
ge-0/0/17    0                  0                     0
ge-0/0/18    0                  0                     0
ge-0/0/19    0                  0                     0
ge-0/0/20    0                  0                     0
ge-0/0/21    0                  0                     0
ge-0/0/22    0                  0                     0
ge-0/0/23    0                  0                     0

root@SW1>
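The two verification commands introduced in the core knowledge section, show dhcp snooping binding and show arp inspection statistics, are most useful when read together: the binding table says which MAC/IP pairs the switch learned from real DHCP replies, and the inspection counters say which ports are sending ARP that does not match those bindings. The following Python is an added example, not code from Junos Workbook or from Juniper; it parses the two outputs captured above (embedded as constructed sample transcripts, trimmed to the first four interfaces) and flags ports that received ARP yet passed none and hold no binding. The function names and the flagging rule are my own.

```python
import re

# Constructed samples: the verification outputs captured in this lab,
# saved as CLI transcripts (DAI table trimmed to the first four ports).
SNOOPING_OUTPUT = """\
DHCP Snooping Information:
MAC address        IP address      Lease (seconds)  Type     VLAN   Interface
00:1B:C0:5D:30:00  10.48.10.10     85924            dynamic  Sales  ge-0/0/0.0
"""

DAI_OUTPUT = """\
Interface    Packets received   ARP inspection pass   ARP inspection failed
ge-0/0/0     5                  4                     1
ge-0/0/1     2                  2                     0
ge-0/0/2     21                 0                     21
ge-0/0/3     0                  0                     0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)


def physical_name(ifname):
    """'ge-0/0/0.0' -> 'ge-0/0/0', so bindings and DAI rows compare equal."""
    return ifname.split(".")[0]


def parse_snooping_bindings(text):
    """Rows of 'show dhcp snooping binding' as dicts; MACs lower-cased."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and MAC_RE.match(parts[0]):
            mac, ip, lease, entry_type, vlan, ifname = parts
            bindings.append({"mac": mac.lower(), "ip": ip,
                             "lease": int(lease), "type": entry_type,
                             "vlan": vlan, "interface": physical_name(ifname)})
    return bindings


def parse_dai_stats(text):
    """Rows of 'show arp inspection statistics' keyed by interface name."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 4 and parts[0].startswith(("ge-", "xe-"))
                and all(p.isdigit() for p in parts[1:])):
            stats[parts[0]] = {"received": int(parts[1]),
                               "passed": int(parts[2]),
                               "failed": int(parts[3])}
    return stats


def binding_matches(bindings, mac, ip, interface):
    """True when the switch learned exactly this MAC/IP pair on this port."""
    return any(b["mac"] == mac.lower() and b["ip"] == ip
               and b["interface"] == physical_name(interface)
               for b in bindings)


def failure_report(stats):
    """Interfaces with at least one failed ARP packet, and how many."""
    return {name: s["failed"] for name, s in stats.items() if s["failed"] > 0}


def suspicious_interfaces(stats, bindings):
    """Ports that received ARP, passed none of it, and hold no DHCP binding.
    A host there is using an address the switch never saw in a DHCP reply
    (static or spoofed), so every ARP it sends fails inspection."""
    bound = {b["interface"] for b in bindings}
    return sorted(name for name, s in stats.items()
                  if s["received"] > 0 and s["passed"] == 0
                  and name not in bound)


if __name__ == "__main__":
    bindings = parse_snooping_bindings(SNOOPING_OUTPUT)
    stats = parse_dai_stats(DAI_OUTPUT)
    print("R1 bound correctly:",
          binding_matches(bindings, "00:1b:c0:5d:30:00", "10.48.10.10", "ge-0/0/0"))
    print("ARP failures:", failure_report(stats))
    print("ports to investigate:", suspicious_interfaces(stats, bindings))
```

On the lab output this reports one failed ARP on ge-0/0/0 and flags ge-0/0/2, where all 21 ARP packets failed and no binding exists; the single failure on ge-0/0/0 is expected during R1's DHCP exchange, before its binding was installed. Which device sits on ge-0/0/2 is a question for the cabling topology, not something the counters alone tell you.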