Switching

  • 1.  IP Source Guard with 802.1x single-secure mode.

    Posted 04-10-2013 06:31

     

    Will IP source guard work with 802.1x authentication configured as single-secure mode? We already have DHCP snooping and DAI configured on the switch as well.

     

    Regards

     

     

    Tayyab



  • 2.  RE: IP Source Guard with 802.1x single-secure mode.

     
    Posted 04-10-2013 06:52


  • 3.  RE: IP Source Guard with 802.1x single-secure mode.

    Posted 04-10-2013 22:30

    Hi jtb

     

    Kindly refer to the following part of the document.

    Note: The 802.1X user authentication applied in this example is for single supplicants.

    You can also use IP source guard with 802.1X user authentication for single-secure supplicant or multiple supplicant mode. If you are implementing IP source guard with 802.1X authentication in single-secure supplicant or multiple supplicant mode, you must use the following configuration guidelines:

    • If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.
    • If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.

     

    Can you throw some light on that?

     

    regards

     

    Tayyab



  • 4.  RE: IP Source Guard with 802.1x single-secure mode.

    Posted 04-11-2013 01:37

    Exactly what in the note would you like to know more about, or would you like more light to be shed on? It does support and answer your question, but it also goes further in explaining the various scenarios. Are your clients experiencing issues when you have configured it? Do you have a scenario that you are trying to deploy that you think may not work?



  • 5.  RE: IP Source Guard with 802.1x single-secure mode.

     
    Posted 04-11-2013 04:06

    hi,

     

    As far as I understand it (not 100% sure, not tested) the note discusses interface configuration with MAC-based VLANs and Dynamic VLANs.

     

    Dynamic VLAN assignment:

    The note says all VLANs that egress such an interface must have IP source guard and DHCP snooping enabled.

    Do you have MAC RADIUS Authentication + Dynamic VLANs? If not, the note does not apply to you.

    I don't know why it only talks about MAC-based VLANs.

     

    That's how I understand the note, anyway I would start with tests (as usual)

    jtb

     



  • 6.  RE: IP Source Guard with 802.1x single-secure mode.

    Posted 04-11-2013 06:35

    Hi jtb

     

    Thanks for your reply. In our case this is a simple case of the customer requesting that security features should be enabled on Juniper access switches. The users authenticating are already using 802.1x single-secure mode authentication with a RADIUS server. When DHCP snooping and DAI are enabled, everything is working, but as soon as we enable IP source guard on the VLANs on the access switches, things stop working.

     

    The customer is not using the following

     

    1. MAC Radius

    2. MAC-based VLANs (just normal VLANs)

     

    Also the link shared by you is still only using single mode authentication.

     

    Thanks

     

    Tayyab

     

     



  • 7.  RE: IP Source Guard with 802.1x single-secure mode.

     
    Posted 04-11-2013 07:21

    hi,

     

    ... things stop working - 802.1x, DHCP, DAI, user traffic affected? If the problem is clear I would suggest looking at it in a lab, testing different scenarios (like supplicant mode) and/or calling JTAC.

    jtb



  • 8.  RE: IP Source Guard with 802.1x single-secure mode.

    Posted 04-22-2013 02:37

    Exactly what do you mean by things stop working? Are the clients configured with static IP addresses? Are there multiple clients attached to one port? Instead of single secure, maybe multiple? There are a lot of things we do not know about the environment that could affect the outcome. They are all meant to complement each other. We have no idea of the types of clients. If the customer is using VLANs, and you have RADIUS also, then you need to configure the VLANs on your switch and ensure that the same VLANs are also configured for the RADIUS server to assign the clients.



  • 9.  RE: IP Source Guard with 802.1x single-secure mode.
    Best Answer

    Posted 04-25-2013 04:08

    Hi Tayyab

     

    for static IP use

    set ethernet-switching-options secure-access-port interface ge-0/0/10.0 static-ip 20.20.20.1 vlan vlanx

    set ethernet-switching-options secure-access-port interface ge-0/0/10.0 static-ip 20.20.20.1 mac 00:xx

    on uplink port

     

    set ethernet-switching-options secure-access-port interface ge-0/0/23.0 dhcp-trusted

     

    For the rest of the traffic you can add this.

    set ethernet-switching-options secure-access-port vlan all arp-inspection

    set ethernet-switching-options secure-access-port vlan all examine-dhcp

    set ethernet-switching-options secure-access-port vlan all ip-source-guard

     

     



  • 10.  RE: IP Source Guard with 802.1x single-secure mode.

    Posted 04-25-2013 05:10

    Thanks Abdul

     

    Working fine with single-secure mode authentication. It has been tested on ex-3200 with the following releases.

     

    1. 11.3 r6s1

    2. 12.3 r2.5

     

     

    and found to be working fine. Also, this is correct: we need IP, interface, VLAN and MAC bindings for static IPs to work in such a configuration.

    The uplink port is trusted for DHCP traffic as the DHCP server is beyond the access switch.

     

    Thanks again Abdul.

     

    Regards

     

    Tayyab
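
The checklist the thread arrives at (a VLAN and a MAC for every static-ip binding, DHCP snooping wherever IP source guard is on, a dhcp-trusted uplink) can be checked mechanically before a change is committed. The Python below is an added example, not part of the thread or of Juniper's tooling; the MAC address and the ge-0/0/11.0 port are constructed placeholders, and only the statements quoted in the accepted answer are parsed.

```python
# Constructed sample: the accepted answer's commands, with a placeholder MAC
# (the post elides it) and a hypothetical second port, ge-0/0/11.0, whose
# static binding has no MAC.
P = "set ethernet-switching-options secure-access-port "
SAMPLE = "\n".join(P + s for s in [
    "interface ge-0/0/10.0 static-ip 20.20.20.1 vlan vlanx",
    "interface ge-0/0/10.0 static-ip 20.20.20.1 mac 00:00:5e:00:53:01",
    "interface ge-0/0/11.0 static-ip 20.20.20.2 vlan vlanx",
    "interface ge-0/0/23.0 dhcp-trusted",
    "vlan all arp-inspection",
    "vlan all examine-dhcp",
    "vlan all ip-source-guard",
])

def audit(config):
    """Return findings for the secure-access-port statements in config."""
    static, trusted, vlan_opts = {}, set(), {}
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith(P):
            continue
        words = line[len(P):].split()
        if words[0] == "interface" and words[2:3] == ["dhcp-trusted"]:
            trusted.add(words[1])
        elif words[0] == "interface" and words[2:3] == ["static-ip"] and len(words) >= 4:
            # Merge "vlan <name>" / "mac <addr>" pairs per (interface, IP).
            entry = static.setdefault((words[1], words[3]), {})
            entry.update(zip(words[4::2], words[5::2]))
        elif words[0] == "vlan" and len(words) >= 3:
            vlan_opts.setdefault(words[1], set()).add(words[2])
    findings = []
    # A static host has no DHCP snooping entry, so its binding must be complete.
    for (ifname, ip), entry in sorted(static.items()):
        for attr in ("vlan", "mac"):
            if attr not in entry:
                findings.append(f"{ifname} static-ip {ip}: missing {attr}")
    # Options set on "vlan all" also apply to each named VLAN.
    for vlan, opts in sorted(vlan_opts.items()):
        effective = opts | vlan_opts.get("all", set())
        if "ip-source-guard" in effective and "examine-dhcp" not in effective:
            findings.append(f"vlan {vlan}: ip-source-guard without examine-dhcp")
    if any("examine-dhcp" in o for o in vlan_opts.values()) and not trusted:
        findings.append("examine-dhcp enabled but no interface is dhcp-trusted")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding about the trusted interface is a prompt to check the uplink toward the DHCP server, as described in the last post, rather than proof of a fault.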