Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Preventing Static IP Assignment Corporate LAN

    Posted 08-13-2013 04:19

    Hi there...

     

    I got asked by a client last night an interesting question.  They run a primarily Windows-based LAN in their corporate environment.  Only a handful of devices are statically assigned and the rest are assigned via DHCP.  They do not have the expertise to implement domain policies in the Windows environment.

     

    So I'm looking for a way to limit connectivity on most ports to only those devices that were assigned an IP address via DHCP.  I've looked at DHCP snooping but not confident that it will meet this requirement (although a good option to help secure the network anyways).  They have had employees in the past who have given themselves a static IP address and they do not wish for them to have connectivity in such a situation.

     

    Also, and perhaps related, they would like to implement the equivalent to Cisco's port security.  So if someone plugs in a different device on an existing port then the port would become disabled until an admin reviews.

     

    Thanks,

     

    Paul

     



  • 2.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 08-13-2013 09:35

    Hi,

     

    I don't know of a way to accomplish this outside of using the UAC (see link below).  This is policy driven and can prevent someone from accessing the port, vlan or network with/without an IP from a DHCP server.  With regards to port security, similar features are available.  See the EX Day One Guide.  I hope this helps.

     

    EX Day One Guide: http://forums.juniper.net/jnet/attachments/jnet/Day1Books/11/9/ConfiguringEX_2Ed.pdf

     

    UAC Post: http://forums.juniper.net/t5/Identity-and-Policy-Control/UAC-DHCP-Server/td-p/123499



  • 3.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 08-13-2013 09:59

    Thanks - I'm going to lab up a few things and test a few options.  UAC isn't an option for them due to budget.



  • 4.  RE: Preventing Static IP Assignment Corporate LAN
    Best Answer

    Posted 08-14-2013 00:35

    Try persistent MAC with MAC limiting:

    edit ethernet-switching-options secure-access-port
    set interface all persistent-learning
    set interface all mac-limit 1 action drop

    (or 2, or whatever number you like.)

    You have many options: you can shut down the port and then manually enable it after the helpdesk calls, or set a timeout after which the interface will automatically be enabled.

    DHCP snooping will help to prevent rogue DHCP servers from giving out IP addresses.

    That may work for you.
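    The following is an added illustration for this thread, not Juniper code and not the exact Junos algorithm: a small model of what `mac-limit N` with `persistent-learning` does on an access port, with the `drop` action beside the `shutdown` action and the optional recovery timeout mentioned above. The class and method names, the interface names and the MAC addresses are constructed for the example.

```python
"""Model of `mac-limit N action drop|shutdown` with `persistent-learning`.

Added illustration for this thread, not Juniper code: a port remembers the first
N source MACs it sees (persistent, so they survive a reboot or link flap), frames
from any further MAC are dropped, and with the shutdown action the port is
error-disabled until an admin re-enables it or an optional recovery timeout
expires. Class and method names are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AccessPort:
    name: str
    mac_limit: int = 1
    action: str = "drop"                   # "drop" keeps the port up, "shutdown" disables it
    disable_timeout: Optional[int] = None  # seconds until auto-recovery; None = manual clear only
    learned: List[str] = field(default_factory=list)  # persistent MACs bound to this port
    disabled_at: Optional[int] = None
    events: List[str] = field(default_factory=list)

    def is_disabled(self, now: int) -> bool:
        """Error-disabled state, honouring the optional recovery timer."""
        if self.disabled_at is None:
            return False
        if self.disable_timeout is not None and now - self.disabled_at >= self.disable_timeout:
            self.disabled_at = None
            self.events.append(f"{self.name}: auto-recovered at t={now}")
            return False
        return True

    def ingress(self, src_mac: str, now: int = 0) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        src_mac = src_mac.lower()
        if self.is_disabled(now):
            return False
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.mac_limit:
            # persistent-learning: the first MACs up to the limit stick to the port
            self.learned.append(src_mac)
            return True
        # Limit exceeded: a different device was plugged into this port.
        self.events.append(f"{self.name}: MAC limit exceeded by {src_mac} at t={now}")
        if self.action == "shutdown":
            self.disabled_at = now
        return False

    def admin_enable(self, replace_with: Optional[str] = None) -> None:
        """Helpdesk action: bring the port back and optionally re-bind it to a new device."""
        self.disabled_at = None
        if replace_with is not None:
            self.learned = [replace_with.lower()]


def demo() -> dict:
    """Constructed scenario: the user's PC is bound, then a second device appears."""
    pc, other = "00:11:22:33:44:55", "de:ad:be:ef:00:01"   # constructed sample MACs
    results = {}
    drop_port = AccessPort("ge-0/0/5.0", mac_limit=1, action="drop")
    results["pc_first"] = drop_port.ingress(pc)
    results["other_drop"] = drop_port.ingress(other)
    results["pc_still_ok"] = drop_port.ingress(pc)            # drop action leaves the port up

    sd_port = AccessPort("ge-0/0/6.0", mac_limit=1, action="shutdown", disable_timeout=60)
    sd_port.ingress(pc, now=0)
    results["other_shutdown"] = sd_port.ingress(other, now=5)
    results["pc_while_disabled"] = sd_port.ingress(pc, now=10)     # whole port is down
    results["pc_after_timeout"] = sd_port.ingress(pc, now=70)      # recovered at t >= 65
    results["other_after_timeout"] = sd_port.ingress(other, now=71)  # still over the limit

    manual = AccessPort("ge-0/0/7.0", mac_limit=1, action="shutdown")
    manual.ingress(pc)
    manual.ingress(other)
    results["manual_stays_down"] = manual.ingress(pc, now=10_000)
    manual.admin_enable(replace_with=other)                    # helpdesk approves the new device
    results["manual_new_device"] = manual.ingress(other)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The `drop` variant is the quieter choice for a helpdesk-light environment: the original device keeps working and only the newcomer is silenced, while `shutdown` takes the whole port down until someone clears it or the timeout expires.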



  • 5.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 08-14-2013 03:04

    Thank you - that's more what I"m looking for.  Many thanks!



  • 6.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 08-14-2013 20:33

    Hi,

     

    I suggest you configure IP Source Guard. This feature is based on DHCP Snooping (so you have to enable it before....). With IPSG, and for each packet (on an untrusted port), the switch will compare the source MAC and IP addresses with the DHCP Snooping entries. If the entry exists the switch forwards the frame; if not it drops it. If you have some server or management station with a static IP, you can add a static entry to the DHCP Snooping database.

    Port Security is generally used to play with MAC addresses (limit the number on ports, define which addresses are authorised on ports, etc..). I think IPSG is what you are searching for.

     

     

    Here is an example:

     

    ethernet-switching-options {
        secure-access-port {
            interface ge-0/0/0.0 {
                /* Your uplink or your DHCP server. It makes the port trusted */
                dhcp-trusted;
            }
            interface ge-0/0/1.0 {
                /* Add a static entry to the DHCP Snooping DB (server, MGMT, ....) */
                static-ip 192.168.0.X vlan YOURVLAN mac aa:bb:cc:dd:ee:ff;
            }

            .......
            vlan YOURVLAN {
                /* Enable DHCP Snooping for this VLAN */
                examine-dhcp;

                /* Enable IPSG for this VLAN */
                ip-source-guard;
            }
        }
    }

     

    Some docs :

    http://www.juniper.net/techpubs/en_US/junos9.3/topics/concept/port-security-ip-source-guard.html

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/port-security-ip-source-guard-cli.html

    https://www.juniper.net/techpubs/en_US/junos12.1/topics/example/port-security-ip-source-guard-plus-other-switch-features.html

     

     

    I hope this can help you.



  • 7.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 08-14-2013 21:05

    To complete my previous post, and if you decide to use these features (DHCP Snooping and IPSG), I suggest you enable persistent storage of the DHCP Snooping DB. Otherwise, in case of a crash or power failure, when the switch comes back all PCs will have to renew their DHCP lease before their frames are forwarded...

     

    ethernet-switching-options {
        dhcp-snooping-file {
            /* Destination of the database */
            location /var/log/dhcp-snooping.db;

            /* Interval between backups (seconds) */
            write-interval 300;
        }
    }
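    The following is an added example for this thread, not Juniper code: a small model of the behaviour the two posts above describe (DHCP snooping on a trusted uplink, static entries for servers, the IP Source Guard check on untrusted ports, and a snooping database that is saved to a file and restored after a reboot). Whether the real switch also matches the binding's interface is a modelling assumption here; the class names, interface names, addresses and the JSON file layout are all constructed for the example.

```python
"""Model of DHCP snooping, IP Source Guard and a persisted snooping database.

Added illustration for this thread, not Juniper code. Bindings are learned from
DHCP ACKs that arrive on a dhcp-trusted port, static entries can be added for
servers or management stations, a frame on an untrusted port in a snooping VLAN
is forwarded only when its source MAC and IP match a binding, and the table is
written to a file so a reboot does not leave every host cut off until it renews
its lease. Class and field names and the JSON file layout are this example's own.
"""
import json
import tempfile
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

BindingKey = Tuple[str, int]  # (source MAC, VLAN id)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_seconds: Optional[int] = None  # None marks a static, admin-added entry


class SnoopingSwitch:
    def __init__(self, trusted_ports: Iterable[str], snooping_vlans: Iterable[int]):
        self.trusted = set(trusted_ports)       # dhcp-trusted interfaces
        self.vlans = set(snooping_vlans)        # VLANs with examine-dhcp and ip-source-guard
        self.db: Dict[BindingKey, Binding] = {}  # the DHCP snooping database

    def add_static(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        """Equivalent of `static-ip <ip> vlan <vlan> mac <mac>` on an interface."""
        mac = mac.lower()
        self.db[(mac, vlan)] = Binding(mac, ip, vlan, interface)

    def dhcp_ack(self, server_port: str, client_mac: str, ip: str, vlan: int,
                 client_port: str, lease_seconds: int) -> bool:
        """Snoop a DHCP ACK. Only ACKs from a trusted port populate the table;
        an ACK arriving on an untrusted port comes from a rogue server and is dropped."""
        if server_port not in self.trusted or vlan not in self.vlans:
            return False
        client_mac = client_mac.lower()
        self.db[(client_mac, vlan)] = Binding(client_mac, ip, vlan, client_port, lease_seconds)
        return True

    def ip_source_guard(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """Decide whether an IP frame entering `port` is forwarded. Trusted ports and
        VLANs without IPSG are not checked (assumption of this model)."""
        if port in self.trusted or vlan not in self.vlans:
            return True
        binding = self.db.get((src_mac.lower(), vlan))
        # A hand-typed static address has no matching binding, so it is dropped.
        return binding is not None and binding.ip == src_ip and binding.interface == port

    def save(self, path: Path) -> None:
        """Write the table, like `dhcp-snooping-file location ... write-interval ...`."""
        path.write_text(json.dumps([asdict(b) for b in self.db.values()]))

    def load(self, path: Path) -> int:
        """Restore bindings after a reboot; returns how many entries are in the table."""
        for entry in json.loads(path.read_text()):
            b = Binding(**entry)
            self.db[(b.mac, b.vlan)] = b
        return len(self.db)


def demo() -> dict:
    """Constructed scenario: one trusted uplink, one DHCP client, one static server."""
    sw = SnoopingSwitch(trusted_ports=["ge-0/0/0.0"], snooping_vlans=[10])
    results = {}
    # Lease handed out by the real DHCP server through the trusted uplink.
    results["ack_trusted"] = sw.dhcp_ack("ge-0/0/0.0", "00:11:22:33:44:55", "192.168.0.50", 10, "ge-0/0/5.0", 3600)
    # The same kind of ACK sourced from an access port is a rogue DHCP server.
    results["ack_rogue"] = sw.dhcp_ack("ge-0/0/7.0", "00:11:22:33:44:66", "192.168.0.51", 10, "ge-0/0/7.0", 3600)
    # Client using its leased address passes; the same MAC with a self-assigned address does not.
    results["leased_ok"] = sw.ip_source_guard("ge-0/0/5.0", 10, "00:11:22:33:44:55", "192.168.0.50")
    results["static_self"] = sw.ip_source_guard("ge-0/0/5.0", 10, "00:11:22:33:44:55", "192.168.0.99")
    # A server with a legitimately static address needs an explicit entry.
    results["server_before"] = sw.ip_source_guard("ge-0/0/1.0", 10, "aa:bb:cc:dd:ee:ff", "192.168.0.10")
    sw.add_static("aa:bb:cc:dd:ee:ff", "192.168.0.10", 10, "ge-0/0/1.0")
    results["server_after"] = sw.ip_source_guard("ge-0/0/1.0", 10, "aa:bb:cc:dd:ee:ff", "192.168.0.10")
    # Persist the table, "reboot" into a fresh switch object, and check the client still passes.
    with tempfile.TemporaryDirectory() as tmp:
        db_file = Path(tmp) / "dhcp-snooping.db"
        sw.save(db_file)
        rebooted = SnoopingSwitch(trusted_ports=["ge-0/0/0.0"], snooping_vlans=[10])
        results["restored"] = rebooted.load(db_file)
        results["after_reboot"] = rebooted.ip_source_guard("ge-0/0/5.0", 10, "00:11:22:33:44:55", "192.168.0.50")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The `static_self` case is the one the original question is about: the employee's MAC is known from its earlier lease, but the address it now claims is not the one the server handed out, so the frame never leaves the port.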



  • 8.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 08-15-2013 03:23

    Thanks very much - I'm labbing something similar currently and it seems to be coming together well!



  • 9.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 12-15-2013 11:53

    To add a bit of info on this topic, unfortunately DHCP, ARP snooping, IPSG etc. don't prevent the switch from spoiling its DHCP snooping database by spoofing MACs. In my post http://forums.juniper.net/t5/Ethernet-Switching/DHCP-snooping-database-alteration-attack/td-p/214957 nobody ever gave me any suggestion on that. 

    So anybody in the VLAN can learn all the MACs in his VLAN, take a laptop, change its interface MAC successively, plug in, and all the hosts with these MACs won't communicate until autorecovery or manual clean. Please correct me if I'm wrong!  



  • 10.  RE: Preventing Static IP Assignment Corporate LAN

    Posted 12-15-2013 12:28

    You are correct to a certain degree, and you have just made the case for implementing these security measures. Anyone in your organization who is capable of doing that and actually does it would, in my opinion, be violating the security policies of the company and would warrant further investigation and possibly prosecution. That would not be part of his/her/other job description I would guess, and would mean they were deliberately trying to circumvent the company's security policies. The switch can only do so much; the rest is up to you. Just an FYI, in lots of cases we do inform contributors that a person can change MAC address and IP address if allowed to do so by the company (if they have admin rights to their machines).