Ethernet Switching

ip source guard without dhcp snooping?

11-10-2019 07:56 PM

Hello,

I have 20x Juniper EX4200-48P switches with about ~400 devices connected to them. I want to use IP source guard to prevent IP spoofing in my network, because most of my users are sending attacks outside of my network.

I know IP source guard needs DHCP snooping, but for some reasons I cannot use DHCP servers in my network, because I assign IPs to my users manually.

So:

1. If I want to use IP source guard, should I use a DHCP server so that all of my users get their IPs from DHCP?

2. Is there any way to use IP source guard without DHCP snooping, using other tables to check IPs, ARP, MAC, ...?

3. Do you have any other suggestion to prevent IP spoofing?

On some of my switches I am using firewall access lists and applying them to the switch port which is sending attacks towards the internet, and in this case I can protect myself from IP spoofing, but managing IP access lists for 400 servers is really hard. So I am looking for a better way.


Thank you.


Re: ip source guard without dhcp snooping?

11-10-2019 10:57 PM

You are right that IP source guard requires DHCP snooping to function properly. You can do manual IP source guard entries for static addresses, but you need to define the interface, IP address and MAC address for each entry - not that flexible, and I would personally prefer a firewall filter instead.


Secondly, I don't think static IP source guard entries are supported on the EX4200 (I don't have one available for testing).


I think you are down to a firewall filter per port if you don't want to convert your users to DHCP-assigned addresses together with DHCP snooping and IP source guard.


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: ip source guard without dhcp snooping?

11-10-2019 11:10 PM

Hello,

Yes, you are right, I am using a firewall filter per port instead of DHCP.

For confirmation, this is one of my firewall rules per port:

family ethernet-switching {
    filter port5 {
        term layer2 {
            from {
                ether-type arp;
            }
            then accept;
        }
        term port5 {
            from {
                source-address {
                    192.168.1.0/29;
                }
            }
            then accept;
        }
        term default-term {
            then discard;
        }
    }
}


This only allows source IPs in 192.168.1.0/29, and other source IPs (even multicast 224.0.0.0) or any other source IPs will be dropped at port level, am I right?

And this rule only permits ARP, is that correct?

Thank you.
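Below is an added worked example, not configuration or code from this thread or from Juniper, that models how the posted per-port filter is evaluated term by term (first match wins, with an implicit discard if nothing matches) and runs constructed sample frames through it: an ARP frame, an IPv4 frame from inside 192.168.1.0/29, one from outside it, one with a multicast source, and an IPv6 frame. It also goes slightly beyond the posted filter by modelling the static source-guard binding approach the first reply describes (one entry per interface, IP address and MAC address), so the two mechanisms can be compared on the same frames: a prefix-based filter accepts any host that picks an address inside the allowed /29, whereas a per-interface binding also ties that address to one MAC. The interface name, MAC addresses, bindings and frames are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the per-port filter "port5" posted above.
# Junos evaluates terms top to bottom; the first matching term's action applies.
PORT5_FILTER = [
    {"name": "layer2", "ether_type": "arp", "action": "accept"},
    {"name": "port5", "source_prefixes": [ip_network("192.168.1.0/29")], "action": "accept"},
    {"name": "default-term", "action": "discard"},
]

# Constructed static source-guard bindings of the kind the first reply describes:
# each entry ties an interface (assumed name) to one IP address and one MAC address.
STATIC_BINDINGS = {
    ("ge-0/0/5.0", "192.168.1.2", "00:11:22:33:44:55"),
    ("ge-0/0/5.0", "192.168.1.3", "00:11:22:33:44:66"),
}


def term_matches(term, frame):
    """Return True when every match condition of a term holds for the frame."""
    if "ether_type" in term and frame.get("ether_type") != term["ether_type"]:
        return False
    if "source_prefixes" in term:
        # source-address is an IPv4 match; non-IPv4 frames never match this term.
        if frame.get("ether_type") != "ipv4":
            return False
        src = ip_address(frame["src_ip"])
        if not any(src in prefix for prefix in term["source_prefixes"]):
            return False
    return True


def evaluate_filter(terms, frame):
    """First-match evaluation; returns (action, name of the matching term).

    Junos applies an implicit discard when no term matches, so a filter
    without the explicit default-term behaves the same way for unmatched frames.
    """
    for term in terms:
        if term_matches(term, frame):
            return term["action"], term["name"]
    return "discard", "implicit-discard"


def source_guard_allows(bindings, interface, frame):
    """IPv4 traffic passes only if (interface, source IP, source MAC) is bound.

    ARP and other non-IPv4 frames are not checked by this simplified model.
    """
    if frame.get("ether_type") != "ipv4":
        return True
    return (interface, frame["src_ip"], frame["src_mac"]) in bindings


# Constructed sample frames arriving on the assumed interface ge-0/0/5.0.
SAMPLE_FRAMES = {
    "arp request": {"ether_type": "arp", "src_mac": "00:11:22:33:44:55"},
    "ipv4 inside /29": {"ether_type": "ipv4", "src_ip": "192.168.1.3", "src_mac": "00:11:22:33:44:66"},
    "ipv4 outside /29": {"ether_type": "ipv4", "src_ip": "10.0.0.1", "src_mac": "00:11:22:33:44:66"},
    "ipv4 multicast source": {"ether_type": "ipv4", "src_ip": "224.0.0.1", "src_mac": "00:11:22:33:44:66"},
    "ipv6": {"ether_type": "ipv6", "src_ip": "2001:db8::1", "src_mac": "00:11:22:33:44:66"},
    "ipv4 inside /29, other mac": {"ether_type": "ipv4", "src_ip": "192.168.1.3", "src_mac": "de:ad:be:ef:00:01"},
}


def compare_mechanisms(interface="ge-0/0/5.0"):
    """Run every sample frame through both checks and return the verdicts."""
    results = {}
    for label, frame in SAMPLE_FRAMES.items():
        action, term = evaluate_filter(PORT5_FILTER, frame)
        results[label] = {
            "filter": f"{action} ({term})",
            "source_guard": "accept" if source_guard_allows(STATIC_BINDINGS, interface, frame) else "discard",
        }
    return results


if __name__ == "__main__":
    for label, verdict in compare_mechanisms().items():
        print(f"{label:28} filter={verdict['filter']:24} source-guard={verdict['source_guard']}")
```

Running it shows the filter accepting the ARP frame via term layer2, accepting 192.168.1.3 via term port5, and sending 10.0.0.1, the 224.0.0.1 source and the IPv6 frame to default-term for discard; the last sample, an allowed address with a different MAC, passes the prefix filter but fails the binding check, which is the extra property a per-interface IP/MAC entry buys at the cost of maintaining one entry per host.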
