Junos Enterprise Switching

Chapter 5: Port Security

Factory Default Settings


By default, all installed interfaces in an EX Series switch are configured for Layer 2 operations. These Layer 2 interfaces do not have a defined limit on the number of MAC addresses that can be learned.

In some environments, this default implementation can be problematic and prone to security risks. Once a physical connection is passed to an end-user, that user can, if proactive measures are not taken, connect a rogue switch or wireless device to the network, allowing unauthorized devices access to the network and its resources.

We discuss several port security features throughout this material that combat the potential security risks inherent in the default configuration settings. Note that not all features are currently supported on all EX Series devices. For details on your specific device, refer to the features overview in the technical publications (http://www.juniper.net/techpubs/en_US/junos10.1/topics/concept/ex-series-software-features-overview.html).

Chapter 5–2 www.juniper.net



Think About It
This slide is designed to get you thinking about the potential issues that can arise from the scenarios shown on the slide.

Among other things, you could see Layer 2 topology changes that affect network performance or cause complete outages, unauthorized access to your network and its resources, or a network outage caused by resource overload through a DoS attack. In reality, many potential issues can arise if you do not protect your network and its resources. The port security features covered in this section and throughout the material can help mitigate some of these potential issues.




MAC Limiting
MAC limiting protects Ethernet switches, as well as other network resources, against attacks that use MAC addresses. Examples of attacks that use MAC addresses to disrupt network operations include MAC flooding and MAC spoofing. Both can be quite harmful because they facilitate a denial-of-service (DoS) attack, which renders users, systems, or entire networks useless. MAC limiting can be implemented using two different methods.

The first method allows you to specify the maximum number of MAC addresses that can be learned on a single Layer 2 access port. Once the switch reaches the MAC limit, all traffic sourced from new MAC addresses is subject to being dropped, depending on the configured action.

The second method allows you to define allowed MAC addresses for a specific access port. Any MAC address that is not listed will not be learned or permitted network access.




Allowed MAC Address


Two MAC limiting methods exist: the allowed MAC address option and the MAC limit option. The slide illustrates and describes the allowed MAC address option. With the allowed MAC address option, a switch permits or denies hosts network access through their attached network ports based on their MAC addresses. This requires knowledge of each node's MAC address and is not ideal in environments where end-users move from switch port to switch port.




MAC Address Limit


MAC limiting protects the MAC forwarding table against flooding. You enable this feature on individual interfaces. The MAC limit is user defined and varies depending on the needs within each environment. In environments that use IP telephony, the limit should be two when an IP phone and a user's PC are attached to the same switch port. In data-only environments, you can typically specify a limit of one to account for the user's PC connection.

On the slide we see that two devices, a PC and an IP phone, require access to the network through ge-0/0/6.0. To accommodate this access requirement, ge-0/0/6.0 is configured with a MAC limit of two. All subsequent MACs attempting to access the network through this port are subject to the configured action. We cover the configurable actions for MAC limiting later in this section.




MAC Move Limiting


MAC move limiting is used to limit the number of times a MAC address can move to a new interface. This feature is used to prevent MAC spoofing attacks as well as Layer 2 loops. You enable MAC move limiting on a per-VLAN basis rather than on a per-interface basis like the allowed MAC and MAC limit options. Once enabled, the switch tracks the number of times a MAC address moves to a new interface. If the number of moves within one second exceeds the defined limit, the switch performs the configured action. We cover the configurable actions and show a configuration example later in this section.




MAC Limiting Actions


When a MAC limiting violation occurs, the switch performs one of the following actions:

• none: Does nothing. If you set a MAC limit to apply to all interfaces or a MAC move limit to apply to all VLANs on the EX Series switch, you can override that setting for a particular interface or VLAN by specifying an action of none.
• drop: Drops the packet and generates an alarm, an SNMP trap, or a system log entry. This is the default action for a MAC limiting violation (MAC limit or MAC move limit).
• log: Does not drop the packet but generates a system log entry.
• shutdown: Disables the port, blocks data traffic, and generates a system log entry.



Note that you can configure a switch with the port-error-disable statement to allow disabled interfaces to recover automatically upon expiration of the specified disable timeout. An example configuration using the port-error-disable statement with a specified disable timeout follows:

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
port-error-disable {
    disable-timeout 3600;
}

This autorecovery feature is disabled by default and has a valid timeout range of 10 to 3600 seconds. Enabling this autorecovery option does not affect pre-existing error conditions; it only affects error conditions detected after the port-error-disable option has been enabled and committed.

If you have not configured the switch for autorecovery, or you need to clear a port error disabled condition detected before the autorecovery feature was enabled, you can bring a disabled interface back into service by issuing the clear ethernet-switching port-error interface command. We provide an example of clearing MAC limiting violations later in this section.




Configuring MAC Limiting


The slide illustrates a sample configuration for the various MAC limiting options previously covered. In this example, we see all three enforcement methods, as well as the common actions invoked when a limit violation occurs.

As mentioned previously, in addition to the actions of log, drop, and shutdown, a fourth action of none exists. The action none allows you to exclude individual interfaces or VLANs from a MAC limiting configuration when the interface all or vlan all statements are used with the MAC limit or MAC move limit options respectively.



The following example illustrates the use of the none action in this scenario:

{master:0}[edit ethernet-switching-options]
user@switch# show
secure-access-port {
    interface ge-0/0/15.0 {
        mac-limit 1 action none;
    }
    interface all {
        mac-limit 1 action shutdown;
    }
    vlan all {
        mac-move-limit 1 action shutdown;
    }
    vlan default {
        mac-move-limit 1 action none;
    }
}

When the interface all or vlan all statements are used in conjunction with individual interface or VLAN statements, the Junos OS considers the individual interface or VLAN statements to be more specific, and they always take precedence.
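To make the precedence rule and the violation actions concrete, the following model (an added example for this section, not Juniper code) applies the configuration above to a stream of frames: a specific interface or VLAN statement wins over interface all / vlan all, MAC moves are counted within a one-second window per VLAN, and shutdown error-disables the port until clear ethernet-switching port-error or the port-error-disable timeout clears it. The assumption that a MAC beyond the limit is not learned unless the action is none, and the constructed config values, are this model's own.

```python
"""Model of MAC limit and MAC move limit enforcement (added example, not Juniper code)."""
from collections import defaultdict, deque

# Constructed configuration mirroring the chapter's 'action none' example.
CONFIG = {
    "interface": {
        "all":         {"mac-limit": 1, "action": "shutdown"},
        "ge-0/0/15.0": {"mac-limit": 1, "action": "none"},
    },
    "vlan": {
        "all":     {"mac-move-limit": 1, "action": "shutdown"},
        "default": {"mac-move-limit": 1, "action": "none"},
    },
}
MOVE_WINDOW = 1.0        # seconds: moves are counted within one second
DISABLE_TIMEOUT = 3600   # port-error-disable disable-timeout value from the chapter


def effective_policy(table, name):
    """A specific interface or VLAN statement is more specific than 'all'
    and always takes precedence; otherwise 'all' applies, if configured."""
    return table.get(name, table.get("all"))


class PortSecurity:
    def __init__(self, config, autorecovery=False):
        self.config = config
        self.autorecovery = autorecovery
        self.learned = defaultdict(set)    # interface -> MACs learned on it
        self.location = {}                 # (vlan, mac) -> interface last seen
        self.moves = defaultdict(deque)    # (vlan, mac) -> timestamps of moves
        self.disabled = {}                 # interface -> time it was error-disabled
        self.syslog = []                   # constructed stand-in for the system log

    def _act(self, action, ifname, reason, ts):
        """Apply a violation action; 'log' forwards the frame but records it."""
        self.syslog.append((ts, ifname, reason, action))
        if action == "shutdown":
            self.disabled[ifname] = ts
        return "forward" if action == "log" else action

    def _port_up(self, ifname, ts):
        """Honour port-error-disable autorecovery once the timeout has expired."""
        if ifname not in self.disabled:
            return True
        if self.autorecovery and ts - self.disabled[ifname] >= DISABLE_TIMEOUT:
            del self.disabled[ifname]
            return True
        return False

    def clear_port_error(self, ifname):
        """Model of 'clear ethernet-switching port-error interface <ifname>'."""
        return self.disabled.pop(ifname, None) is not None

    def ingress(self, ifname, vlan, mac, ts):
        """Process the source MAC of one frame; return the frame's verdict."""
        if not self._port_up(ifname, ts):
            return "port-disabled"
        # MAC limit: only a MAC not yet learned on this port counts against it.
        pol = effective_policy(self.config["interface"], ifname)
        if pol and mac not in self.learned[ifname]:
            if len(self.learned[ifname]) >= pol["mac-limit"] and pol["action"] != "none":
                return self._act(pol["action"], ifname, "mac-limit", ts)
            self.learned[ifname].add(mac)   # assumption: learned only if within limit or action none
        # MAC move limit: per VLAN, count moves to a new interface within 1 s.
        vpol = effective_policy(self.config["vlan"], vlan)
        key = (vlan, mac)
        prev = self.location.get(key)
        self.location[key] = ifname
        if vpol and prev is not None and prev != ifname:
            window = self.moves[key]
            window.append(ts)
            while ts - window[0] >= MOVE_WINDOW:   # slide the one-second window
                window.popleft()
            if len(window) > vpol["mac-move-limit"] and vpol["action"] != "none":
                return self._act(vpol["action"], ifname, "mac-move-limit", ts)
        return "forward"
```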




Monitoring MAC Limiting


This slide illustrates some sample outputs used to determine the effects of the MAC limiting configuration options.




Clearing MAC Limiting Violations


If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up a disabled interface manually by issuing the clear ethernet-switching port-error interface command as shown on the slide.




DHCP Review
The Dynamic Host Configuration Protocol (DHCP) is used to dynamically configure hosts on a network. An administrator defines network parameters on a DHCP server. Based on individual requests from the DHCP clients, the DHCP server dynamically assigns network parameters that facilitate network access for the individual hosts, or DHCP clients. The slide illustrates the basic communication process between DHCP clients and a DHCP server, including the various message types sent between clients and a DHCP server.




DHCP Requests
DHCP, like many other protocols, has inherent vulnerabilities, which can be exploited either intentionally or unintentionally. When a client sends a DHCP request, it is sent as a broadcast packet and is seen by all other devices participating on the subnet.

Who's Calling?

Because all DHCP requests can be viewed by any other device participating on the same subnet, it follows that any device on that subnet can also respond to that DHCP request. This inherent DHCP behavior gives attackers opportunities to disrupt normal network operations and effectively launch a DoS attack. One such attack might include the use of a rogue DHCP server that responds to legitimate requests from authorized clients and provides bogus network parameters to those clients.




DHCP Snooping
You can use DHCP snooping to combat some of the inherent DHCP vulnerabilities and protect your network and its resources. DHCP snooping builds and maintains a database of valid IP addresses assigned to downstream network devices by a trusted DHCP server. DHCP snooping reads the lease information, which is sent from the DHCP server to the individual DHCP clients, and from this information creates the DHCP snooping database. This database is a mapping between IP address, MAC address, and the associated VLAN. When a DHCP client releases an IP address (by sending a DHCPRELEASE message), the associated mapping entry is deleted from the database. The switch also tracks the lease time, as assigned by the DHCP server, and purges all expired entries.

DHCP snooping protects the switch, as well as other network components, by inspecting all DHCP packets on untrusted ports. By default, the Junos OS treats access ports as untrusted and trunk ports as trusted. If a server is connected to a local access port, you must configure that port as a trusted port to accommodate the DHCP server traffic it receives. Note that DHCP snooping occurs only on interfaces for which an entry exists. If a switch port is connected to a device with a statically defined IP address, no inspection occurs.
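The lifecycle described above (learn from the server's lease message, delete on DHCPRELEASE, purge on lease expiry, accept server traffic only from a dhcp-trusted port) as a small model. This is an added example for this section, not Juniper code; the message dictionaries, the requirement that a release arrive on the port holding the binding, and the (vlan, mac) key are this model's assumptions.

```python
"""Model of the DHCP snooping database (added example, not Juniper code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: str
    interface: str
    expires: Optional[float]     # absolute time; None for a static entry
    kind: str = "dynamic"        # "dynamic" or "static", as in the show output


class SnoopingDatabase:
    def __init__(self, trusted_interfaces=()):
        self.trusted = set(trusted_interfaces)   # ports configured dhcp-trusted
        self.entries = {}                        # (vlan, mac) -> Binding

    def observe(self, msg, now):
        """Inspect one DHCP message and return the switch's verdict.

        msg is a constructed dict with keys: type, interface (ingress port),
        vlan, client_mac, and for DHCPACK also client_interface, ip and lease.
        """
        kind, ingress = msg["type"], msg["interface"]
        key = (msg["vlan"], msg["client_mac"].lower())
        if kind in ("DHCPOFFER", "DHCPACK", "DHCPNAK"):
            if ingress not in self.trusted:
                # Server messages from an untrusted access port: rogue server.
                return "drop-server-on-untrusted-port"
            if kind == "DHCPACK":
                self.entries[key] = Binding(key[1], msg["ip"], msg["vlan"],
                                            msg["client_interface"],
                                            now + msg["lease"])
                return "learned"
            return "forward"
        if kind == "DHCPRELEASE":
            entry = self.entries.get(key)
            # Assumption: a release is honoured only from the binding's own port.
            if entry is None or entry.interface != ingress:
                return "drop-release-mismatch"
            del self.entries[key]
            return "released"
        return "forward"   # DISCOVER/REQUEST are client traffic and not recorded

    def add_static(self, interface, ip, vlan, mac):
        """Equivalent of 'interface <if> { static-ip <ip> vlan <vlan> mac <mac>; }'."""
        self.entries[(vlan, mac.lower())] = Binding(mac.lower(), ip, vlan,
                                                    interface, None, "static")

    def purge_expired(self, now):
        """Drop dynamic entries whose lease has run out; return how many."""
        gone = [k for k, b in self.entries.items()
                if b.expires is not None and b.expires <= now]
        for k in gone:
            del self.entries[k]
        return len(gone)

    def clear(self, vlan=None, mac=None):
        """Model of 'clear dhcp snooping binding [vlan <v>] [mac <m>]'."""
        gone = [k for k in self.entries
                if (vlan is None or k[0] == vlan)
                and (mac is None or k[1] == mac.lower())]
        for k in gone:
            del self.entries[k]
        return len(gone)

    def show(self, now):
        """Rows in the column order of 'show dhcp snooping binding'."""
        rows = []
        for b in sorted(self.entries.values(), key=lambda b: b.mac):
            lease = "-" if b.expires is None else str(int(b.expires - now))
            rows.append((b.mac, b.ip, lease, b.kind, b.vlan, b.interface))
        return rows
```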




DHCP Snooping Process


This slide illustrates the basic steps involved in the DHCP snooping process. Note that in previous versions of the Junos OS, EX Series switches snooped DHCPDISCOVER and DHCPOFFER packets. This is no longer true in current software versions.




Configuring DHCP Snooping


This slide provides a basic DHCP snooping configuration example. This example shows the required configuration to enlist an access interface (ge-0/0/8.0), which connects to a DHCP server, as a trusted interface, as well as how to enable DHCP snooping on an individual VLAN.

When DHCP snooping is enabled, the DHCP lease information learned by the switch is used to create the DHCP snooping database, a mapping of IP address to VLAN–MAC-address pairs. For each VLAN–MAC-address pair, the database stores the corresponding IP address.

By default, the IP-MAC bindings are lost when the switch is rebooted and DHCP clients (the network devices, or hosts) must reacquire bindings. You can configure the DHCP bindings to persist through a reboot by setting the dhcp-snooping-file statement. This configuration option stores the database file either locally or remotely, depending on user preference, and is configured under the [edit ethernet-switching-options secure-access-port] hierarchy level.



The following sample configuration illustrates the configurable options:

{master:0}[edit ethernet-switching-options secure-access-port]
user@switch# set dhcp-snooping-file ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  location             Location of DHCP snooping entries file
  timeout              Timeout for remote read and write operations (seconds)
  write-interval       Time interval for writing DHCP snooping entries (seconds)

Junos OS requires you to set the location to which the file entries will be written as well as the write-interval. The write-interval statement determines the interval at which the snooping entries are written to the local or remote file. The timeout option determines the timeout interval for remote read and write operations when the DHCP snooping file is written to a remote server.

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
secure-access-port {
    interface ge-0/0/8.0 {
        dhcp-trusted;
    }
    vlan default {
        examine-dhcp;
    }
    dhcp-snooping-file {
        location /var/tmp/snoop-dawg-n-co;
        write-interval 60;
    }
}

To view the DHCP snooping file contents, use the operational file show command along with the path and file name. You can also view the transfer and read and write statistics for the DHCP snooping file using the operational show dhcp snooping statistics command. The following output illustrates a sample:

{master:0}[edit ethernet-switching-options]
user@Switch-1# run file show /var/tmp/snoop-dawg-n-co
Version : 1
00:26:88:02:74:86 172.28.1.2 Tue May 11 19:10:20 2010 ge-0/0/6.0 default 32a945b6 4054d4d7 2343702b fcdd52ee
00:26:88:02:74:87 172.28.1.3 Tue May 11 19:10:20 2010 ge-0/0/7.0 default f7dea107 cee9565a 92030701 8e348a02

{master:0}[edit ethernet-switching-options]
user@Switch-1# run show dhcp snooping statistics
DHCP Snoop Persistence statistics
Successful Remote Transfers: 0    Failed Remote Transfers: 0
Successful Record Reads    : 0    Failed Record Reads    : 0
Successful Record Writes   : 2    Failed Record Writes   : 0




Monitoring DHCP Snooping


When DHCP snooping is enabled, the DHCP lease information learned by the switch is used to create the DHCP snooping database, a mapping of IP address to VLAN–MAC-address pairs. For each VLAN–MAC-address pair, the database stores the corresponding IP address. You use the show dhcp snooping binding command to view the registered details within the DHCP snooping database.




Clearing the DHCP Snooping Database


Use the clear dhcp snooping binding command to clear entries within the DHCP snooping database. This command offers various options that allow the user to clear all entries, all entries for a particular VLAN, or individual entries within the DHCP snooping database. You can use the show dhcp snooping binding command before and after clearing database entries to monitor the results. The following output illustrates this point and clears an individual MAC address:

{master:0}
user@Switch-1> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN     Interface
00:26:88:02:74:86   172.28.1.2   85243            dynamic  default  ge-0/0/6.0
00:26:88:02:74:87   172.28.1.3   85243            dynamic  default  ge-0/0/7.0

{master:0}
user@Switch-1> clear dhcp snooping binding vlan default mac 00:26:88:02:74:87

{master:0}
user@Switch-1> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN     Interface
00:26:88:02:74:86   172.28.1.2   85212            dynamic  default  ge-0/0/6.0




Adding Static Entries


As shown on the slide, you can add static entries to the DHCP snooping database. This might be helpful in situations where a network device does not support ARP or must have ARP disabled. To remove static DHCP snooping database entries, you must manually delete the static definition.




ARP Review
Sending IP packets on a multiaccess network requires mapping an IP address to an Ethernet MAC address. Ethernet LANs use the Address Resolution Protocol (ARP) to map MAC addresses to IP addresses.

All devices participating on an Ethernet LAN in a Layer 3 capacity maintain an ARP table with these IP address to Ethernet MAC address mappings. Each Layer 3 device participating on an Ethernet LAN maintains its ARP table in cache and consults the stored information when forwarding packets to other Layer 3 devices on the same LAN.

If the ARP cache does not contain an entry for the destination device, the host broadcasts an ARP request for that device's Ethernet MAC address and stores the response in the ARP table. An example of an ARP table follows:

user@switch> show arp
MAC Address         Address      Name         Interface    Flags
00:26:88:02:74:86   172.28.1.2   172.28.1.2   ge-0/0/8.0   none
00:26:88:02:74:87   172.28.1.3   172.28.1.3   ge-0/0/8.0   none
00:26:88:02:74:89   172.28.1.4   172.28.1.4   ge-0/0/8.0   none
Total entries: 3




ARP Spoofing
ARP spoofing, also known as ARP poisoning, is commonly used to initiate man-in-the-middle attacks. In these attacks, the attacker sends an ARP packet that spoofs the MAC address of another device on the LAN, such as a gateway device or server. Instead of the switch sending traffic to the proper network device, it sends the traffic to the impersonating device with the spoofed address. The result is that traffic from the switch is diverted from the proper destination and received by the impersonating device.




Dynamic ARP Inspection


Dynamic ARP Inspection (DAI) examines ARP requests and responses on the LAN. Each ARP packet received on an untrusted access port is validated against the DHCP snooping database. By validating each ARP packet received on untrusted access ports, DAI can prevent ARP spoofing.

If the DHCP snooping database does not contain an IP address-to-MAC address entry for the information within the ARP packet, DAI drops the ARP packet, thus preventing the propagation of invalid host address information. DAI also drops ARP packets when the IP address in the packet is invalid. Because DAI depends on the entries found within the DHCP snooping database, you must enable DHCP snooping. DAI inspects ARP packets received on untrusted interfaces. Access ports are untrusted by default but can be changed to trusted ports through user configuration. ARP packets bypass DAI on trusted interfaces. Trunk ports are trusted by default.



By default, DAI is disabled on EX Series switches. You enable DAI on individual VLANs and not for each port. If an access port is connected to a host with a statically defined IP address within a VLAN that has DHCP snooping and DAI enabled, you must configure that port as a trusted port to allow ARP packets to pass. You can set individual ports as trusted by adding the dhcp-trusted option on a given port, as shown in the following example:

[edit ethernet-switching-options]
user@switch# show
secure-access-port {
    interface ge-0/0/8.0 {
        dhcp-trusted;
    }
}

Junos OS broadcasts all ARP queries directed to the switch out all ports assigned to the associated VLAN. The software subjects the ARP responses to those queries to the DAI check. ARP packets are sent to and reviewed by the Routing Engine (RE). To prevent CPU overloading, Junos OS rate-limits ARP packets destined for the RE.




Configuring DAI
This slide illustrates a basic DAI configuration. As mentioned previously, DAI is configured on a per-VLAN basis. In the sample configuration on the slide, DAI is enabled for the default VLAN.

If you have devices that do not support DHCP and choose to implement DAI, you must define a static entry in the DHCP snooping database for those devices. The following example configuration illustrates how to manually define a static DHCP snooping database entry:

{master:0}[edit]
user@Switch-1# show ethernet-switching-options
secure-access-port {
    interface ge-0/0/9.0 {
        static-ip 172.28.1.4 vlan default mac 00:26:88:02:74:89;
    }
    interface ge-0/0/8.0 {
        dhcp-trusted;
    }
    vlan default {
        arp-inspection;
        examine-dhcp;
    }
}




Monitoring DAI
This slide highlights some key commands used to monitor the operation of DAI. Use the show dhcp snooping binding command to view the recorded details within the DHCP snooping database. Use the show arp inspection statistics command to view DAI statistics.

If you have included a static entry in the DHCP snooping database, that entry will show a type of static rather than dynamic. The following capture illustrates a static entry:

{master:0}
user@Switch-1> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN     Interface
00:26:88:02:74:86   172.28.1.2   86277            dynamic  default  ge-0/0/6.0
00:26:88:02:74:87   172.28.1.3   86277            dynamic  default  ge-0/0/7.0
00:26:88:02:74:89   172.28.1.4   -                static   default  ge-0/0/9.0




IP Address Spoofing
Users can change or spoof source IP addresses and/or source MAC addresses by flooding the switch with packets containing invalid addresses. Combined with other techniques, such as TCP SYN flood attacks, address spoofing can deny legitimate service and render a network useless.

Identifying the source of an attack that uses source IP address or source MAC address spoofing can be difficult for system administrators. As illustrated on the slide, attackers can spoof addresses on the same subnet or on a different subnet.




IP Source Guard
A switch with the IP source guard feature enabled checks the source IP and MAC addresses in a packet entering untrusted access interfaces against the entries stored in the DHCP snooping database. If IP source guard determines that the packet header contains an invalid source IP or MAC address, the switch does not forward the packet; that is, the packet is discarded.

You can enable IP source guard on one or more VLANs. IP source guard applies its checking rules to packets sent from untrusted access interfaces on those VLANs. By default, on EX Series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not check packets that have been sent to the switch by devices connected to either trunk interfaces or trusted access interfaces.

IP source guard obtains information about IP-address/MAC-address/VLAN bindings from the DHCP snooping database. It causes the switch to validate incoming IP packets against the entries in that database. After the DHCP snooping database has been populated, either through dynamic DHCP snooping or through configuration of specific static IP address/MAC address bindings, the IP source guard feature builds its database. It then checks incoming packets from access interfaces on the VLANs on which it is enabled. If the source IP addresses and source MAC addresses match the IP source guard binding entries, the switch forwards the packets to their specified destination addresses. If no matches are found, the switch discards the packets.
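The following model covers both the DAI check from the Dynamic ARP Inspection pages and the IP source guard check described above, run against a constructed copy of the chapter's binding table. It is an added example for this section, not Juniper's implementation; its assumptions are that DAI compares the ARP sender IP/MAC pair against the binding for that VLAN, that IP source guard additionally requires the ingress interface to match, that trunk ports and dhcp-trusted access ports bypass both checks, and that the trunk name ge-0/0/47.0 and gateway address 172.28.1.1 are constructed.

```python
"""DAI and IP source guard verdicts against DHCP snooping bindings (added example, not Juniper code)."""
import ipaddress

# Constructed bindings: (mac, ip, vlan, interface); the last one is the static entry.
BINDINGS = [
    ("00:26:88:02:74:86", "172.28.1.2", "default", "ge-0/0/6.0"),
    ("00:26:88:02:74:87", "172.28.1.3", "default", "ge-0/0/7.0"),
    ("00:26:88:02:74:89", "172.28.1.4", "default", "ge-0/0/9.0"),
]
TRUSTED_ACCESS = {"ge-0/0/8.0"}   # dhcp-trusted access port (DHCP server)
TRUNKS = {"ge-0/0/47.0"}          # constructed uplink; trunks are trusted by default
DAI_VLANS = {"default"}           # VLANs configured with arp-inspection
IPSG_VLANS = {"default"}          # VLANs configured with ip-source-guard
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def build_table(bindings):
    """Index the snooping database by (vlan, mac) -> (ip, interface)."""
    return {(vlan, mac.lower()): (ip, iface) for mac, ip, vlan, iface in bindings}


def is_trusted(iface):
    return iface in TRUSTED_ACCESS or iface in TRUNKS


def valid_ip(ip):
    """DAI drops ARP packets whose IP is invalid; here that means unparsable,
    unspecified (0.0.0.0), multicast, or the limited broadcast address."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_multicast or addr == BROADCAST)


def dai_check(table, iface, vlan, sender_mac, sender_ip):
    """Verdict for an ARP request or reply received on iface in vlan."""
    if vlan not in DAI_VLANS or is_trusted(iface):
        return "bypass"
    if not valid_ip(sender_ip):
        return "drop-invalid-ip"
    entry = table.get((vlan, sender_mac.lower()))
    if entry is None or entry[0] != sender_ip:
        return "drop-no-binding"      # no IP-to-MAC entry for this packet
    return "permit"


def ipsg_check(table, iface, vlan, src_mac, src_ip):
    """Verdict for the source addresses of an IP packet from an access port."""
    if vlan not in IPSG_VLANS or is_trusted(iface):
        return "bypass"
    if table.get((vlan, src_mac.lower())) == (src_ip, iface):
        return "forward"
    return "discard"


def run_sample():
    """Replay constructed packets; returns (DAI verdict, IPSG verdict) per packet."""
    table = build_table(BINDINGS)
    packets = [
        ("ge-0/0/6.0", "default", "00:26:88:02:74:86", "172.28.1.2"),    # legitimate host
        ("ge-0/0/7.0", "default", "00:26:88:02:74:87", "172.28.1.1"),    # claims the gateway's IP
        ("ge-0/0/6.0", "default", "00:26:88:02:74:87", "172.28.1.3"),    # valid pair, wrong port
        ("ge-0/0/9.0", "default", "00:26:88:02:74:89", "172.28.1.4"),    # static binding
        ("ge-0/0/8.0", "default", "00:26:88:02:74:01", "172.28.1.254"),  # trusted server port
        ("ge-0/0/6.0", "default", "00:26:88:02:74:86", "0.0.0.0"),       # invalid sender IP
    ]
    return [(dai_check(table, *p), ipsg_check(table, *p)) for p in packets]
```

The third packet shows the difference between the two checks: the IP/MAC pair is in the database, so DAI permits the ARP packet, but IP source guard discards the IP packet because the binding belongs to ge-0/0/7.0.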




Configuring IP Source Guard


This slide illustrates the required configuration to enable the IP source guard feature. As mentioned previously, DAI is configured on a per-VLAN basis. In the sample configuration on the slide, DAI is enabled for the default VLAN.

If you have devices that do not support DHCP and choose to implement IP source guard, you must define a static entry in the DHCP snooping database for those devices. The following example configuration illustrates how to manually define a static DHCP snooping database entry:

{master:0}[edit ethernet-switching-options]
user@Switch-1# show
secure-access-port {
    interface ge-0/0/8.0 {
        dhcp-trusted;
    }
    interface ge-0/0/9.0 {
        static-ip 172.28.1.4 vlan default mac 00:26:88:02:74:89;
    }
    vlan default {
        examine-dhcp;
        ip-source-guard;
    }
}



You can use the no-ip-source-guard and no-examine-dhcp statements to disable IP source guard and DHCP snooping respectively for a specific VLAN after you have enabled those features for all VLANs. A configuration example that uses these statements follows:

{master:0}[edit ethernet-switching-options]
user@switch# show
secure-access-port {
    vlan all {
        examine-dhcp;
        ip-source-guard;
    }
    vlan default {
        no-examine-dhcp;
        no-ip-source-guard;
    }
}

You can configure IP source guard with various other features on EX Series switches to provide increased access port security. One such feature, which provides end-user authentication services, is 802.1X. The 802.1X user authentication feature is applied in one of three modes: single supplicant, single-secure supplicant, or multiple supplicant. Single supplicant mode works with IP source guard, but single-secure and multiple supplicant modes do not. Complete coverage of 802.1X is outside the scope of this material.




Monitoring IP Source Guard


This slide highlights some key commands used to monitor the operation of IP source guard. Use the show dhcp snooping binding command to view the recorded details within the DHCP snooping database. Use the show ip-source-guard command to view IP source guard information. Remember that the IP source guard database is created based on the contents of the DHCP snooping database. For this reason, the output displayed when issuing these two commands is nearly identical.

The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if any exist, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have an asterisk (*) in the IP Address and MAC Address fields.



Static entries added to the DHCP snooping database show a type of static rather than dynamic. The following capture illustrates a static entry:

user@Switch-1> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN     Interface
00:26:88:02:74:86   172.28.1.2   86277            dynamic  default  ge-0/0/6.0
00:26:88:02:74:87   172.28.1.3   86277            dynamic  default  ge-0/0/7.0
00:26:88:02:74:89   172.28.1.4   -                static   default  ge-0/0/9.0

No type indication exists for entries in the IP source guard database:

user@Switch-1> show ip-source-guard
IP source guard information:
Interface    Tag  IP Address   MAC Address         VLAN
ge-0/0/6.0   0    172.28.1.2   00:26:88:02:74:86   default
ge-0/0/7.0   0    172.28.1.3   00:26:88:02:74:87   default
ge-0/0/9.0   0    172.28.1.4   00:26:88:02:74:89   default
