Port Security

TECH ACADEMY – DAY SEVEN – JOSE QUIROS


SPANNING TREE PORT SECURITY FEATURES

• BPDU protection
• Loop Protection
• Root Protection

Non-Juniper
BPDU Protection

• Prevents rogue switches from connecting to the network and causing undesired layer 2 topology changes and possible outages.
• If a BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state.

Loop Protection

• Provides additional protection against Layer 2 loops by preventing non-designated ports from becoming designated ports.
• Enable loop protection on all non-designated ports.

Root Protection

• Enable Root Protection to avoid unwanted STP topology changes and root bridge placement.
• If a superior BPDU is received on a Root Protection protected interface, the interface is disabled and transitions to the blocking state.
• Prevents designated ports on the root bridge from becoming root ports.

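The two decisions the BPDU Protection and Root Protection slides describe, written out as an added Python model that is not part of the original deck. A port with BPDU protection is disabled by any BPDU; a port with root protection is blocked only by a BPDU that advertises a superior (numerically lower) root bridge ID; an unprotected port is included for contrast and accepts the new root, which is exactly the topology change the features prevent. Class names, port names and the rogue bridge ID are assumptions constructed for the example.

```python
"""Added example (not from the slides): how a switch port with BPDU protection
or root protection reacts to an incoming BPDU. Class, port and bridge names
are assumptions made for illustration; the decisions follow the slide text."""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge identifier: lower priority, then lower MAC, is superior."""
    priority: int
    mac: str


@dataclass
class Bpdu:
    root_id: BridgeId     # root bridge the sender believes in
    sender_id: BridgeId   # bridge that transmitted the BPDU


@dataclass
class Port:
    name: str
    bpdu_protection: bool = False  # edge port facing a host: no BPDU expected
    root_protection: bool = False  # designated port: no superior root expected
    state: str = "forwarding"
    events: list = field(default_factory=list)


class Switch:
    def __init__(self, bridge_id: BridgeId, current_root: BridgeId):
        self.bridge_id = bridge_id
        self.current_root = current_root
        self.ports: dict[str, Port] = {}

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def receive_bpdu(self, port_name: str, bpdu: Bpdu) -> str:
        port = self.ports[port_name]
        if port.state == "blocking":
            return "ignored (port already blocking)"
        # BPDU protection: any BPDU on a protected edge port disables the port.
        if port.bpdu_protection:
            port.state = "blocking"
            port.events.append(
                f"BPDU from {bpdu.sender_id.mac} on protected port {port.name}: disabled")
            return "disabled"
        superior = bpdu.root_id < self.current_root
        # Root protection: a superior BPDU on a protected designated port blocks
        # the port instead of letting it become a root port.
        if port.root_protection and superior:
            port.state = "blocking"
            port.events.append(
                f"superior root {bpdu.root_id} on root-protected port {port.name}: blocked")
            return "root-protected"
        # Unprotected port: normal STP behaviour, the superior root is accepted.
        if superior:
            self.current_root = bpdu.root_id
            return "root-changed"
        return "accepted"


def demo() -> dict:
    """Run the scenarios from the slides on constructed data and return the outcomes."""
    legit_root = BridgeId(32768, "00:00:00:00:00:01")
    sw = Switch(BridgeId(32768, "00:00:00:00:00:02"), legit_root)
    sw.add_port(Port("ge-0/0/1", bpdu_protection=True))   # user-facing edge port
    sw.add_port(Port("ge-0/0/2", root_protection=True))   # designated, root-protected
    sw.add_port(Port("ge-0/0/3"))                         # unprotected, for contrast
    rogue = BridgeId(0, "de:ad:be:ef:00:01")              # constructed rogue bridge
    rogue_bpdu = Bpdu(root_id=rogue, sender_id=rogue)
    return {
        "edge": sw.receive_bpdu("ge-0/0/1", rogue_bpdu),
        "root_protected": sw.receive_bpdu("ge-0/0/2", rogue_bpdu),
        "root_after_protected": sw.current_root,
        "unprotected": sw.receive_bpdu("ge-0/0/3", rogue_bpdu),
        "root_after_unprotected": sw.current_root,
        "states": {p.name: p.state for p in sw.ports.values()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `events` list on each port stands in for the syslog entry a real switch would emit; monitoring those messages is how an operator notices that a BPDU arrived where none was expected.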
PORT SECURITY FEATURES

Port Security features

• Default settings include all interfaces on a Juniper switch to be enabled for layer 2 operations.
• Once a physical connection is passed to an end-user, that user can, if proactive measures are not taken, connect a rogue switch or wireless device to the network, allowing access for unauthorized devices to the network and its resources.

Juniper Port Security features

• MAC Limiting
• Persistent MAC learning
• DHCP Snooping
• Dynamic ARP Inspection (DAI)
• IP Source Guard

MAC Limiting

• Limits the number of MAC addresses learned on a port.
• Prevents MAC address spoofing by explicitly configuring the allowed MAC addresses on a port.
• Monitors MAC address movement between ports in the same VLAN.

MAC Limiting

To achieve these goals, MAC Limiting is divided into three possible configurations, chosen based on needs:
• MAC address limit
• Allowed MAC address
• MAC Move limit

MAC address limit

• Combats flooding by limiting the number of MAC addresses learned through a specific port.

Allowed MAC addresses

• Combats spoofing by statically binding specific MAC addresses to a particular port.

MAC Move Limit

• Use this option to limit the number of times a MAC address can move to a new interface.
• Helps prevent MAC spoofing and layer 2 loops.

MAC Limiting actions

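The three MAC Limiting configurations above (MAC address limit, allowed MAC addresses, MAC move limit) and the drop/shutdown actions, as an added Python model that is not code from the slides or from Junos. It shows what each configuration catches: a flood of new source MACs on one port, a source that is not in the static list, and one MAC that keeps hopping between ports of a VLAN. The class, the port names, the MAC addresses and the action names are constructed for the example.

```python
"""Added example (not from the slides): a simplified model of the three MAC
limiting configurations applied to frames arriving on access ports. Port
names, MAC addresses and action names are constructed for illustration."""
from collections import defaultdict


class MacLimiter:
    def __init__(self, action: str = "drop"):
        self.action = action                      # "drop" or "shutdown"
        self.mac_limit: dict[str, int] = {}       # port -> max learned MACs
        self.allowed: dict[str, set] = {}         # port -> statically bound MACs
        self.move_limit: dict[int, int] = {}      # vlan -> max moves per MAC
        self.learned = defaultdict(set)           # port -> learned MACs
        self.location: dict[tuple, str] = {}      # (vlan, mac) -> port
        self.moves = defaultdict(int)             # (vlan, mac) -> move count
        self.disabled: set = set()
        self.violations: list = []

    def _violation(self, port: str, reason: str) -> str:
        self.violations.append((port, reason))
        if self.action == "shutdown":
            self.disabled.add(port)
            return "drop (port shut down)"
        return "drop"

    def receive(self, port: str, vlan: int, src_mac: str) -> str:
        """Return the forwarding decision for a frame from src_mac on port."""
        if port in self.disabled:
            return "drop (port disabled)"
        # Allowed MAC addresses: only statically bound sources may use the port.
        if port in self.allowed and src_mac not in self.allowed[port]:
            return self._violation(port, f"{src_mac} not an allowed MAC")
        key = (vlan, src_mac)
        previous = self.location.get(key)
        # MAC move limit: count moves of the same MAC between ports of one VLAN.
        if previous is not None and previous != port:
            self.moves[key] += 1
            limit = self.move_limit.get(vlan)
            if limit is not None and self.moves[key] > limit:
                return self._violation(
                    port, f"{src_mac} moved {self.moves[key]} times in VLAN {vlan}")
            self.learned[previous].discard(src_mac)
        # MAC address limit: refuse to learn beyond the configured count.
        if src_mac not in self.learned[port]:
            limit = self.mac_limit.get(port)
            if limit is not None and len(self.learned[port]) >= limit:
                return self._violation(port, f"MAC limit {limit} reached")
            self.learned[port].add(src_mac)
        self.location[key] = port
        return "forward"


def demo() -> dict:
    """Constructed scenarios covering the three configurations and the shutdown action."""
    ml = MacLimiter(action="drop")
    ml.mac_limit["ge-0/0/1"] = 2                        # MAC address limit
    ml.allowed["ge-0/0/2"] = {"00:11:22:33:44:55"}      # allowed MAC addresses
    ml.move_limit[10] = 1                               # MAC move limit for VLAN 10
    # Flooding: three different sources behind a port limited to two.
    flood = [ml.receive("ge-0/0/1", 10, f"aa:aa:aa:aa:aa:0{i}") for i in (1, 2, 3)]
    # Spoofing: the bound address passes, anything else is refused.
    spoof = [ml.receive("ge-0/0/2", 10, "00:11:22:33:44:55"),
             ml.receive("ge-0/0/2", 10, "66:77:88:99:aa:bb")]
    # MAC move: one address seen on two ports, then moving again past the limit.
    roaming = "00:aa:bb:cc:dd:ee"
    move = [ml.receive("ge-0/0/3", 10, roaming),
            ml.receive("ge-0/0/4", 10, roaming),
            ml.receive("ge-0/0/3", 10, roaming)]
    # Shutdown action: the violating port stays down for later frames too.
    strict = MacLimiter(action="shutdown")
    strict.mac_limit["ge-0/0/5"] = 1
    shutdown = [strict.receive("ge-0/0/5", 20, "aa:aa:aa:aa:aa:01"),
                strict.receive("ge-0/0/5", 20, "aa:aa:aa:aa:aa:02"),
                strict.receive("ge-0/0/5", 20, "aa:aa:aa:aa:aa:01")]
    return {"flood": flood, "spoof": spoof, "move": move, "shutdown": shutdown,
            "violations": len(ml.violations)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `violations` list is the hook for the "MAC Limiting actions" slide: whatever the action (drop, log, shutdown), each violation should also produce a log record, because a port that silently drops frames looks to the help desk like a cabling fault.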
Persistent MAC learning

• Limits traffic loss for trusted hosts by retaining their MAC addresses during reboots.
• Protects against security attacks when used in conjunction with MAC limiting.

Persistent MAC learning considerations

• Interface must be an access port.
• Persistent MAC learning does not work on interfaces using 802.1X authentication.
• Interface must be allowed to learn MAC addresses.

DYNAMIC HOST CONFIGURATION PROTOCOL

DHCP

DHCP provides two primary functions:

• Allocate temporary or permanent IP addresses to clients.
• Store, manage, and provide client configuration parameters.

DHCP Client, DHCP Local Server, and Address-Assignment Pool Interaction

DHCP Local Server and Address-Assignment Pools

• Client address and configuration information reside in centralized address-assignment pools that are managed independently from the DHCP local server.

DHCP Client

DHCP Relay

DORA process packet exchange overview

• Discover (DHCPDISCOVER)
• Offer (DHCPOFFER)
• Request (DHCPREQUEST)
• Acknowledge (DHCPACK)

DHCP VULNERABILITIES

DHCP Vulnerabilities

• DHCP requests are flooded throughout the network; therefore requests can be seen by all devices on the same broadcast domain.
• Any listening device can respond to the DHCP requests.
• Attackers can start a DoS attack.

DHCP Snooping

Combats DHCP vulnerabilities by:
• Building and maintaining a database of valid DHCP bindings.
• Inspecting DHCP packets received on untrusted ports.
• By default access ports are untrusted and trunk ports are trusted.

DHCP snooping includes support for DHCP option 82.
• Used to identify the switch and port to which the client is attached.

ARP Review

• ARP is used to learn a device’s MAC address on a LAN via the IP address.
• Networking devices on a LAN build and maintain an ARP table, which includes MAC-to-IP address mapping.
• The ARP table is consulted when forwarding packets on the LAN.
• When an ARP entry for a specific MAC address does not exist in the ARP table, a broadcast packet is forwarded.

ARP Spoofing

• This is a man-in-the-middle attack that impersonates the MAC address of another network device such as a gateway or server.
• Traffic is diverted from the proper destination and received by the impersonating device.

Dynamic ARP Inspection (DAI)

• Prevents ARP spoofing attacks by intercepting ARP packets on untrusted ports and validating them against the DHCP snooping database.
• Checks if the source MAC address of the ARP packet matches a valid entry in the DHCP snooping database.
• If no MAC-IP entry matches, the packet is dropped.
• If the IP address in the packet is invalid, the packet is dropped.

IP address spoofing

• Attackers can change their IP and MAC addresses to hide their device’s identity when launching attacks.
• Spoofed attacks can be on the local network or remote networks.

IP Source Guard

• Use IP Source Guard to prevent IP spoofing attacks.
• Inspects IP packets on untrusted ports and validates them against the DHCP snooping database.
• Checks if the source MAC address of the IP packet matches a valid entry in the DHCP snooping database.
• If no valid entry exists, the packet is dropped.

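DHCP Snooping, Dynamic ARP Inspection and IP Source Guard all rest on the same binding database, so the three slides are served by one added Python model that is not code from the deck or from Junos. The switch watches a constructed DORA exchange between a client on an untrusted access port and a server behind a trusted port, drops a server OFFER that arrives on an untrusted port, tags client messages with an option 82 circuit-id/remote-id pair, and records the MAC/IP/port binding from the ACK. DAI then validates ARP sender fields and IP Source Guard validates IP source fields against that binding. The switch identifier, port names, MAC and IP addresses, and the message fields used are assumptions constructed for the example.

```python
"""Added example (not from the slides): a model of the DHCP snooping binding
database and the DAI and IP Source Guard checks that consult it. The switch
identifier, port names, MAC and IP addresses are constructed for illustration."""
from dataclasses import dataclass, field

SWITCH_ID = "switch-1"  # constructed value carried in the option 82 remote-id


@dataclass
class DhcpMsg:
    kind: str            # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    yiaddr: str = ""     # address offered or acknowledged by the server
    vlan: int = 1
    option82: dict = field(default_factory=dict)


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # e.g. the trunk toward the real DHCP server
        self.bindings: dict = {}            # (vlan, mac) -> {"ip": ..., "port": ...}
        self.pending: dict = {}             # (vlan, mac) -> access port of the request
        self.dropped: list = []

    def dhcp(self, port: str, msg: DhcpMsg) -> str:
        key = (msg.vlan, msg.client_mac)
        if msg.kind in ("OFFER", "ACK"):
            # Server messages are only legitimate on trusted ports.
            if port not in self.trusted:
                self.dropped.append((port, msg.kind, "DHCP server message on untrusted port"))
                return "drop"
            # A valid ACK completes a binding for the port that asked.
            if msg.kind == "ACK" and key in self.pending:
                self.bindings[key] = {"ip": msg.yiaddr, "port": self.pending.pop(key)}
            return "forward"
        # Client messages from untrusted ports: remember the port, tag with option 82.
        if port not in self.trusted:
            self.pending[key] = port
            msg.option82 = {"circuit-id": port, "remote-id": SWITCH_ID}
        return "forward"

    def _matches_binding(self, port, vlan, mac, ip) -> bool:
        binding = self.bindings.get((vlan, mac))
        return binding is not None and binding["ip"] == ip and binding["port"] == port

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection: ARP on untrusted ports must match a binding."""
        if port in self.trusted or self._matches_binding(port, vlan, sender_mac, sender_ip):
            return "forward"
        self.dropped.append((port, "ARP", f"{sender_mac}/{sender_ip} has no binding"))
        return "drop"

    def ip(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        """IP Source Guard: the same check applied to IP traffic."""
        if port in self.trusted or self._matches_binding(port, vlan, src_mac, src_ip):
            return "forward"
        self.dropped.append((port, "IP", f"{src_mac}/{src_ip} has no binding"))
        return "drop"


def demo() -> dict:
    """Constructed DORA exchange followed by DAI and IP Source Guard checks."""
    sw = SnoopingSwitch(trusted_ports=["ge-0/0/48"])
    client = "00:11:22:33:44:55"
    discover = DhcpMsg("DISCOVER", client, vlan=10)
    dora = [
        sw.dhcp("ge-0/0/1", discover),
        sw.dhcp("ge-0/0/48", DhcpMsg("OFFER", client, "10.0.10.20", vlan=10)),
        sw.dhcp("ge-0/0/1", DhcpMsg("REQUEST", client, vlan=10)),
        sw.dhcp("ge-0/0/48", DhcpMsg("ACK", client, "10.0.10.20", vlan=10)),
    ]
    # A second device answering the client from an access port is a rogue server.
    rogue = sw.dhcp("ge-0/0/2", DhcpMsg("OFFER", client, "192.168.99.1", vlan=10))
    return {
        "dora": dora,
        "rogue_offer": rogue,
        "option82": discover.option82,
        "bindings": sw.bindings,
        # DAI: the real client passes; a host on another port claiming the gateway IP does not.
        "dai_ok": sw.arp("ge-0/0/1", 10, client, "10.0.10.20"),
        "dai_spoof": sw.arp("ge-0/0/2", 10, "00:de:ad:be:ef:00", "10.0.10.1"),
        # IP Source Guard: the bound address passes; another source IP from the same host does not.
        "ipsg_ok": sw.ip("ge-0/0/1", 10, client, "10.0.10.20"),
        "ipsg_spoof": sw.ip("ge-0/0/1", 10, client, "10.0.10.99"),
        "dropped": len(sw.dropped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the model makes visible that the slides state only briefly: the binding is keyed on the port as well as the MAC and IP, so a valid address used from a different access port is still rejected, and a trusted port is exempt from DAI and IP Source Guard entirely, which is why the set of trusted ports should be kept to the uplinks that actually lead to the DHCP server.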
