Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.

How to prevent users from changing the IP of the server connected to EX4200?

  • 1.  How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-21-2021 14:40
    I want to know how I can assign 1 IP (or multiple IPs) to a specific MAC address on my Juniper switch.

    So that if the user changes the IP from within the range, the switch would refuse it.

    Example: 1.1.1.1 is the allotted IP. Currently, if the client changes it to 1.1.1.2, it would accept and work. I do not want to allow that; any idea how to?

    I tried IP source guard, but whenever I activate that, my whole switch goes down. I do not want to create subnets; I want to give 1 IP to 1 dedicated server while using 1 single gateway.

    Any help would be appreciated, thank you.



    PS: My network (internet wire) is connected to port 47, which is within my VLAN.

    ------------------------------
    HARSH JAIN
    ------------------------------


  • 2.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-24-2021 11:51
    On the Ethernet port facing the device, you could apply this filter to the interface input.

    firewall {
        family ethernet-switching {
            filter name {
                term allow {
                    from {
                        source-mac-address {
                            88:05:00:29:3c:de/48;
                        }
                        source-address {
                            1.1.1.1/32;
                        }
                    }
                    then accept;
                }
                term block {
                    then discard;
                }
            }
        }
    }

    What I'm not sure about is whether the term will evaluate as an AND condition or as an OR condition, letting all the MAC address associations through.

    But in your case, maybe the IP address alone will accomplish what you want.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-27-2021 08:45
    Sorry, but this does not work.

    set firewall family ethernet-switching filter usa10 term allow from source-mac-address MY:MA:AC:AD:DR:ES/48
    set firewall family ethernet-switching filter usa10 term allow from source-address xxx.xxx.xxx.xxx/32
    set firewall family ethernet-switching filter usa10 term allow then accept
    set firewall family ethernet-switching filter usa10 term block then discard
     

    I ran it, but I can still set any other IP in the range and it would work.

    ------------------------------
    HARSH JAIN
    ------------------------------



  • 4.  RE: How to prevent users from changing the IP of the server connected to EX4200?

     
    Posted 07-27-2021 13:52
    Did you apply the filter (as inbound) to your interface?


  • 5.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-27-2021 14:07
    Initially I didn't, but after doing it, it would prevent other IPs from working, yes, but after 2-3 minutes it would stop the IP itself from working too.

    I finally started stripping out the code and came down to this.


    set firewall family ethernet-switching filter usa10-p16 term allow then accept
    set firewall family ethernet-switching filter usa10-p16 term allow from source-address IPADDRESS
    set interfaces ge-0/0/16 unit 0 family ethernet-switching filter input usa10-p16

    And then it finally worked.

    However, now my DHCP is not working. I thought it would be because of the filter, so I added 67 & 68 as destination-port too,
    but that didn't work either.

    Can you guide me on how to reset the DHCP server?

    ------------------------------
    HARSH JAIN
    ------------------------------



  • 6.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-27-2021 16:28
    Update: this didn't work either.

    It worked for a few minutes, then it stopped working. Quite frustrated.

    ------------------------------
    HARSH JAIN
    ------------------------------



  • 7.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-27-2021 13:52
    Have you considered using secure-access-port under the ethernet-switching-options stanza? This is for non-ELS switching. I'm not certain where that is configured for ELS switches. With secure-access-port, one can define the IP address and MAC address that belong on a specific port. It may not achieve what you want, but it may be worth a look.

    ------------------------------
    Stuart
    ------------------------------



  • 8.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-27-2021 14:07
    That's way too hectic. I tried for 5 days and ended up quitting it.

    ------------------------------
    HARSH JAIN
    ------------------------------



  • 9.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-28-2021 11:58
    I had to go down this route again. It works great, but the only issue is that it's 1 IP per MAC. You cannot add more than 1 IP per MAC, which is kinda ridiculous.
    It essentially means you cannot access a server with more than 1 IP.

    ------------------------------
    HARSH JAIN
    ------------------------------



  • 10.  RE: How to prevent users from changing the IP of the server connected to EX4200?

     
    Posted 07-28-2021 12:55
    Yes you can; you just create another term with the same MAC and the new IP. The larger picture, however, is that switch ACLs aren't the best way to enforce server-side policies: you have to account for every traffic exception to your rule, including DHCP, multicast, and, as you discovered, traffic will stop working after five minutes unless you allow ether-type arp in your filter.


  • 11.  RE: How to prevent users from changing the IP of the server connected to EX4200?

     
    Posted 07-28-2021 14:09
    Hi, can you maybe share your use case in more detail, on exactly what it is you need to achieve, and whether what you are trying to do is even scalable or feasible?


  • 12.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-28-2021 16:24
    OK, my use case is basically this.

    I have 20 servers: 10 are my own and 10 are my client's.

    On my own 10, I do not want any restrictions.

    On my client's 10, I want to lock 1 single IP to each. However, at times when they do demand more IPs, I should be able to give them to them, locking n number of IPs to their port.

    My current solution isn't the most elegant one, but it works somewhat.


    set ethernet-switching-options secure-access-port interface ge-0/0/22 static-ip IPADDRESS mac MA:CA:AD:DD:RE:SS vlan default
    set ethernet-switching-options secure-access-port interface ge-0/0/22 static-ip IPADDRESS mac MA:CA:AD:DD:RE:SS vlan default

    This is for port 22. The rest of the ports, which are my own servers', I have put in dhcp-trusted and enabled IP source guard, ARP & the snooping table. That way dhcp-trusted ports work without restriction, and only the specified IPs and MACs work on the locked one.

    BUT in this solution the problem is I can only apply 1 IP per MAC, not more than that, which is kind of a problem when the client requests more IPs.

    ------------------------------
    HARSH JAIN
    ------------------------------



  • 13.  RE: How to prevent users from changing the IP of the server connected to EX4200?

    Posted 07-28-2021 16:24
    > unless you allow ether-type arp in your filter.
    Can you explain that to me?


    set firewall family ethernet-switching filter usa10-p17 term allow then accept
    set firewall family ethernet-switching filter usa10-p17 term allow from source-address IPADDRESS
    set interfaces ge-0/0/17 unit 0 family ethernet-switching filter input usa10-p17

    I came up with this command.
    It worked for some time, like 30-45 minutes, and then went down; I am not sure why.


    ------------------------------
    HARSH JAIN
    ------------------------------
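The AND/OR question in post 2 and the "allow ether-type arp" point in post 10 (which post 13 asks about) can both be checked with a small model of how a Junos firewall filter evaluates a frame. This is an added example in Python, not code from the thread or from Juniper. The semantics it encodes are the documented Junos ones (all `from` conditions in one term are ANDed, terms are tried in order, first match wins, and an implicit discard follows the last term); the MAC, the IPs, and the frames are constructed for the demo; and the rendered `set` statements use the non-ELS EX `family ethernet-switching` syntax as I understand it (`ether-type`, `ip-protocol`, `destination-port`), so run `commit check` on a real box before relying on them.

```python
"""Model of how a Junos 'family ethernet-switching' filter evaluates frames.
Added example, not Juniper code. Assumptions (documented Junos semantics):
terms are tried in order and the first match wins; all 'from' conditions in
one term are ANDed; the filter ends with an implicit discard; 'source-address'
matches the IPv4 header, so an ARP frame can never satisfy it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed values: the MAC from post 2, the IP from post 1, one extra IP.
SERVER_MAC = "88:05:00:29:3c:de"
ALLOTTED_IP = "1.1.1.1/32"
EXTRA_IP = "1.1.1.3/32"

@dataclass
class Frame:
    src_mac: str
    ether_type: int
    src_ip: Optional[str] = None       # None for non-IP frames such as ARP
    ip_protocol: Optional[str] = None  # "tcp" / "udp"
    dst_port: Optional[int] = None

@dataclass
class Term:
    name: str
    action: str                              # "accept" or "discard"
    source_mac: Optional[str] = None
    ether_type: Optional[int] = None
    source_address: Optional[str] = None     # CIDR, e.g. "1.1.1.1/32"
    ip_protocol: Optional[str] = None
    destination_port: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        """True only if every configured 'from' condition matches (AND)."""
        if self.source_mac is not None and f.src_mac.lower() != self.source_mac.lower():
            return False
        if self.ether_type is not None and f.ether_type != self.ether_type:
            return False
        if self.source_address is not None and (
                f.src_ip is None or ip_address(f.src_ip) not in ip_network(self.source_address)):
            return False  # IP condition: a frame with no IPv4 header (ARP) never matches
        if self.ip_protocol is not None and f.ip_protocol != self.ip_protocol:
            return False
        if self.destination_port is not None and f.dst_port != self.destination_port:
            return False
        return True

def evaluate(terms: list[Term], frame: Frame) -> str:
    """First matching term wins; unmatched frames hit the implicit discard."""
    for t in terms:
        if t.matches(frame):
            return t.action
    return "discard"

# Filter from posts 5 and 13: accept the allotted IP, implicit discard for the rest.
WEAK = [Term("allow", "accept", source_address=ALLOTTED_IP)]

# Hardened: IP bound to MAC (ANDed in one term), one term per allotted IP,
# explicit exceptions for ARP and for the DHCP client (UDP to port 67).
HARDENED = [
    Term("allow-arp", "accept", source_mac=SERVER_MAC, ether_type=ETHERTYPE_ARP),
    Term("allow-dhcp", "accept", source_mac=SERVER_MAC, ip_protocol="udp", destination_port=67),
    Term("allow-ip-1", "accept", source_mac=SERVER_MAC, source_address=ALLOTTED_IP),
    Term("allow-ip-2", "accept", source_mac=SERVER_MAC, source_address=EXTRA_IP),
    Term("block", "discard"),
]

# Constructed traffic arriving on the server-facing port.
FRAMES = {
    "allotted_ip": Frame(SERVER_MAC, ETHERTYPE_IPV4, "1.1.1.1", "tcp", 443),
    "extra_ip": Frame(SERVER_MAC, ETHERTYPE_IPV4, "1.1.1.3", "tcp", 443),
    "changed_ip": Frame(SERVER_MAC, ETHERTYPE_IPV4, "1.1.1.2", "tcp", 443),
    "arp": Frame(SERVER_MAC, ETHERTYPE_ARP),
    "dhcp_discover": Frame(SERVER_MAC, ETHERTYPE_IPV4, "0.0.0.0", "udp", 67),
    "spoofed_mac": Frame("de:ad:be:ef:00:01", ETHERTYPE_IPV4, "1.1.1.1", "tcp", 443),
}

def verdicts(terms: list[Term]) -> dict[str, str]:
    return {name: evaluate(terms, f) for name, f in FRAMES.items()}

def to_set_commands(filter_name: str, terms: list[Term]) -> list[str]:
    """Render the model as Junos 'set' statements (non-ELS EX syntax as I understand it)."""
    base = f"set firewall family ethernet-switching filter {filter_name} term"
    out = []
    for t in terms:
        if t.source_mac:
            out.append(f"{base} {t.name} from source-mac-address {t.source_mac}/48")
        if t.ether_type is not None:
            out.append(f"{base} {t.name} from ether-type {'arp' if t.ether_type == ETHERTYPE_ARP else 'ipv4'}")
        if t.source_address:
            out.append(f"{base} {t.name} from source-address {t.source_address}")
        if t.ip_protocol:
            out.append(f"{base} {t.name} from ip-protocol {t.ip_protocol}")
        if t.destination_port is not None:
            out.append(f"{base} {t.name} from destination-port {t.destination_port}")
        out.append(f"{base} {t.name} then {t.action}")
    return out
```

Running `verdicts(WEAK)` shows why the filter in posts 5 and 13 behaves as described: the IPv4 frame from 1.1.1.1 is accepted and the one from 1.1.1.2 is discarded, but the ARP frame has no IPv4 header, fails the `source-address` condition, and falls to the implicit discard. Traffic keeps flowing only until the gateway's ARP cache entry for the server ages out, which accounts for the "works for a few minutes, then stops". The weak filter also accepts 1.1.1.1 from any MAC, since it never looks at the source MAC. `verdicts(HARDENED)` accepts both allotted IPs only from the server's MAC, passes ARP and the DHCP client's UDP/67 requests, and discards the changed IP and the spoofed MAC. Two caveats: the ARP exception admits every ARP frame from that MAC, including replies claiming other addresses, because this filter does not inspect the ARP payload; validating the ARP sender address is what DHCP snooping with dynamic ARP inspection and IP source guard (which the thread also discusses) is for. And the ordering matters: the ARP and DHCP terms must sit before the final discard term, which is what `to_set_commands("usa10-p17", HARDENED)` emits.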