
  • 1.  IP source guard static MAC-IP binding

    Posted 06-11-2013 07:16

    Hello,

    I'm trying to find a way to set up a basic port-security feature, one that is available on
    switches from most vendors.

    I need to restrict a server connected to an EX3200 switch port to use only a certain IP address
    range. I assume it would be reasonable to create a static binding and apply it to the
    interface like below:

    [edit ethernet-switching-options secure-access-port]
    interface ge-0/0/0.0 {
        static-ip 10.10.10.11 vlan 10 mac 00:25:90:77:00:4a;
        static-ip 10.10.10.12 vlan 10 mac 00:25:90:77:00:4a;
        static-ip 10.10.10.13 vlan 10 mac 00:25:90:77:00:4a;
    }

    The configuration above is incorrect: an error appears once 'commit check' is executed:

        Duplicate VLAN/MAC address : dedicated/00:25:90:77:00:4a
    error: configuration check-out failed

    I have no DHCP server in this network and would prefer to maintain the dhcp-snooping database
    required for the IP source guard feature to work, which should contain static MAC-IP address
    bindings only.

    However, it looks like it is impossible to bind more than one IP address to the same
    MAC address with Junos for EX.

    Please suggest how this configuration could be implemented. How could I use IP source
    guard (if this is possible at all) for more than one IP bound to the same MAC address?

    Regards,

    Dima



  • 2.  RE: IP source guard static MAC-IP binding

    Posted 06-19-2013 23:04

    Hi simochkin. I think this behaviour is logical. I can only think of these to try:

    - A firewall filter on the port? http://www.juniper.net/techpubs/en_US/junos10.0/topics/reference/requirements/firewall-filter-ex-series-match-conditions.html
    - Create three static ARP entries on the EX (on some switches you can configure this):
      -> 10.10.10.11 mac 00:25:90:77:00:4a;
      -> 10.10.10.12 mac 00:25:90:77:00:4a;
      -> 10.10.10.13 mac 00:25:90:77:00:4a;

    Bye, thanks


  • 3.  RE: IP source guard static MAC-IP binding

    Posted 06-29-2013 02:41

    Try this.

    [edit ethernet-switching-options secure-access-port]
    interface ge-0/0/0.0 {
        allowed-mac 00:25:90:77:00:4a;
    }

    Then allow the server to communicate with whichever IP address it is using.



  • 4.  RE: IP source guard static MAC-IP binding

    Posted 06-29-2013 04:14

    Thanks.

    >> Then allow the server to communicate with whichever IP address it is using.

    You mean a firewall input filter applied to the port which permits a number of source-address IPs?

    Regards,

    Dima



  • 5.  RE: IP source guard static MAC-IP binding

    Posted 06-29-2013 12:43

    No, I was not thinking of adding a firewall filter. Why would you need a firewall filter? You can also limit the number of MAC addresses on that interface to 1. That should do it. If you want to use a firewall filter instead, one that would only accept traffic sourced from those IP addresses, then you can use that. You have the flexibility.

    If you were able to bind multiple IP addresses to a single MAC address in the database, that would kind of defeat the purpose. But I can understand the need. Maybe there is another way, or you could put in a feature request to Juniper. By the way, how would the server get IP addresses other than the ones you have assigned if there are no DHCP servers in that network environment?
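    The two suggestions in this post written out together, as an added example and not configuration from anyone in the thread, in the legacy (non-ELS) CLI the EX3200 in the question runs: the secure-access-port stanza pins the port to the server's single MAC, and an optional family ethernet-switching input filter accepts only the three source IPs from the question. The filter and term names are assumptions; the filter passes ARP explicitly because the final discard would otherwise drop it, and note that a filter checks the source IP only, so the allowed-mac line is what ties the port to the MAC.

```junos
ethernet-switching-options {
    secure-access-port {
        interface ge-0/0/0.0 {
            /* at most one learned MAC on the port, and only this one */
            mac-limit 1 action drop;
            allowed-mac 00:25:90:77:00:4a;
        }
    }
}
firewall {
    family ethernet-switching {
        /* filter name is an assumption for this example */
        filter server-src-only {
            term allow-arp {
                /* ARP is not IP; without this term the final discard would drop it */
                from {
                    ether-type arp;
                }
                then accept;
            }
            term allow-server-ips {
                /* only the three addresses from the question may be sourced on this port */
                from {
                    source-address {
                        10.10.10.11/32;
                        10.10.10.12/32;
                        10.10.10.13/32;
                    }
                }
                then accept;
            }
            term deny-rest {
                then discard;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input server-src-only;
                }
            }
        }
    }
}
```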



  • 6.  RE: IP source guard static MAC-IP binding

    Posted 09-16-2013 12:03

    I was doing some research and remembered this specific question. I believe this is what you were asking for. I have not tested this feature yet, but here it is. I am also changing the subject so the topic can be searched easily the next time someone has this question/requirement.

    http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/release-notes/13.2/junos-release-notes-13.2x50.pdf

    Static IP—You can add static (fixed) IP addresses and bind them to fixed MAC
    addresses in the DHCP snooping database. To configure a static IP/MAC binding in
    the DHCP snooping database, you must first create a group of access interfaces at the
    [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level. To configure a
    specific interface within the group to have a static IP address that is bound to a fixed
    MAC address, issue the group group-name interface interface-name static-ip ip-address
    mac-address statement at the [edit vlans vlan-name forwarding-options dhcp-security]
    hierarchy level.

    Later, if I get some time, I will test it and add an update with the exact configuration and the test results. If you complete it before I do, then you can add a post if you feel like it. Please mark as accepted if this is what you were looking for and it worked. 🙂
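    The release-note statement quoted above written out for the three addresses from the question, as an added example rather than anyone's tested configuration. It assumes the ELS CLI the 13.2X50 notes describe (the EX3200 in the question runs the older CLI), the vlan name and group name are invented, and whether three static-ip entries sharing one MAC pass 'commit check' is exactly what this thread is trying to establish.

```junos
vlans {
    /* vlan name "vlan10" is an assumption; the question only gives vlan-id 10 */
    vlan10 {
        vlan-id 10;
        forwarding-options {
            dhcp-security {
                /* group of access interfaces; the group name is an assumption */
                group servers {
                    interface ge-0/0/0.0 {
                        /* static entries in the DHCP snooping database, all for one MAC */
                        static-ip 10.10.10.11 {
                            mac 00:25:90:77:00:4a;
                        }
                        static-ip 10.10.10.12 {
                            mac 00:25:90:77:00:4a;
                        }
                        static-ip 10.10.10.13 {
                            mac 00:25:90:77:00:4a;
                        }
                    }
                }
                /* drop IP traffic whose source MAC/IP pair is not in the snooping database */
                ip-source-guard;
            }
        }
    }
}
```

    If the commit succeeds, 'show dhcp-security binding' on the ELS CLI should list the three static entries for the interface.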



  • 7.  RE: IP source guard static MAC-IP binding

    Posted 09-16-2013 12:03

    Check the new post I just made. Let me know if it works. I have had the time to test it.