JuniperARP防护

1、精品感谢下载载Juniper 设备的 ARP 防护有个 DAI ( Dynamic ARP Inspection-动态ARP检测）协议，此协议的运行需要借用DHCP snooping的数据库，且只检测untrust接口的ARP包。在juniper交换机中,默认情况下access是untrust端口，trunk是trust端口。所以DAI协议默认只能检测 access端口,对trunk端口不起作用。DAI是运行在VLAN上的协议，在物理端口上，可以进行MAC学习限制（maclimit ）。此外，在三层端口模式下，可以进行ARP 绑定(例：set interfaces ge-0/0/0 unit

2、0 familyinet address 1.1.1.1/32 arp 1.1.1.3 mac 00:00:00:00:00:00），此绑定针对的是对端通信 IP的MAC。下面详细介绍下 mac limit 、DHCP snooping 及DAI的应用。1.mac limit限制端口学到的MAC地址，并且根据学到的数目对端口进行log， drop，shutdown 等动作。Ifn-l5?c*rttiemsT -switch! n-op Uns ?tcure-iccess-porz 勺*#-0/0/0 *-Allod Rftc addr-tiSi on thlj|+ epply-groupsGr

3、-oups tronto'inhErit contiguration data+ pply-group?-Except Da n't inhErit confi gurationdata fromthesegrci upsdhep芝rustedHeke thisHnterfa-cetrustedforDrtCPfcoE-TrustsdHaVe this1 nterfacetrustedfarFCdEmac-llmlT：NumbEr ortatJdrESESal lowetfonttilsintertacE|亠 _亠一一 订百cDa fl T fflike Ttil B- Inr

4、erf ac E misied for OhCP Dq-n -cThis liiTerfi亡e Trijsied fgr fCqeptr?lETenf< mag Itirninig on rhU STATIC IPs conf匚mflgixe acceiS porr security for thts vlanJllhI perE<4 53(># set ethernet-switchlng-options secure-accer-s-prt interface xe-O/D/Q all awd-mac POS5e cmi pletP 口 ns:.严.<valuE&g

5、t;Al lowed HAC 且ddre-s5 on this interf acE 緩宀尤讦阴MACJffl址-叩阴a ser of values在代齢条“许的佔怛址次空格闊开erriernei-swlichl nq-oprions ecure-acces-s-pori Inrerfice Ke-O/D/D mac-liinlT =qyriaml 匚应 no-dhep-TruTfid-nQ-fc ptrslnenT-Uiirn + ngA vlan *Ti45tEr:0ed1itfliaTEr :0 edtxP0&? e <Dfflp)ei1ons：Juni per_£

6、;w4 550i* seiNMiDt广of 旳门 ACT Ion to TJkjcTlon<Ti4er = CedHJirn 1 perEXi 550# setPos5ibl e cmplatl 口ns:dr-QpD"Dpthe p且匚feeterd1 ag itlegI-口 a mEfsaqEneneTaVen口 actionshMdawnSlrutdawn the Interface.mm百TfiP :0 Ed1T垃 rtd* M 吃 20"”乐on This Imvirf(2 站了0 If轲 exceededelhernet-swith1 ng-opt ions

7、 ?ecure-access-port interface xe-O/O/Q r«ac-1m1t 2 且匚ti on ?例:edit ethernet-switching-op tionsJuni per_EX4550# showsecure-access-port interface ge-0/0/1.0 allowed-mac 00:00:00:00:00:01 00:00:00:00:00:02 ;interface ge-0/0/2.0 mac-limit 1 action log;interface ge-0/0/3.0 mac-limit 2 action drop;in

8、terface ge-0/0/4.0 mac-limit 3 action shutdown;2. DHC P snoo pingDHCP会接受任何设备的请求，回应请求，可能会造成DoS攻击，通过DHCP snooping可以进行防护：建立DHCP SNOOPING DATABAS ，用来检查DHCP数据。任何在untrust配置下的端口会进行数据库检查。默认情况下，access是untrust端口，trunk是trust端口。sno oping 过程:交换机收到DHCP请求后，检查数据，升级数据库在转发给serverserver回复包给交换机交换机同样检查数据，升级数据库，在转发给PCuni

9、pej e completions: + alldwed-mae I- ipply-groups + ipplv-qr Dup s-e xcepr I dh匚p-trustedEX455卽 set et hernet-switching-options 2eUMe-dUtEE?-port irithface xe-O/O/OAllowed MAC addresi anGroups fron which to 1 Dofl'T Inherit, confiqur HakeInrerFaCg trS-I-ar ion uitedint&rf ace conffigurafion d

10、ata data front These groups Fpr DHCP IMaike th卞s Inierface trusted for FtoENumber of dynamic hac addresses allowed on this Inr , 二J. Do not log olat + on 呼 allowed hA£ on this, in t erf aI no-dhcp-Tru£Ted " Don't make thia Interface Trusted for PhCP | nfl-ftoe-tru EteriDon't m

11、ake t hi ? interface truTted tor FCoEpersistent-learnlng Enable persistem HX： learnlng on rhis InTerfacE> stiTic-1pstatic ip address configurationA vlanconf-tgure access port security for this VLMma£Te曹：0edlTuni pr_EX4 5 50* set et her net -switch! ng-opti ans ?ecyre-actes?- Possible complet

12、ions J+ ipply-groupscroups frm which to Inherit conrfiurrlon data+ apply-group5-except Don't inhernt corrTigurafi n datafromthese groups> irp-TnspecilonEnable Dynamic AkPInspectlon onthisvlAn> dh匚p-pptignS/匚onfigurg PH匚P option 62 pn Th勺5VLflN,H ex聶 1ne；dhcp"EnableDritP snooping pn-th

13、Ps'讥2|>1 _ '|J- iTidC-lIrniT no-allowed-mac-loqerficeceport vlan all rJ- exanune-fipip-so ur ce-guard> mac-movt-lim1r no-arp-inspeCtTOn no-eaminedhcp no-勺 p-sflurce-g ua广 dmaster：。edit IEnable Enable Number Dlabl Disabl DQfl' t'irtooping or source guard MM tflo/jementB Dynarm c

14、 ARP in e DHCP snooping 目piiHle IP sourcethis VLAMon this VLAMs allQiwed on This v3n spCtipn on thi? VLAN on This MANguard on rhli vlmj例:edit ethernet-switching-op tionsJuni per_EX4550# showsecure-access-portinterface ge-0/0/1.0 dhc p-trusted;interface ge-0/0/2.0 no-dhc p-trusted;vlan 100 examine-dh

15、c p;查看:Junip er_EX4550> show dhc p sno oping bindingJunip er_EX4550> clear dhc p sno oping binding3. DAI与DHCP snooping合用，通过借用DHCP snooping 的数据库，进行ARP欺骗防护，任何ARP 包经过交换机转发时都要检查源 MAC地址，对应数据库决定是否合法。DAI只能对VLAN进行配置，不能对接口配置DAI只检查untrust 接口的 ARP包uni per_EX4 5 5 set ether net-switchi ng-opt i ons sec ur

16、e-atceS-port v an all ? PoTsi bl e canpl eti ons :+ pply-groupsGroups from which to inher it configapply-qroups-exueiJt Don't inherit 匚onfiguratioddata fr> dhcptTot> exami ne-dhcp> exami ne-fi p1p-5ource-auardA mac-move-1Tmitno-arp-lnspectionno-£xain1 ne-dhc prio-1 p-sour ce-ouar d

17、 fiTidSta广：Q * eiliT urat ion cUtQ thewg 胪qupsConfi gure DHCP opfi onEnable dhcp snooping tEnable fip snooping on this vlan Enable IP sourte guard on this vlanMum be r l：:”二 二：:“.：一 ” 一dsable Dynamlc arp Inspection or this vlan Disable DHCP snooping an This vlam Don't enable IP source guard on This vlan'32 on tKTF'VLAN >n this VLAN” d on this vlanof MAC movents allowed on this vlan例:edit ethernet-switching-op tionsJuni per