Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


DHCP snooping database is shared with IP source guard and dynamic ARP inspection






Understanding DHCP Snooping (ELS)Link
DHCP SnoopingLink
Understanding IP Source Guard for Port Security on Switches

protection against IP spoofing ( forging/stealing)

Link

Understanding and Using Dynamic ARP Inspection (DAI)Link


DHCP Snooping databaseagainst rogue dhcp server
default: 

all access port untrusted  

all Trunk port trusted

not in the DBtraffic is blocked
Host with static IP@+ add static Mac and IP@ under the dhcp-security group command


config dhcp snooping ( per vlan )

set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted

set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0

overridesLink


dhcp relay / add option-82circuit-id=interface(default), remote-id=Host Mac@(default) , vendor-id=juniper(default), pool , other options

option-82 circuit-id prefix host-name

>> circuit-id = "EX1:ge-0/0/x"



by default lost after reboot


set system process dhcp-snooping-file snoop-dhcp.log

clear dhcp-security binding

clear dhcp-security binding ip-address 172.20.1.10

show commands
show DHCP snooping datbaseshow dhcp-security binding


Dynamic ARP Inspection: anti ARP spoofing attacks

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing



Enhanced Layer 2 Software (ELS) configuration style: Link
DAI enable per VLAN
enable DAI on a VLAN  ( in ELSset vlans <vlan-name> forwarding-options dhcp-security arp-inspection



For platforms without ELS:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/secure-access-port-port-security.html

enable DAI on a VLAN  ( in non-ELS )

 for EX Series switches that do not support
the Enhanced Layer 2 Software (ELS)

set ethernet-switching-options secure-access-port vlan <vlan-name> arp-inspection

or

set ethernet-switching-options secure-access-port vlan all arp-inspection

secure-access-port

set ethernet-switching-options secure-access-port interface ge-0/0/0.0 dhcp-trusted
set ethernet-switching-options secure-access-port interface ge-0/0/0.0 vlan vlan10 arp-inspection
set ethernet-switching-options secure-access-port interface ge-0/0/0.0 vlan vlan10 examine-dhcp




Host use Static IP address

set in the VLAN "overrides trusted"

set vlans <vlan-name> forwarding-options dhcp-security group <group-1> overrides trusted

Trunk port

ARP packets bypass DAI on trusted interfaces. Trunk ports are trusted by default.

Link

...