
DHCP snooping database is shared with IP source guard and dynamic ARP inspection






Understanding DHCP Snooping (ELS): Link
DHCP Snooping: Link
Understanding IP Source Guard for Port Security on Switches: Link
  protection against IP spoofing (forging/stealing a neighbour's address)
Understanding and Using Dynamic ARP Inspection (DAI): Link


DHCP Snooping database: protection against rogue DHCP servers (server replies are only accepted on trusted ports)
defaults:
  all access ports: untrusted
  all trunk ports: trusted

show the DHCP snooping database: show dhcp-security binding

Dynamic ARP Inspection: protection against ARP spoofing attacks

DAI inspects ARP packets on the LAN and uses the IP/MAC bindings in the switch's DHCP snooping database to validate them; ARP packets that do not match a binding are dropped.

non-ELS (secure-access-port) style:
set ethernet-switching-options secure-access-port interface <interface-name> dhcp-trusted
set ethernet-switching-options secure-access-port vlan vlan10 arp-inspection
set ethernet-switching-options secure-access-port interface

Enhanced Layer 2 Software (ELS) configuration style: Link
DAI is enabled per VLAN; enable DAI on a VLAN (in ELS): set vlans <vlan-name> forwarding-options dhcp-security arp-inspection

ARP packets whose IP/MAC pair is not in the DB are blocked.
Host with a static IP address: add a static MAC and IP binding under the dhcp-security group command, otherwise its traffic is blocked.


configure DHCP snooping (per VLAN): ELS uses forwarding-options dhcp-security under the VLAN; non-ELS uses ethernet-switching-options secure-access-port

set vlans Finance forwarding-options dhcp-security arp-inspection

For platforms without ELS:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/secure-access-port-port-security.html

enable DAI on a VLAN (in non-ELS), for EX Series switches that do not support the Enhanced Layer 2 Software (ELS):

set ethernet-switching-options secure-access-port vlan <vlan-name> arp-inspection

or

set ethernet-switching-options secure-access-port vlan all arp-inspection

trusted DHCP server port: put the interface in a dhcp-security group and set "overrides trusted" on the group

set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted
set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0

overrides: Link


DHCP relay / add option 82: circuit-id = interface name (default), remote-id = host MAC address (default), vendor-id = juniper (default), pool, other options

option-82 circuit-id prefix host-name
  >> circuit-id = "EX1:ge-0/0/0.0"

(non-ELS: enable DHCP snooping per VLAN with set ethernet-switching-options secure-access-port vlan vlan10 examine-dhcp)

Host uses a static IP address (never appears in the snooping DB)

alternative to a static binding: put its port in a group with "overrides trusted" in the VLAN (the port is then exempt from DAI/IP source guard checks, so prefer a static binding where possible)

set vlans <vlan-name> forwarding-options dhcp-security group <group-1> overrides trusted

Trunk port

ARP packets bypass DAI on trusted interfaces. Trunk ports are trusted by default.

Link

by default the DHCP snooping DB is lost after a reboot (hosts with valid leases are then blocked by DAI/IP source guard until they renew)

store it in a file:

set system processes dhcp-service dhcp-snooping-file location snoop-dhcp.log
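The ELS statements above, put together as one complete per-VLAN configuration. This is an added example, not taken from these notes or from Juniper documentation; the VLAN name vlan10, the uplink ge-0/0/47.0 towards the DHCP server, the static-IP printer on ge-0/0/10.0 with address 10.1.10.50 / MAC 00:11:22:33:44:55, the host-name EX1 and the file path are all assumed, and the exact dhcp-security statement syntax should be checked against the Junos release in use. Lines beginning with # are annotations, not CLI input.

```junos
# Added example (not from the original notes). Assumed names: vlan10, ge-0/0/47.0 (DHCP server
# uplink), ge-0/0/10.0 (static-IP host 10.1.10.50 / 00:11:22:33:44:55), host-name EX1.

# Enabling any dhcp-security feature on the VLAN turns on DHCP snooping for it.
# DAI validates ARP against the snooping DB; IP source guard validates IP source addresses.
set vlans vlan10 vlan-id 10
set vlans vlan10 forwarding-options dhcp-security arp-inspection
set vlans vlan10 forwarding-options dhcp-security ip-source-guard

# Access ports are untrusted by default. Only the port towards the real DHCP server
# gets "overrides trusted"; a rogue server on any other access port is ignored.
set vlans vlan10 forwarding-options dhcp-security group dhcp-server overrides trusted
set vlans vlan10 forwarding-options dhcp-security group dhcp-server interface ge-0/0/47.0

# A host with a static IP never appears in the snooping DB, so DAI / IP source guard
# would drop its traffic. A static binding keeps the checks on instead of trusting the port.
set vlans vlan10 forwarding-options dhcp-security group static-hosts interface ge-0/0/10.0 static-ip 10.1.10.50 mac 00:11:22:33:44:55

# Option 82: prefix the circuit-id with the switch host-name, e.g. "EX1:ge-0/0/0.0".
set vlans vlan10 forwarding-options dhcp-security option-82 circuit-id prefix host-name

# Persist the snooping DB across reboots (default: lost on reboot, clients blocked until renewal).
set system processes dhcp-service dhcp-snooping-file location /var/tmp/dhcp-snooping.db

# Verification (operational mode):
#   show dhcp-security binding
#   show dhcp-security arp inspection statistics
#   show dhcp-security ip-source-guard
```

Keep the trusted group as small as possible: every interface under a group with "overrides trusted" bypasses DAI and IP source guard entirely, so trunk ports (trusted by default) and the DHCP server uplink should be the only members.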


clear the DHCP snooping database:

clear dhcp-security binding

clear dhcp-security binding ip-address 172.20.1.10



show commands
show the DHCP snooping database: show dhcp-security binding