Versions Compared

Old Version 14

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version Current

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


DHCP snooping database is shared with IP source guard and dynamic ARP inspection






Understanding DHCP Snooping (ELS)Link
DHCP SnoopingLink
Understanding IP Source Guard for Port Security on Switches

protection against IP spoofing ( forging/stealing)

Link

Understanding and Using Dynamic ARP Inspection (DAI)Link


DHCP Snooping databaseagainst rogue dhcp server
default: 

all access port untrusted  

all Trunk port trusted

not in the DBtraffic is blocked
Host with static IP@+ add static Mac and IP@ under the dhcp-security group command


config dhcp snooping ( per vlan )

set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted

set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0

overridesLink


dhcp relay / add option-82circuit-id=interface(default), remote-id=Host Mac@(default) , vendor-id=juniper(default), pool , other options

option-82 circuit-id prefix host-name

>> circuit-id = "EX1:ge-0/0/x"

by default dhcp snooping db lost after reboot

store into a file

set system
process
processes dhcp-service dhcp-snooping-file snoop-dhcp.log


clear dhcp snooping database

clear dhcp-security binding

clear dhcp-security binding ip-address 172.20.1.10



show commands
show DHCP snooping datbaseshow dhcp-security binding

Dynamic ARP Inspection: anti ARP spoofing attacks

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing

set ethernet-switching-options secure-access-port interface ge-0/0/0.0 dhcp-trusted
set ethernet-switching-options secure-access-port interface ge-0/0/0.0 vlan vlan10 arp-inspection
set ethernet-switching-options secure-access-port interface ge-0/0/0.0 vlan vlan10 examine-dhcp

ARP packets bypass DAI on trusted interfaces. Trunk ports are trusted by default.

Link
Enhanced Layer 2 Software (ELS) configuration style: LinkDAI enable per VLAN
enable DAI on a VLAN  ( in ELSset vlans <vlan-name> forwarding-options dhcp-security arp-inspection

For platforms without ELS:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/secure-access-port-port-security.html

enable DAI on a VLAN  ( in non-ELS )

 for EX Series switches that do not support
the Enhanced Layer 2 Software (ELS)

set ethernet-switching-options secure-access-port vlan <vlan-name> arp-inspection

or

set ethernet-switching-options secure-access-port vlan all arp-inspection

secure-access-port
Host use Static IP address

set in the VLAN "overrides trusted"

set vlans <vlan-name> forwarding-options dhcp-security group <group-1> overrides trusted

Trunk port