Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


DHCP snooping database is shared with IP source guard and dynamic ARP inspection






Understanding DHCP Snooping (ELS)Link
DHCP SnoopingLink
Understanding IP Source Guard for Port Security on Switches

protection against IP spoofing ( forging/stealing)

Link

Understanding and Using Dynamic ARP Inspection (DAI)Link


DHCP Snooping databaseagainst rogue dhcp server
default: 

all access port untrusted  

all Trunk port trusted

not in the DBtraffic is blocked
Host with static IP@+ add static Mac and IP@ under the dhcp-security group command


config dhcp snooping ( per vlan )

set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted

set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0

overridesLink


dhcp relay / add option-82circuit-id=interface(default), remote-id=Host Mac@(default) , vendor-id=juniper(default), pool , other options

option-82 circuit-id prefix host-name

>> circuit-id = "EX1:ge-0/0/x"

by default dhcp snooping db lost after reboot

store into a file

set system processes dhcp-service dhcp-snooping-file snoop-dhcp.log


clear dhcp snooping database

clear dhcp-security binding

clear dhcp-security binding ip-address 172.20.1.10



show commands
show DHCP snooping datbaseshow dhcp-security binding