DHCP snooping database is shared with IP source guard and dynamic ARP inspection
Understanding DHCP Snooping (ELS) | Link |
DHCP Snooping | Link |
Understanding IP Source Guard for Port Security on Switches | protection against IP spoofing (forging/stealing) |
Understanding and Using Dynamic ARP Inspection (DAI) | Link |
DHCP snooping database | protects against rogue DHCP servers |
---|---|
default: | all access ports untrusted; all trunk ports trusted |
not in the DB | traffic is blocked |
Host with static IP@ | add a static MAC and IP@ entry under the dhcp-security group command |
config DHCP snooping (per VLAN) | set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted |
 | set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0 |
overrides | Link |
DHCP relay / add option-82 | circuit-id=interface (default), remote-id=host MAC@ (default), vendor-id=juniper (default), pool, other options |
option-82 circuit-id prefix host-name >> circuit-id = "EX1:ge-0/0/x" | |
by default the DHCP snooping database is lost after reboot | |
store into a file | set system processes dhcp-service dhcp-snooping-file snoop-dhcp.log |
clear dhcp snooping database | |
 | clear dhcp-security binding |
 | clear dhcp-security binding ip-address 172.20.1.10 |
show commands | |
show DHCP snooping database | show dhcp-security binding |
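
The behaviour summarised in the table (untrusted access ports, one binding table consulted by both IP source guard and DAI, bindings lost on reboot) can be traced with a small model. This is an added example and a simplified simulation, not Junos code; the class, method names, the `ae0` trunk port and the MAC address are constructed for illustration.

```python
# Simplified model of the behaviour in the table above; not Junos code.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

@dataclass
class Switch:
    trusted: set = field(default_factory=set)     # e.g. trunk ports
    bindings: dict = field(default_factory=dict)  # (vlan, port, mac) -> ip, learned
    static: dict = field(default_factory=dict)    # same key, configured by hand
    pending: dict = field(default_factory=dict)   # mac -> (vlan, port) awaiting ACK

    def dhcp(self, port, vlan, msg, mac, ip=None):
        """Snoop one DHCP message and return 'forward' or 'drop'."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"                     # server reply from an untrusted port
            if msg == "ACK" and mac in self.pending:
                v, p = self.pending.pop(mac)
                self.bindings[(v, p, mac)] = ip   # lease confirmed: learn the binding
        elif msg == "REQUEST":
            self.pending[mac] = (vlan, port)      # remember where the client sits
        return "forward"

    def check(self, port, vlan, mac, ip):
        """Validate a source (or ARP sender) MAC/IP pair against the table."""
        if port in self.trusted:
            return "forward"
        key = (vlan, port, mac)
        known = self.static.get(key) or self.bindings.get(key)
        return "forward" if known == ip else "drop"
    source_guard = arp_inspect = check            # both features use the same table

    def reboot(self, persisted=False):
        """Learned bindings vanish unless they were stored to a file."""
        if not persisted:
            self.bindings.clear()

def demo():
    sw = Switch(trusted={"ae0"})                  # constructed ports and addresses
    mac, ip = "00:00:5e:00:53:01", "172.20.1.10"
    out = [sw.dhcp("ge-0/0/5", "Finance", "OFFER", mac, ip)]     # rogue server
    sw.dhcp("ge-0/0/1", "Finance", "REQUEST", mac)
    sw.dhcp("ae0", "Finance", "ACK", mac, ip)
    out.append(sw.source_guard("ge-0/0/1", "Finance", mac, ip))  # bound host
    out.append(sw.arp_inspect("ge-0/0/2", "Finance", mac, ip))   # wrong port
    sw.reboot()
    out.append(sw.source_guard("ge-0/0/1", "Finance", mac, ip))  # binding lost
    return out
```

The last result shows why persisting the database matters: after a reboot without a stored file, a legitimate host is blocked until it renews its lease, while a static entry keeps working.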