The DHCP snooping database is shared with IP source guard and dynamic ARP inspection (DAI).

| Reference | Note |
|---|---|
| Understanding DHCP Snooping (ELS) | Link |
| DHCP Snooping | Link |
| Understanding IP Source Guard for Port Security on Switches | protection against IP spoofing (forging/stealing another host's IP address) |
| Understanding and Using Dynamic ARP Inspection (DAI) | Link |

DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate them and protect against ARP spoofing.
DHCP snooping (Enhanced Layer 2 Software, ELS, configuration style: Link)

| Topic | Detail |
|---|---|
| Purpose of the DHCP snooping database | protection against rogue DHCP servers |
| Default port trust | all access ports untrusted, all trunk ports trusted |
| Host not in the DB | its traffic is blocked |
| Host with a static IP address | add a static MAC/IP binding under the dhcp-security group command |
| Configure DHCP snooping (per VLAN), DHCP server on ge-0/0/0.0 | set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0 |
| Mark the DHCP server port as trusted | set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted |
| Enable DAI on the same VLAN | set vlans Finance forwarding-options dhcp-security arp-inspection |
| overrides | Link |
| DHCP relay / add option 82 | circuit-id = interface (default), remote-id = host MAC address (default), vendor-id = juniper (default), pool, other options |
| option-82 circuit-id prefix host-name | circuit-id becomes "EX1:ge-0/0/x" |
| Persistence | by default the DHCP snooping DB is lost after a reboot |
| Store the DB in a file | set system processes dhcp-service dhcp-snooping-file snoop-dhcp.log |
| Clear the whole DHCP snooping database | clear dhcp-security binding |
| Clear a single binding | clear dhcp-security binding ip-address 172.20.1.10 |
| Show the DHCP snooping database | show dhcp-security binding |

Dynamic ARP inspection (DAI)

| Topic | Command |
|---|---|
| Enable DAI on a VLAN (ELS) | set vlans vlan-name forwarding-options dhcp-security arp-inspection |
| Enable DAI on a VLAN (non-ELS, for EX Series switches that do not support ELS) | set ethernet-switching-options secure-access-port vlan vlan-name arp-inspection, or set ethernet-switching-options secure-access-port vlan all arp-inspection |
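The notes above list the commands one at a time. The following block puts them together into one ELS-style configuration for a single VLAN, so that the snooping database, DAI and IP source guard all work off the same bindings. This is an added example, not configuration taken from the page or from Juniper documentation: the VLAN name Finance, the server uplink ge-0/0/0.0 and the access port ge-0/0/5.0 are assumptions, and the static host's IP address and MAC address are constructed values.

```junos
# Added example with constructed values; VLAN, interface names, IP and MAC are assumptions.

# DHCP snooping on VLAN Finance. The port facing the DHCP server is the only
# trusted port; access ports stay untrusted (the default), so a rogue DHCP
# server on an access port is dropped.
set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0
set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted

# DAI validates ARP packets against the snooping database (ARP spoofing),
# IP source guard validates the IP/MAC source of data traffic (IP spoofing).
set vlans Finance forwarding-options dhcp-security arp-inspection
set vlans Finance forwarding-options dhcp-security ip-source-guard

# A host with a static address never appears in the database through DHCP,
# so it needs a static binding or DAI/IPSG will block it. Values constructed.
set vlans Finance forwarding-options dhcp-security group static-hosts interface ge-0/0/5.0 static-ip 172.20.1.50 mac 00:10:94:00:00:01

# Option 82 circuit-id prefixed with the switch host name, e.g. "EX1:ge-0/0/5.0",
# so the relay/server can tell which switch port a request arrived on.
set vlans Finance forwarding-options dhcp-security option-82 circuit-id prefix host-name

# Persist the snooping database across reboots (it is lost by default).
set system processes dhcp-service dhcp-snooping-file snoop-dhcp.log

# Verification (operational mode):
#   show dhcp-security binding
#   show dhcp-security arp inspection statistics
```

The check to run after committing is `show dhcp-security binding`: every host you expect to reach the network must have a row there, either learned from DHCP or from the static entry, because any host absent from the table has its ARP and IP traffic dropped once arp-inspection and ip-source-guard are enabled.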