Versions Compared

Old Version 9

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version Current

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


DHCP snooping database is shared with IP source guard and dynamic ARP inspection






Understanding DHCP Snooping (ELS)Link
DHCP SnoopingLink
Understanding IP Source Guard for Port Security on Switches

protection against IP spoofing ( forging/stealing)

Link

Understanding and Using Dynamic ARP Inspection (DAI)Link

...

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing


set ethernet-switching-options secure-access-port dhcp-trusted
set ethernet-switching-options secure-access-port interface ge-0/0/0.0 vlan vlan10 arp-inspection
set ethernet-switching-options secure-access-port interface
Enhanced Layer 2 Software (ELS) configuration style: LinkDAI enable per VLAN
enable DAI on a VLAN  ( in ELSset vlans <vlan-name> forwarding-options dhcp-security arp-inspection

enable DAI on a VLAN  ( in non-ELS )

 for EX Series switches that do not support
the Enhanced Layer 2 Software (ELS)

set ethernet-switching-options secure-access-port vlan vlan-name arp-inspection

or

set ethernet-switching-options secure-access-port vlan all arp-inspection

secure-access-porthttps://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/secure-access-port-port-security.html
secure-access-portDHCP Snooping databaseagainst rogue dhcp server
default: 

all access port untrusted  

all Trunk port trusted

not in the DBtraffic is blocked
Host with static IP@+ add static Mac and IP@ under the dhcp-security group command


config dhcp snooping ( per vlan )

set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted

set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.

0

overridesLink


dhcp relay / add option-82circuit-id=interface(default), remote-id=Host Mac@(default) , vendor-id=juniper(default), pool , other options

option-82 circuit-id prefix host-name

>> circuit-id = "EX1:ge-0/0/0.0 vlan vlan10 examine-dhcp

Host use Static IP address

set in the VLAN "overrides trusted"

set vlans <vlan-name> forwarding-options dhcp-security group <group-1> overrides trusted

Trunk port

ARP packets bypass DAI on trusted interfaces. Trunk ports are trusted by default.

Linkx"

by default dhcp snooping db lost after reboot

store into a file

set system processes dhcp-service dhcp-snooping-file snoop-dhcp.log


clear dhcp snooping database

clear dhcp-security binding

clear dhcp-security binding ip-address 172.20.1.10



show commands
show DHCP snooping datbaseshow dhcp-security binding