The DHCP snooping database is shared with IP source guard and dynamic ARP inspection.

Juniper documentation referenced:
- Understanding DHCP Snooping (ELS)
- DHCP Snooping
- Understanding IP Source Guard for Port Security on Switches: protection against IP spoofing (forging/stealing)
- Understanding and Using Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection: anti ARP spoofing attacks
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate them, protecting against ARP spoofing.
Enhanced Layer 2 Software (ELS) configuration style:

| Task | Configuration / notes |
|---|---|
| DAI is enabled per VLAN | |
| Enable DAI on a VLAN (ELS) | `set vlans <vlan-name> forwarding-options dhcp-security arp-inspection` |
| For platforms without ELS | https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/secure-access-port-port-security.html |
| Enable DAI on a VLAN (non-ELS, EX Series switches without ELS) | `set ethernet-switching-options secure-access-port vlan <vlan-name> arp-inspection` or `set ethernet-switching-options secure-access-port vlan all arp-inspection` |
| Trust the DHCP server-facing interface (non-ELS `secure-access-port`) | `set ethernet-switching-options secure-access-port interface ge-0/0/0.0 dhcp-trusted` |
| Host uses a static IP address | Mark its interface group as trusted in the VLAN ("overrides trusted"): `set vlans <vlan-name> forwarding-options dhcp-security group <group-1> overrides trusted` |
| Trunk port | ARP packets bypass DAI on trusted interfaces. Trunk ports are trusted by default. |
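As an added example (not part of the original notes), here is an ELS configuration that ties the table together: DAI and IP source guard on one VLAN, an explicitly trusted uplink, and a static binding for a host with a fixed address so that host is still inspected rather than trusted outright. The VLAN name `users`, interfaces `ge-0/0/47` and `ge-0/0/10`, the address `10.0.1.50` and the MAC are assumed values for illustration.

```junos
# Added example, not from the original notes. Assumed: VLAN "users" (ID 10),
# uplink trunk ge-0/0/47 towards the DHCP server, printer on access port
# ge-0/0/10 with constructed static address 10.0.1.50 / 00:11:22:33:44:55.
set vlans users vlan-id 10
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members users

# 1) DAI: ARP packets whose sender IP/MAC pair is not in the DHCP snooping
#    database are dropped on untrusted ports.
set vlans users forwarding-options dhcp-security arp-inspection

# 2) IP source guard: IP packets whose source IP/MAC pair is not in the same
#    database are dropped on untrusted ports.
set vlans users forwarding-options dhcp-security ip-source-guard

# 3) Trusted uplink: DHCP server replies are only accepted on trusted ports.
#    Trunk ports are trusted by default; the group below makes that explicit
#    and is the same syntax used to trust an access port facing a server.
set vlans users forwarding-options dhcp-security group uplink interface ge-0/0/47.0
set vlans users forwarding-options dhcp-security group uplink overrides trusted

# 4) Static-IP host: add a static binding instead of "overrides trusted", so
#    DAI and IP source guard keep checking this port against a known pair.
set vlans users forwarding-options dhcp-security group printers interface ge-0/0/10.0
set vlans users forwarding-options dhcp-security group printers interface ge-0/0/10.0 static-ip 10.0.1.50 mac 00:11:22:33:44:55

# Verification from operational mode after commit:
#   show dhcp-security binding                    (learned + static bindings)
#   show dhcp-security arp inspection statistics  (ARP packets passed/dropped)
#   show dhcp-security ip-source-guard            (IP source guard bindings)
```

Configuring any `dhcp-security` feature under the VLAN enables DHCP snooping on that VLAN, so the binding database is populated as clients obtain leases.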