DHCP snooping database is shared with IP source guard and dynamic ARP inspection

Understanding DHCP Snooping (ELS) | Link |
---|---|
DHCP Snooping | Link |
Understanding IP Source Guard for Port Security on Switches | protection against IP spoofing (forging/stealing) |
Understanding and Using Dynamic ARP Inspection (DAI) | Link |

DHCP Snooping database | against rogue DHCP servers |
---|---|
default | all access ports untrusted, all trunk ports trusted |
not in the DB | traffic is blocked |
Host with static IP@ | add a static MAC and IP@ binding under the dhcp-security group command |
config dhcp snooping (per VLAN): declare the trusted group | set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted |
add the DHCP server port to that group | set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0 |
overrides | Link |
dhcp relay / add option-82 | circuit-id=interface (default), remote-id=host MAC@ (default), vendor-id=juniper (default), pool, other options |
option-82 circuit-id prefix host-name | circuit-id becomes "EX1:ge-0/0/x" |
by default the DHCP snooping DB is lost after reboot | |
store it in a file | set system processes dhcp-service dhcp-snooping-file snoop-dhcp.log |
clear dhcp snooping database | clear dhcp-security binding |
clear a single binding | clear dhcp-security binding ip-address 172.20.1.10 |
show dhcp snooping database | show dhcp-security binding |
Dynamic ARP Inspection: against ARP spoofing attacks

DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate them and to protect against ARP spoofing.

Enhanced Layer 2 Software (ELS) configuration style: Link | |
---|---|
DAI is enabled per VLAN | |
enable DAI on a VLAN (ELS) | set vlans <vlan-name> forwarding-options dhcp-security arp-inspection |
For platforms without ELS: | https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/secure-access-port-port-security.html |
enable DAI on a VLAN (non-ELS EX Series switches) | set ethernet-switching-options secure-access-port vlan <vlan-name> arp-inspection, or for all VLANs: set ethernet-switching-options secure-access-port vlan all arp-inspection |
trust an interface (non-ELS, secure-access-port) | set ethernet-switching-options secure-access-port interface ge-0/0/0.0 dhcp-trusted |
Host uses a static IP address | set "overrides trusted" in the VLAN: set vlans <vlan-name> forwarding-options dhcp-security group <group-1> overrides trusted |
Trunk port | ARP packets bypass DAI on trusted interfaces. Trunk ports are trusted by default. |
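A complete ELS configuration that ties the DHCP snooping rows and the DAI rows together, added here as an example (it is not from these notes or from Juniper's documentation). The VLAN id, the printer port ge-0/0/5.0 with its address 172.20.1.10 and MAC 00:11:22:33:44:55, and the verification commands beyond show dhcp-security binding are assumed values; comment lines are for the reader and are not part of the set commands.

```junos
# Assumed topology (constructed for this example): VLAN Finance = vlan-id 20,
# DHCP server on access port ge-0/0/0.0, a printer with a static address on
# ge-0/0/5.0, uplink trunk ge-0/0/47.0 (trusted by default, nothing to configure).
set vlans Finance vlan-id 20

# Trust only the server port. DHCP OFFER/ACK arriving on any other (untrusted)
# access port of the VLAN is dropped, which is what blocks a rogue server.
set vlans Finance forwarding-options dhcp-security group DHCP-server overrides trusted
set vlans Finance forwarding-options dhcp-security group DHCP-server interface ge-0/0/0.0

# Static-IP host: give it a binding instead of marking its port trusted, so
# DAI and IP source guard still check its ARP and IP traffic (a trusted port
# bypasses both checks entirely, which is the caveat of "overrides trusted").
set vlans Finance forwarding-options dhcp-security group Printers interface ge-0/0/5.0 static-ip 172.20.1.10 mac 00:11:22:33:44:55

# Validate ARP replies and IP source addresses against the binding table.
set vlans Finance forwarding-options dhcp-security arp-inspection
set vlans Finance forwarding-options dhcp-security ip-source-guard

# Option 82: prefix the circuit-id with the switch host name, e.g. "EX1:ge-0/0/5.0".
set vlans Finance forwarding-options dhcp-security option-82 circuit-id prefix host-name

# Persist the binding table across reboots; without this, hosts holding a lease
# are blocked after a reboot until they renew and are re-learned.
set system processes dhcp-service dhcp-snooping-file snoop-dhcp.log

# Verification (operational mode):
#   show dhcp-security binding
#   show dhcp-security arp inspection statistics
```

The static binding should appear in show dhcp-security binding immediately after commit, while dynamic entries appear only once a client completes a DHCP exchange through the trusted server port.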