Switching

DHCP Snooping on EX4300 / ELS

  • 1.  DHCP Snooping on EX4300 / ELS

    Posted 10-06-2015 01:49

    Hi Guys,

    I am using Junos 14.1X53-D27 on EX4300 and want to enable DHCP Snooping for a specific VLAN, without any further security features (DAI, IP Source Guard etc.).

    From the documentation, I understand that it is NOT possible to only activate DHCP Snooping on a VLAN:

    http://www.juniper.net/techpubs/en_US/junos14.1/topics/concept/port-security-dhcp-snooping-els.html

    "DHCP snooping is not enabled in the default switch configuration. DHCP snooping is enabled automatically by Junos OS software when you configure any port security features at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level."

    So my question is whether there is any option to just activate DHCP Snooping on a VLAN without additionally activating DAI or IP Source Guard as well. With the "old" EX-CLI this was possible with the following command, and I can't understand why it shouldn't be possible anymore with ELS.

    set ethernet-switching-options secure-access-port vlan DATA examine-dhcp

    Thanks in advance,

    Benjamin



  • 2.  RE: DHCP Snooping on EX4300 / ELS

    Posted 02-23-2016 09:14

    I'm also interested to understand why this no longer appears to be supported.

    On a related note, be warned that we have been seeing very broken clients with dhcp-security, arp-inspection and ip-source-guard enabled on our voice VLAN on an EX4300 VC running 14.1X53-D30 (identical handsets operate correctly on EX4200 VCs running 12.3R11 with examine-dhcp, etc.).



  • 3.  RE: DHCP Snooping on EX4300 / ELS

    Posted 03-02-2016 06:27

    In the meantime, I found a workaround that seems to solve the issue. When I activate DHCP security for a given VLAN, I additionally add a group for trusted interfaces (without specifying a certain trusted interface) to be able to commit the configuration.

    set vlans <VLAN_NAME> forwarding-options dhcp-security group trusted-interfaces overrides trusted

    With this configuration DHCP Snooping is enabled for that VLAN, without turning on additional security mechanisms, like DAI or IP Source Guard.

    Regards, Benjamin



  • 4.  RE: DHCP Snooping on EX4300 / ELS
    Best Answer

    Posted 12-06-2017 16:47

    For anybody who finds this page: DHCP-snooping can be enabled on its own, without a workaround, as of 17.1R1.

    https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-dhcp-snooping-els.html

    Starting in Junos OS Release 17.1R1, you can configure DHCP snooping or DHCPv6 snooping on a VLAN without enabling other port security features by configuring the dhcp-security CLI statement at the [edit vlans vlan-name forwarding-options dhcp-security].
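
    An added configuration example (not from this thread or from Juniper's documentation) that puts the two approaches side by side: the pre-17.1R1 workaround from reply 3, extended so the group actually trusts the interface facing the DHCP server, and the plain 17.1R1 form from this reply. The VLAN name DATA and the group name trusted-interfaces come from the thread; the server-facing access interface ge-0/0/47 is a hypothetical value.

```junos
## Added example: DHCP snooping only on VLAN DATA (no DAI, no IP Source Guard).
## Assumes the DHCP server is reached through access interface ge-0/0/47
## (hypothetical). Access interfaces are untrusted by default, so server
## replies arriving on an untrusted port would be dropped by snooping.

## (a) Junos 14.1X53 / pre-17.1R1 ELS: the workaround from reply 3, with the
##     server-facing interface listed in the trusted group
set vlans DATA forwarding-options dhcp-security group trusted-interfaces overrides trusted
set vlans DATA forwarding-options dhcp-security group trusted-interfaces interface ge-0/0/47

## (b) Junos 17.1R1 and later: dhcp-security can stand alone; the trusted
##     group is still needed to mark the server-facing port
set vlans DATA forwarding-options dhcp-security
set vlans DATA forwarding-options dhcp-security group trusted-interfaces overrides trusted
set vlans DATA forwarding-options dhcp-security group trusted-interfaces interface ge-0/0/47

## Deliberately NOT set (these are the statements that turn on DAI / IP Source Guard):
##   set vlans DATA forwarding-options dhcp-security arp-inspection
##   set vlans DATA forwarding-options dhcp-security ip-source-guard

## Operational-mode check: bindings learned from snooped DHCP ACKs on DATA
show dhcp-security binding
```

    If the binding table stays empty while clients do get leases, the server-facing port is likely a trunk (trusted by default) and the group is not the problem; if clients get no leases at all, check that the server-facing interface is in the trusted group.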



  • 5.  RE: DHCP Snooping on EX4300 / ELS

    Posted 12-07-2017 00:22

    Thanks for the update and clarification!

    Best Regards,

    Benjamin



  • 6.  RE: DHCP Snooping on EX4300 / ELS

    Posted 12-07-2017 02:48

    I am very interested to see what experience anyone might have with either DHCP-Snooping alone or DHCP-Snooping with additional security features while using 17.1R(anything), or any other 17.x?

    Thanks