I am using Junos 14.1X53-D27 on EX4300 and want to enable DHCP Snooping for a specific VLAN, without any further security features (DAI, IP Source Guard etc.).
From the documentation, I understand that it is NOT possible to only activate DHCP Snooping on a VLAN:
"DHCP snooping is not enabled in the default switch configuration. DHCP snooping is enabled automatically by Junos OS software when you configure any port security features at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level."
So my question is whether there is any option to just activate DHCP Snooping without additionally activating DAI or IP Source Guard on a VLAN? With the "old" EX-CLI this was possible with the following command and I can't understand why it shouldn't be possible anymore with ELS.
set ethernet-switching-options secure-access-port vlan DATA examine-dhcp
Thanks in advance,
I'm also interested to understand why this no longer appears to be supported.
On a related note, be warned that we have been seeing very broken clients with dhcp-security, arp-inspection and ip-source-guard enabled on our voice VLAN on an EX4300 VC running 14.1X53-D30 (identical handsets operate correctly on EX4200 VCs running 12.3R11 with examine-dhcp, etc.).
In the meantime, I found a workaround that seems to solve the issue. When I activate DHCP security for a given VLAN, I additionally add a group for trusted interfaces (without specifying a certain trusted interface) to be able to commit the configuration.
set vlans <VLAN_NAME> forwarding-options dhcp-security group trusted-interfaces overrides trusted
With this configuration DHCP Snooping is enabled for that VLAN, without turning on additional security mechanisms, like DAI or IP Source Guard.
For anybody who finds this page: DHCP-snooping can be enabled on its own, without a workaround, as of 17.1R1.
Starting in Junos OS Release 17.1R1, you can configure DHCP snooping or DHCPv6 snooping on a VLAN without enabling other port security features by configuring the dhcp-security CLI statement at the [edit vlans vlan-name forwarding-options dhcp-security].
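As an added example (not taken from any post in this thread), here is the pre-17.1 workaround from above extended with an explicitly trusted uplink toward the DHCP server, plus the show commands to verify that only snooping is active. The VLAN name DATA, the group name trusted-uplink and the interface ge-0/0/47.0 are assumptions.

```junos
## Assumption: DATA is the client VLAN, ge-0/0/47.0 is the trunk uplink to the DHCP server.
## Access ports in the VLAN stay untrusted, so server replies arriving on them are dropped.
set vlans DATA forwarding-options dhcp-security group trusted-uplink overrides trusted
set vlans DATA forwarding-options dhcp-security group trusted-uplink interface ge-0/0/47.0
## No arp-inspection or ip-source-guard statement is configured, so only snooping runs.
## Verify the snooping database and per-VLAN counters after clients obtain leases:
show dhcp-security binding
show dhcp-security statistics
```

On 17.1R1 and later the group is optional and `set vlans DATA forwarding-options dhcp-security` alone enables snooping, but keeping the uplink trusted is still required for server replies to pass.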
Thanks for the update and clarification!
I am very interested to see what experience anyone might have with either DHCP-Snooping alone or DHCP-Snooping with additional security features while using 17.1R(anything), or any other 17.x?