DHCP Snooping on EX4300 / ELS

  • 1.  DHCP Snooping on EX4300 / ELS

    Posted 10-06-2015 01:49

    Hi Guys,


    I am using Junos 14.1X53-D27 on EX4300 and want to enable DHCP Snooping for a specific VLAN, without any further security features (DAI, IP Source Guard etc.).


    From the documentation, I understand that it is NOT possible to only activate DHCP Snooping on a VLAN:



    "DHCP snooping is not enabled in the default switch configuration. DHCP snooping is enabled automatically by Junos OS software when you configure any port security features at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level."


    So my question is, if there is any option to just activate DHCP Snooping without additionally activating DAI or IP Source Guard as well on a VLAN? With the "old" EX-CLI this was possible with the following command and I can't understand why it shouldn't be possible anymore with ELS.

    set ethernet-switching-options secure-access-port vlan DATA examine-dhcp

    Thanks in advance,


  • 2.  RE: DHCP Snooping on EX4300 / ELS

    Posted 02-23-2016 09:14

    I'm also interested to understand why this no longer appears to be supported.


    On a related note, be warned that we have been seeing very broken clients with dhcp-security, arp-inspection and ip-source-guard enabled on our voice VLAN on an EX4300 VC running 14.1X53-D30 (identical handsets operate correctly on EX4200 VCs running 12.3R11 with examine-dhcp, etc.).

  • 3.  RE: DHCP Snooping on EX4300 / ELS

    Posted 03-02-2016 06:27

    In the meantime, I found a workaround that seems to solve the issue. When I activate DHCP security for a given VLAN, I additionally add a group for trusted interfaces (without specifying a certain trusted interface) to be able to commit the configuration.


    set vlans <VLAN_NAME> forwarding-options dhcp-security group trusted-interfaces overrides trusted

    With this configuration DHCP Snooping is enabled for that VLAN, without turning on additional security mechanisms, like DAI or IP Source Guard.


    Regards, Benjamin

  • 4.  RE: DHCP Snooping on EX4300 / ELS
    Best Answer

    Posted 12-06-2017 16:47

    For anybody who finds this page: DHCP-snooping can be enabled on its own, without a workaround, as of 17.1R1.




    Starting in Junos OS Release 17.1R1, you can configure DHCP snooping or DHCPv6 snooping on a VLAN without enabling other port security features by configuring the dhcp-security CLI statement at the [edit vlans vlan-name forwarding-options dhcp-security].
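
Added example, not part of any post in this thread and not Juniper code: a small Python audit over set-format configuration that reports, per VLAN, whether dhcp-security is configured alone (bare statement or the trusted-group workaround) or together with arp-inspection / ip-source-guard, and flags a bare statement on a release earlier than 17.1R1. The VLAN names, sample configuration and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in "set" format; VLAN names are made up for this example.
SAMPLE = """\
set vlans DATA forwarding-options dhcp-security
set vlans VOICE forwarding-options dhcp-security arp-inspection
set vlans VOICE forwarding-options dhcp-security ip-source-guard
set vlans GUEST forwarding-options dhcp-security group trusted-interfaces overrides trusted
set vlans MGMT vlan-id 99
"""

LINE = re.compile(r"^set vlans (\S+) forwarding-options dhcp-security(?:\s+(.*))?$")
EXTRAS = ("arp-inspection", "ip-source-guard")  # features named in the thread

def release_tuple(release):
    """Reduce a Junos release string to (major, minor): '14.1X53-D27' -> (14, 1)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))

def audit(config, release):
    """Return {vlan: {'mode', 'extras', 'warning'}} for VLANs carrying dhcp-security."""
    stmts = defaultdict(list)
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m:
            stmts[m.group(1)].append(m.group(2) or "")
    report = {}
    for vlan, rest in stmts.items():
        extras = sorted({r.split()[0] for r in rest if r and r.split()[0] in EXTRAS})
        bare_only = not any(rest)  # only the bare dhcp-security statement is present
        warning = None
        if bare_only and release_tuple(release) < (17, 1):
            # Per the thread: stand-alone dhcp-security is available from 17.1R1;
            # earlier ELS releases needed a child statement such as the trusted group.
            warning = "bare dhcp-security requires 17.1R1 or later"
        mode = "snooping only" if not extras else "snooping + " + ", ".join(extras)
        report[vlan] = {"mode": mode, "extras": extras, "warning": warning}
    return report

if __name__ == "__main__":
    for vlan, info in sorted(audit(SAMPLE, "14.1X53-D27").items()):
        print(vlan, info["mode"], info["warning"] or "")
```
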

  • 5.  RE: DHCP Snooping on EX4300 / ELS

    Posted 12-07-2017 00:22

    Thanks for the update and clarification!


    Best Regards,


  • 6.  RE: DHCP Snooping on EX4300 / ELS

    Posted 12-07-2017 02:48

    I am very interested to see what experience anyone might have with either DHCP-Snooping alone or DHCP-Snooping with additional security features while using 17.1R(anything), or any other 17.x?