Switching


  • 1.  QFX5100 and DHCP snooping

    Posted 01-24-2018 03:17

    Hi!

    I have:

    QFX5100-48S-6Q

    Junos: 17.4R1.16

    I want to configure DHCP snooping to protect my network from other DHCP servers...

    I use this guide: https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/qfx-series/security.pdf

    But I don't see any working config.

    Does the QFX5100 support DHCP snooping?

    am> show dhcp?  
    Possible completions:
      dhcp                 Show Dynamic Host Configuration Protocol information
      dhcp-security        Show DHCP access security information
      dhcpv6               Show Dynamic Host Configuration Protocol v6 information
    {master:0}
    am> show dhcp ? 
    Possible completions:
      client               Show DHCP client information
      relay                Show DHCP relay information
      server               Show DHCP server information
      statistics           Show DHCP service statistics
    {master:0}[edit]
    am# set et
            ^
    syntax error.
    am# set et 

    #QFX
    #DHCPsnooping


  • 2.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 06:09

    Per this it should be there - https://apps.juniper.net/feature-explorer/feature-info.html?fKey=1039&fn=DHCP%20snooping

    See here for details on how to configure - https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-security-dhcp-snooping-cli.html

    QFX51xx and EX4600 have a different CLI structure from EX4300/EX3400/EX2300, that is, the other EX ELS switches.



  • 3.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 06:17

    Hello,

    But I don't have ethernet-switching-options:

    am> configure 
    Entering configuration mode
    
    {master:0}[edit]
    am# set et
            ^
    syntax error.
    am# set et 


  • 4.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 06:24

    Can you look under edit vlans vlan-name forward-options - is dhcp-snooping an option there?

    Thanks



  • 5.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 06:37

    I have this output:

    am# set vlans DATA forwarding-options dhcp-security ?
    Possible completions:
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      arp-inspection       Enable dynamic ARP inspection
    > dhcpv6-options       DHCPv6 option processing for snooped packets
    > group                Define a DHCP security group for overriding defaults
      ip-source-guard      Enable IP source guard
      ipv6-source-guard    Enable IPv6 source guard
      light-weight-dhcpv6-relay  Enable light weight dhcpv6 relay
      neighbor-discovery-inspection  Enable neighbor discovery inspection
      no-dhcp-snooping     Disable dhcp snooping
      no-dhcpv6-snooping   Disable DHCPv6 snooping
    > option-82            DHCP option-82 processing for snooped packets
      |                    Pipe through a command

    I did something like this:

    set vlans DATA vlan-id 500
    set vlans DATA l3-interface irb.500
    set vlans DATA forwarding-options dhcp-security group TRUST overrides trusted
    set vlans DATA forwarding-options dhcp-security group TRUST interface xe-0/0/0.0
    set vlans DATA forwarding-options dhcp-security group NO-TRUST interface ge-0/0/10.0
    set vlans VOIP vlan-id 770
    set vlans VOIP l3-interface irb.770
    
    set interfaces xe-0/0/0 description -=Servers=-
    set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
    set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members DATA
    set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members VOIP
    set interfaces ge-0/0/10 description -=Clients_Sherbakova2=-
    set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members DATA
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members VOIP


    I need xe-0/0/0.0 to be TRUST and the others (ge-0/0/10.0, etc.) to be UNTRUST.



  • 6.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 06:44

    Port-mode trunk is trusted by default; port-mode access is untrusted by default.

    Are you all set now?  I will look to get the documentation fixed.



  • 7.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 07:29

    How can I change the default role for trunk ports?
    In my network I have only 2 trunk ports with DHCP servers...

    All other trunk and access ports must be UNTRUSTED.



  • 8.  RE: QFX5100 and DHCP snooping

    Posted 01-25-2018 00:17

    Hi,

    I have not solved the issue.

    How do I make trunk ports UNTRUSTED?



  • 9.  RE: QFX5100 and DHCP snooping
    Best Answer

    Posted 01-25-2018 05:36

    I tested the following config:

    am> show configuration vlans                  
    DATA {
        vlan-id 500;
        l3-interface irb.500;
        forwarding-options {
            dhcp-security {
                group TRUST {
                    overrides {
                        trusted;
                    }
                    interface ge-0/0/20.0;
                }
                group UNTRUST {
                    overrides {
                        ##
                        ## Warning: statement ignored: unsupported platform (qfx5100-48s-6q)
                        ##
                        untrusted;
                    }
                    interface ge-0/0/21.0;
                }
            }
        }
    }

    But this doesn't work either.

    So, I have an answer from JTAC: "The warning is self explanatory. It is not supported on QFX5100. This is a product limitation."
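The warning in the output above is the check worth automating: the commit does not fail, the device simply drops the `untrusted` override and the trunk port stays at its platform default, so a rogue DHCP server on that port is still accepted. The script below is an added example, not code from this thread or from Juniper. It parses `show configuration` output in the brace format shown above for `## Warning: statement ignored` annotations, reads the intended configuration in `set` form (as posted earlier in the thread), and reports each port's effective trust state, counting only the overrides the device actually kept. It assumes the defaults stated in this thread (trunk trusted, access untrusted); the function names and both sample inputs are constructed for the example, modelled on the thread's output rather than captured from a device.

```python
# Added example (not from the thread or Juniper): cross-check the intended
# dhcp-security config against 'show configuration' output so an override the
# platform dropped is reported, not assumed to be in force. Defaults below are
# those stated in the thread (trunk trusted, access untrusted); both sample
# inputs are constructed, modelled on the thread's output.
import re

DEFAULT_TRUST = {"trunk": "trusted", "access": "untrusted"}

# Constructed: intended config in 'show configuration | display set' form.
SET_CONFIG = """\
set interfaces ge-0/0/20 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members DATA
set interfaces ge-0/0/21 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/21 unit 0 family ethernet-switching vlan members DATA
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members DATA
set vlans DATA forwarding-options dhcp-security group TRUST overrides trusted
set vlans DATA forwarding-options dhcp-security group TRUST interface ge-0/0/20.0
set vlans DATA forwarding-options dhcp-security group UNTRUST overrides untrusted
set vlans DATA forwarding-options dhcp-security group UNTRUST interface ge-0/0/21.0
"""

# Constructed: 'show configuration vlans' output carrying the warning block.
SHOW_VLANS = """\
DATA {
    forwarding-options {
        dhcp-security {
            group TRUST {
                overrides {
                    trusted;
                }
                interface ge-0/0/20.0;
            }
            group UNTRUST {
                overrides {
                    ##
                    ## Warning: statement ignored: unsupported platform (qfx5100-48s-6q)
                    ##
                    untrusted;
                }
                interface ge-0/0/21.0;
            }
        }
    }
}
"""


def ignored_statements(show_output):
    """[(path, statement, warning)] for statements the device annotated as ignored."""
    stack, warning, ignored = [], None, []
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("##"):          # warning block sits directly above the statement
            m = re.match(r"##\s*Warning:\s*(.+)", line)
            if m:
                warning = m.group(1).strip()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line:
            if warning:
                ignored.append((tuple(stack), line.rstrip(";"), warning))
            warning = None
    return ignored


def parse_set(set_config):
    """Ports {ifl: {mode, vlans}} and groups {vlan: {group: {override, interfaces}}}."""
    ports, groups = {}, {}
    for line in set_config.splitlines():
        t = line.split()
        if t[:2] == ["set", "interfaces"] and t[6:7] == ["ethernet-switching"]:
            p = ports.setdefault(f"{t[2]}.{t[4]}", {"mode": "access", "vlans": []})  # access is the Junos default
            if t[7:8] == ["interface-mode"]:
                p["mode"] = t[8]
            elif t[7:9] == ["vlan", "members"]:
                p["vlans"].append(t[9])
        elif t[:2] == ["set", "vlans"] and t[3:6] == ["forwarding-options", "dhcp-security", "group"]:
            g = groups.setdefault(t[2], {}).setdefault(t[6], {"override": None, "interfaces": []})
            if t[7:8] == ["overrides"]:
                g["override"] = t[8]
            elif t[7:8] == ["interface"]:
                g["interfaces"].append(t[8])
    return ports, groups


def effective_trust(set_config, show_output):
    """Per VLAN, each member port's effective trust; only overrides the device kept count."""
    ports, groups = parse_set(set_config)
    # (group name, override statement) pairs the device dropped.
    dropped = {(path[-2].split()[1], stmt) for path, stmt, _ in ignored_statements(show_output)
               if len(path) > 1 and path[-2].startswith("group ") and path[-1] == "overrides"}
    report = {}
    for vlan, vgroups in groups.items():
        for ifl, p in ports.items():
            if vlan not in p["vlans"]:
                continue
            e = {"mode": p["mode"], "group": None, "ignored": None, "state": DEFAULT_TRUST[p["mode"]]}
            for name, g in vgroups.items():
                if ifl in g["interfaces"]:
                    e["group"] = name
                    if (name, g["override"]) in dropped:
                        e["ignored"] = g["override"]      # configured, but not in force
                    elif g["override"] in DEFAULT_TRUST.values():
                        e["state"] = g["override"]
            report.setdefault(vlan, {})[ifl] = e
    return report


if __name__ == "__main__":
    for vlan, ports in effective_trust(SET_CONFIG, SHOW_VLANS).items():
        for ifl, e in sorted(ports.items()):
            note = f"   <-- '{e['ignored']}' override ignored, platform default applies" if e["ignored"] else ""
            print(f"{vlan} {ifl:<12} {e['mode']:<6} group={e['group']!s:<8} {e['state']}{note}")
```

Run against the constructed inputs, ge-0/0/21.0 is reported as trusted despite its UNTRUST group, which is the condition the thread hit: a trunk port with an ignored override keeps the platform default. The check keys dropped overrides by group name, which is enough for a single VLAN's `show configuration vlans` output; for a full `show configuration` dump with repeated group names across VLANs, key on the VLAN element of the path as well.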



  • 10.  RE: QFX5100 and DHCP snooping

    Posted 01-25-2018 06:44

    What was your JTAC case number, please?  Many thanks.