Switching

Expand all | Collapse all

QFX5100 and DHCP snooping

Jump to Best Answer
  • 1.  QFX5100 and DHCP snooping

    Posted 01-24-2018 03:17

    Hi!

     

    I have:

    QFX5100-48S-6Q

    Junos: 17.4R1.16

     

    I want to configure DHCP snooping for protect my network from other DHCP servers...

    I use this guide: https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/qfx-series/security.pdf

     

    But I don't see any working config.

    QFX5100 support DHCP snooping ?

     

    am> show dhcp?  
    Possible completions:
      dhcp                 Show Dynamic Host Configuration Protocol information
      dhcp-security        Show DHCP access security information
      dhcpv6               Show Dynamic Host Configuration Protocol v6 information
    {master:0}
    am> show dhcp ? 
    Possible completions:
      client               Show DHCP client information
      relay                Show DHCP relay information
      server               Show DHCP server information
      statistics           Show DHCP service statistics
    {master:0}[edit]
    am# set et
            ^
    syntax error.
    am# set et 

    #QFX
    #DHCPsnooping


  • 2.  RE: QFX5100 and DHCP snooping

     
    Posted 01-24-2018 06:09

    Per this it should be there - https://apps.juniper.net/feature-explorer/feature-info.html?fKey=1039&fn=DHCP%20snooping

     

    See here for details on how to configure - https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-security-dhcp-snooping-cli.html

     

    QFX51xx and EX4600 have different CLI structure than EX4300/EX3400/EX2300, that is other EX ELS switches. 



  • 3.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 06:17

    Hello,

     

    But a dont have ethernet-switching-options:

     

    am> configure 
    Entering configuration mode
    
    {master:0}[edit]
    am# set et
            ^
    syntax error.
    am# set et 


  • 4.  RE: QFX5100 and DHCP snooping

     
    Posted 01-24-2018 06:24

    Can you look under edit vlans vlan-name forward-options - is dhcp-snooping an option there?

     

    Thanks



  • 5.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 06:37

    I have this output:

     

    am# set vlans DATA forwarding-options dhcp-security ?
    Possible completions:
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      arp-inspection       Enable dynamic ARP inspection
    > dhcpv6-options       DHCPv6 option processing for snooped packets
    > group                Define a DHCP security group for overriding defaults
      ip-source-guard      Enable IP source guard
      ipv6-source-guard    Enable IPv6 source guard
      light-weight-dhcpv6-relay  Enable light weight dhcpv6 relay
      neighbor-discovery-inspection  Enable neighbor discovery inspection
      no-dhcp-snooping     Disable dhcp snooping
      no-dhcpv6-snooping   Disable DHCPv6 snooping
    > option-82            DHCP option-82 processing for snooped packets
      |                    Pipe through a command

    I did something like this:

     

     

    set vlans DATA vlan-id 500
    set vlans DATA l3-interface irb.500
    set vlans DATA forwarding-options dhcp-security group TRUST overrides trusted
    set vlans DATA forwarding-options dhcp-security group TRUST interface xe-0/0/0.0
    set vlans DATA forwarding-options dhcp-security group NO-TRUST interface ge-0/0/10.0
    set vlans VOIP vlan-id 770
    set vlans VOIP l3-interface irb.770
    
    set interfaces xe-0/0/0 description -=Servers=-
    set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
    set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members DATA
    set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members VOIP
    set interfaces ge-0/0/10 description -=Clients_Sherbakova2=-
    set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members DATA
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members VOIP

     

    I need xe-0/0/0.0 - TRUST and other (ge-0/0/10.0, etc.) - UNTRUST.



  • 6.  RE: QFX5100 and DHCP snooping

     
    Posted 01-24-2018 06:44

    Port-mode trunk is trust by default, port-mode access is untrust by default.

     

    You all set now?  I will look to get documentation fixed.



  • 7.  RE: QFX5100 and DHCP snooping

    Posted 01-24-2018 07:29

    How can I change default role for Trunk ports?
    In my network I have only 2 Trunk ports with DHCP servers...

     

    All other trunk and access port must be UNTRUSTED.



  • 8.  RE: QFX5100 and DHCP snooping

    Posted 01-25-2018 00:17

    Hi,

     

    I have not solved the issue.

     

    How to do UNTRUST for TRUNK ports?



  • 9.  RE: QFX5100 and DHCP snooping
    Best Answer

    Posted 01-25-2018 05:36

    I tested next config :

     

     

    am> show configuration vlans                  
    DATA {
        vlan-id 500;
        l3-interface irb.500;
        forwarding-options {
            dhcp-security {
                group TRUST {
                    overrides {
                        trusted;
                    }
                    interface ge-0/0/20.0;
                }
                group UNTRUST {
                    overrides {
                        ##
                        ## Warning: statement ignored: unsupported platform (qfx5100-48s-6q)
                        ##
                        untrusted;
                    }
                    interface ge-0/0/21.0;
                }
            }
        }
    }

    But this dont work to..

     

     

    So. I have answer from JTAC: "The warning is self explanatory. It is not supported on QFX5100. This is a product limitation."



  • 10.  RE: QFX5100 and DHCP snooping

     
    Posted 01-25-2018 06:44

    What was your JTAC case number, please?  Many thanks.