I've searched around Google/these forums for many hours and have looked at many a thread and Juniper TechDoc. I cannot seem to validate that DHCP snooping is 1.) configured correctly and 2.) actually working. Relevant config snippets are below.
Switch version: 18.2R3-S2.9
daxter@EX3400-24P> show configuration vlans WLAN
And as you can see, there are no DHCP snooping options for validation commands.
daxter@EX3400-24P> show dhcp ?
client Show DHCP client information
relay Show DHCP relay information
server Show DHCP server information
statistics Show DHCP service statistics
1) Configuration -> To enable DHCP snooping, all you need to do is enable dhcp-security for that specific VLAN, and I see that is already done. So the DHCP snooping database table must already be built and being updated dynamically for this VLAN WLAN. ARP inspection and IP-source-guard are additional port security features which also make use of the DHCP snooping database.
2) Actually Working -> You can check the DHCP snooping database to verify if it's working, for which you can use the command "show dhcp-security binding". For DHCPv6, "show dhcp-security ipv6 binding".
Please refer to https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-dhcp-security-binding.html for example outputs.
Hope this helps.
Thanks and Regards,
Pradeep Kumar M
|| If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||
"show dhcp-security binding"
Wow I'm dumb. I didn't even notice this was an option. Thank you for setting me straight!
I have no binding entries for some reason. I'm thinking this is because of the default switch behavior of trusting trunk ports. Unfortunately, my access points require the port to be a trunk. I see on the EX3400 with ELS, there is no way to "untrust" a trunk port. So this feature is essentially useless on this platform it seems.
Use 18.4R1 or higher. Untrust on Trunk support was added there.
I would suggest using latest 18.4 S-release, which is 18.4R3-S2 (found under Junos SR for OS).
Get back with your results.
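To tie the two answers together (enabling dhcp-security on the VLAN and checking the binding table, and the 18.4R1+ "overrides untrusted" option for trunk ports), here is an added ELS set-format example. It is not config from any poster in this thread. The VLAN id, the interface names and the group names are assumptions; the trusted/untrusted keywords and the show commands are standard Junos dhcp-security syntax. It deliberately leaves ip-source-guard out, because the thread reports a commit error when ip-source-guard is combined with overrides.

```junos
## Added example, not from this thread. Assumed topology: the DHCP server is
## reached over trunk ge-0/0/0; standalone APs sit on trunks ge-0/0/1 and ge-0/0/2.
## "overrides untrusted" on a trunk requires 18.4R1 or later (per the thread).

## Enable DHCP snooping on the VLAN; arp-inspection (DAI) builds on the same binding table
set vlans WLAN vlan-id 20
set vlans WLAN forwarding-options dhcp-security arp-inspection

## Trunks are trusted by default on EX/ELS. Trust only the uplink that leads to the DHCP server...
set vlans WLAN forwarding-options dhcp-security group dhcp-uplink overrides trusted
set vlans WLAN forwarding-options dhcp-security group dhcp-uplink interface ge-0/0/0.0

## ...and explicitly untrust the AP trunks so a rogue DHCP server behind an AP is dropped
set vlans WLAN forwarding-options dhcp-security group ap-trunks overrides untrusted
set vlans WLAN forwarding-options dhcp-security group ap-trunks interface ge-0/0/1.0
set vlans WLAN forwarding-options dhcp-security group ap-trunks interface ge-0/0/2.0

## Validate syntax before committing, then commit
commit check
commit

## Verification: entries appear only after a wireless client completes a DHCP exchange
## through an untrusted port; an empty table with all trunks trusted is expected.
show dhcp-security binding
show dhcp-security arp inspection statistics
```

With every AP trunk left at the default (trusted), no bindings are learned for those clients, which is exactly the empty table reported earlier in the thread; the untrusted override on the AP trunks is what makes the binding table populate.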
Running the new software and setting an override for the trunk port, I have DHCP snooping bindings now. A new issue has cropped up, however. The software does not allow "overrides untrust" to be configured with "ip-source-guard".
I'm starting to regret buying Juniper 😄
From your response, I can only assume you are new to Juniper EX products. I also assume your requirement is some port-level security for the WLAN/AP network. So whose switches were you using previously with this WLAN network? I sort of assume the WLAN is not new, so from which vendor is your WLAN? What was the previous configuration on your old switches?
I assume you are looking to enable DHCP Snooping on a Tagged Interface, which you then want to be untrusted. So under vlans vlan-name forwarding-options you have set dhcp-snooping with set arp-inspection and set overrides trusted. I assume when you then try and add set ip-source-guard, you now receive a commit error?
Maybe you could send your most current config, and what the commit error is?
I am new to EX switches and JunOS. This is a switch in my home lab. I use various L2 security features (dhcp snooping, DAI, ip source guard) on my guest wireless network. I've used Aruba/Cisco previously. Both would allow all three of these features to be enabled simultaneously. There's no sense in trusting a trunk port by default. My DHCP server is only off one trunk, so only that one trunk should be trusted. It's kinda dumb that Juniper enforces this by default.
WLAN access points are Ruckus. No controller/mesh. Just standalone APs.
"set overrides trusted" makes any port in that group trusted, which is not what I want. I had "set overrides untrusted" in the group and attached the trunk ports. The commit error simply states that ip-source-guard cannot be enabled with any overrides.