Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  dhcp-security and interface ranges

    Posted 12-30-2024 15:53

    Is there a way to apply dhcp-security to interface ranges rather than a single port?

    Example:

    vlan99 {
        description example;
        vlan-id 99;
        forwarding-options {
            dhcp-security {
                group Trusted {
                    overrides {
                        trusted;
                    }
                    interface-range Trunks;
                }
            }
        }
    }


    ------------------------------
    MARK JOHNS
    ------------------------------


  • 2.  RE: dhcp-security and interface ranges

    Posted 01-02-2025 19:55

    It seems it is not possible to configure an interface range in that stanza. On the other hand:

    "By default, all trunk ports on the switch are trusted and all access ports are untrusted for DHCP snooping."

    https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/concept/port-security-dhcp-snooping-els.html
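
Because the group stanza takes individual interface names rather than an interface range, one workaround is to generate the per-port statements from the range. This script is an added example, not part of the thread or Juniper's tooling; it assumes the posted `vlan99` stanza sits under `vlans`, that ranges vary only in the port number, and the port names are constructed.

```python
import re

# Physical Junos ports look like ge-0/0/12 (type-fpc/pic/port).
_PORT = re.compile(r"^([a-z]+)-(\d+)/(\d+)/(\d+)$")
# Single members may also be aggregated links such as ae0.
_SINGLE = re.compile(r"^(?:ae\d+|[a-z]+-\d+/\d+/\d+)$")


def expand_member_range(first, last):
    """Expand 'member-range first to last' into individual port names."""
    a, b = _PORT.match(first), _PORT.match(last)
    if not a or not b:
        raise ValueError(f"not a port name: {first!r} / {last!r}")
    if a.groups()[:3] != b.groups()[:3]:
        raise ValueError("range must stay within one type/fpc/pic")
    lo, hi = int(a.group(4)), int(b.group(4))
    if lo > hi:
        raise ValueError("range start is above range end")
    prefix = f"{a.group(1)}-{a.group(2)}/{a.group(3)}/"
    return [f"{prefix}{port}" for port in range(lo, hi + 1)]


def dhcp_security_group_cmds(vlan, group, members):
    """Build per-interface set commands for a trusted dhcp-security group.

    members: (first, last) tuples for ranges, or single interface names.
    Duplicates are emitted once, in first-seen order.
    """
    base = f"set vlans {vlan} forwarding-options dhcp-security group {group}"
    cmds = [f"{base} overrides trusted"]
    seen = set()
    for member in members:
        names = expand_member_range(*member) if isinstance(member, tuple) else [member]
        for name in names:
            if not _SINGLE.match(name):
                raise ValueError(f"not an interface name: {name!r}")
            if name not in seen:
                seen.add(name)
                cmds.append(f"{base} interface {name}")
    return cmds


if __name__ == "__main__":
    # Constructed sample: the thread's vlan99 / group Trusted, made-up uplinks.
    sample = [("xe-0/1/0", "xe-0/1/3"), "ae0"]
    for line in dhcp_security_group_cmds("vlan99", "Trusted", sample):
        print(line)
```

Review the generated lines before loading them, since marking a port trusted exempts it from DHCP snooping checks.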




  • 3.  RE: dhcp-security and interface ranges

    Posted 01-03-2025 08:47

    That's what I had thought too, but I came across an instance where that didn't seem to be the case. I had a coworker prepping a firewall and had it on the network on an access port to onboard it to the management site, and it started handing out DHCP to the VLAN it was on.



    ------------------------------
    MARK JOHNS
    ------------------------------



  • 4.  RE: dhcp-security and interface ranges

    Posted 01-06-2025 14:44

    Bump.



    ------------------------------
    MARK JOHNS
    ------------------------------



  • 5.  RE: dhcp-security and interface ranges

    Posted 01-06-2025 14:52

    Is it because all of our settings are set in interface ranges instead of individual interfaces?



    ------------------------------
    MARK JOHNS
    ------------------------------



  • 6.  RE: dhcp-security and interface ranges

    Posted 01-06-2025 16:54

    If it's a trunk it should be exempt. I don't know the show command to see if an interface is trusted, but it should be easy enough to find. What happens if you explicitly set it to trusted?




  • 7.  RE: dhcp-security and interface ranges

    Posted 30 days ago

    I can test this, but it's not the trunk range; it's the access range that is having issues.



    ------------------------------
    MARK JOHNS
    ------------------------------



  • 8.  RE: dhcp-security and interface ranges

    Posted 24 days ago

    Since this is on an interface range, should I make a filter that blocks DHCP coming into the interface range? What would that look like?



    ------------------------------
    MARK JOHNS
    ------------------------------