Supported Platforms
Related Documentation
- EX Series, QFabric System, QFX Series standalone switches
- Port Security Overview
- EX Series, QFX Series standalone switches
- Understanding DHCP Snooping for Port Security
Configuring Port Security (CLI Procedure)
 | Note: This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Port Security (CLI Procedure). For ELS details, see Getting Started with Enhanced Layer 2 Software. |
Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. DHCP port security features help protect the access ports on the switch against the loss of information and productivity that can result from such attacks.
The following port security features are supported for DHCPv4:
- DHCP snooping
- DAI (dynamic ARP inspection)
- IP source guard
- DHCP option 82
The following port security features are supported for DHCPv6:
- DHCPv6 snooping
- Neighbor Discovery inspection
- IPv6 source guard
- DHCPv6 option 37
DHCP snooping for DHCPv4 and DHCPv6 is disabled in the default configuration. There is no explicit configuration for enabling DHCP snooping. If you configure any other port security features for a VLAN at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level, then DHCP snooping and DHCPv6 snooping are automatically enabled on that VLAN.
DAI, Neighbor Discovery inspection, IP source guard and IPv6 source guard, and DHCP option 82 are configured per VLAN. You must configure a VLAN before configuring these DHCP port security features. See Configuring VLANs for EX Series Switches (CLI Procedure).
The DHCP port security features that you specify for the VLAN apply to all the interfaces included within that VLAN. However, you can create a specific group of access interfaces within the VLAN to have different attributes, such as:
- Specifying an interface to have a static IP-MAC address (static-ip or static-ipv6)
- Specifying an access interface to act as a trusted interface to a DHCP server (trusted)
- Specifying an interface not to transmit DHCP Relay Option (no-option-82or no-option37)
| Note:
|
| Note: Trunk interfaces are trusted by default. However, on an EX9200 switch, you can override this default behavior and set a trunk interface as untrusted. |
For additional details, see:
- Enabling Dynamic ARP Inspection (CLI Procedure)
- Enabling IPv6 Neighbor Discovery Inspection
- Configuring IP Source Guard (CLI Procedure)
- Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure)
You can override the general port security settings for the VLAN by configuring a group of access interfaces within that VLAN. For details, see:
Related Documentation
- EX Series, QFabric System, QFX Series standalone switches
- Port Security Overview
- EX Series, QFX Series standalone switches
- Understanding DHCP Snooping for Port Security
Published: 2014-04-24
Supported Platforms
Related Documentation
- EX Series, QFabric System, QFX Series standalone switches
- Port Security Overview
- EX Series, QFX Series standalone switches
- Understanding DHCP Snooping for Port Security
