Supported Platforms
Related Documentation
- EX Series
- Enabling DHCP Snooping (J-Web Procedure)
- Example: Using CoS Forwarding Classes to Prioritize Snooped Packets in Heavy Network Traffic
- EX Series, QFabric System, QFX Series standalone switches
- Example: Configuring Basic Port Security Features
- Monitoring Port Security
- EX Series, QFX Series standalone switches
- Example: Configuring DHCP Snooping, DAI, and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch
- Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
- Verifying That DHCP Snooping Is Working Correctly
- Understanding DHCP Snooping for Port Security
- EX, SRX Series
- secure-access-port
- QFabric System, QFX Series standalone switches
- class-of-service
- secure-access-port
Enabling DHCP Snooping (CLI Procedure)
DHCP snooping allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. It builds and maintains a database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping database.
Note: If you configure DHCP snooping for all VLANs and you enable a different port security feature on a specific VLAN, you must also explicitly enable DHCP snooping on that VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.
This topic describes:
- Enabling DHCP Snooping
- Applying CoS Forwarding Classes to Prioritize Snooped Packets
Enabling DHCP Snooping
You configure DHCP snooping per VLAN, not per interface (port). By default, DHCP snooping is disabled for all VLANs. You can enable DHCP snooping on all VLANs or on specific VLANs.
To enable DHCP snooping on a VLAN or all VLANs:
- On a specific VLAN:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan vlan-name examine-dhcp
- On all VLANs:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan all examine-dhcp
Tip: By default, the IP-MAC bindings are lost when the switch is rebooted and DHCP clients (the network devices, or hosts) must reacquire bindings. However, you can configure the bindings to persist by setting the dhcp-snooping-file statement to store the database file either locally or remotely.
Tip: For private VLANs (PVLANs), enable DHCP snooping on the primary VLAN. If you enable DHCP snooping only on a community VLAN, DHCP messages coming from PVLAN trunk ports are not snooped.
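The Note earlier in this topic describes a gap that is easy to miss in review: a VLAN that carries another port security statement but no explicit examine-dhcp falls back to no DHCP snooping, even when vlan all examine-dhcp is set. The following script is an added example, not Juniper code; it audits a configuration exported in set format (show configuration | display set), and the VLAN names and arp-inspection lines in the sample are constructed input.

```python
from collections import defaultdict

PREFIX = "set ethernet-switching-options secure-access-port vlan "

# Constructed sample input in "display set" form (not taken from a real switch).
SAMPLE_CONFIG = """\
set vlans employee vlan-id 10
set ethernet-switching-options secure-access-port vlan all examine-dhcp
set ethernet-switching-options secure-access-port vlan employee examine-dhcp
set ethernet-switching-options secure-access-port vlan employee arp-inspection
set ethernet-switching-options secure-access-port vlan voice arp-inspection
"""

def vlan_statements(config_text):
    """Map each VLAN named under secure-access-port to its configured statements."""
    statements = defaultdict(set)
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue  # interface-level and unrelated lines are ignored
        parts = line[len(PREFIX):].split()
        if len(parts) >= 2:
            statements[parts[0]].add(parts[1])
    return statements

def audit_dhcp_snooping(config_text):
    """Classify every specifically named VLAN.

    explicit   - examine-dhcp is set on the VLAN itself
    overridden - 'vlan all examine-dhcp' exists, but this VLAN has another
                 port security statement and no examine-dhcp of its own,
                 so per the Note it defaults to no DHCP snooping
    disabled   - no examine-dhcp on the VLAN and none on 'all'
    """
    statements = vlan_statements(config_text)
    snoop_all = "examine-dhcp" in statements.get("all", set())
    result = {}
    for vlan, stmts in statements.items():
        if vlan == "all":
            continue
        if "examine-dhcp" in stmts:
            result[vlan] = "explicit"
        else:
            result[vlan] = "overridden" if snoop_all else "disabled"
    return result

if __name__ == "__main__":
    for vlan, status in sorted(audit_dhcp_snooping(SAMPLE_CONFIG).items()):
        print(f"{vlan}: {status}")
```

Any VLAN reported as overridden or disabled needs its own set vlan vlan-name examine-dhcp line before features that depend on the DHCP snooping database can rely on it.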
Applying CoS Forwarding Classes to Prioritize Snooped Packets
On EX Series switches, you might need to use class of service (CoS) to keep packets from critical applications from being dropped during periods of network congestion and delay, while also needing the port security features of DHCP snooping on the same ports through which those critical packets enter and leave.
Note: This is not supported on the QFX Series switch.
To apply CoS forwarding classes and queues to snooped packets:
- Create a user-defined forwarding class to be used for prioritizing snooped packets:
    [edit class-of-service]
    user@switch# set forwarding-classes class class-name queue queue-number
- Enable DHCP snooping on a specific VLAN or on all VLANs and apply the desired forwarding class on the snooped packets:
    - On a specific VLAN:
        [edit ethernet-switching-options secure-access-port]
        user@switch# set vlan vlan-name examine-dhcp forwarding-class class-name
    - On all VLANs:
        [edit ethernet-switching-options secure-access-port]
        user@switch# set vlan all examine-dhcp forwarding-class class-name
Published: 2014-07-23