Juniper Switch Security pt 1 – DHCP Snooping

Full disclosure: I’m on the ELS platform, so the old-fashioned ‘easy way’ is not available here. The task is to secure the switch using DHCP Snooping to protect ourselves against rogue DHCP servers popping up. When the feature is enabled, all access ports are ‘untrusted’ and all trunks are ‘trusted’. My DHCP server is an SRX plugged into port ge-0/0/0 of the switch. Turning on the feature is not quite as straightforward as I hoped it would be.

Stage 1 – Activate DHCP Snooping
Actually, you can’t just switch it on any more; you have to enable a feature in the DHCP-Security tree. I’ll use DAI (Dynamic ARP Inspection), but more on what that is later. The snooping is per VLAN, so you need a VLAN in place ahead of time, or if you are lazy, just use the default.

set vlans default forwarding-options dhcp-security arp-inspection

Stage 2 – Create a Group
Bear in mind the DHCP server is on an access port, and it is port ge-0/0/0, so the switch will be blocking any DHCP goodness. So to start the process of allowing a DHCP server to exist on an access port, we need to create a group and assign a port to the group.

set vlans default forwarding-options dhcp-security group MYDHCPSERVERS interface ge-0/0/0.0

Stage 3 – Set the Group to override the default behaviour
This stage actually makes the previously created group override the normal behaviour.

set vlans default forwarding-options dhcp-security group MYDHCPSERVERS overrides trusted

Stage 4 – Verify
In the ELS the verification is to look at the snooping database as below:

root> show dhcp-security binding
IP address        MAC address         Vlan     Expires State   Interface
                  c8:2a:14:0a:1d:a6   default  85549   BOUND   ge-0/0/6.0

The interface shown above (ge-0/0/6) is the port the test laptop is plugged into.
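As an added example (my own script, not part of the original post), here is a small Python helper that emits the Stage 1–3 commands above for any VLAN and set of server-facing ports, parses the Stage 4 binding output, and checks that each expected client shows up BOUND on an untrusted port. The function names and the 192.0.2.10 sample row are my assumptions; only the set-command syntax and the column layout come from the post.

```python
import re
from typing import Dict, List

def snooping_config(vlan: str, group: str, server_ifaces: List[str]) -> List[str]:
    """Stages 1-3 for one VLAN: enable DAI (which also turns on snooping), put the
    server-facing access ports in a group, then mark that group trusted."""
    base = f"set vlans {vlan} forwarding-options dhcp-security"
    cmds = [f"{base} arp-inspection"]
    for ifd in server_ifaces:
        unit = ifd if "." in ifd else f"{ifd}.0"  # logical unit, as in ge-0/0/0.0
        cmds.append(f"{base} group {group} interface {unit}")
    cmds.append(f"{base} group {group} overrides trusted")
    return cmds

# One binding-table row. The IP column is optional because the post's own
# captured row shows only MAC, VLAN, expiry, state and interface.
ROW = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vlan>\S+)\s+"
    r"(?P<expires>\d+)\s+(?P<state>\S+)\s+(?P<iface>\S+)$", re.IGNORECASE)

def parse_bindings(output: str) -> List[Dict[str, str]]:
    """Parse 'show dhcp-security binding'; the prompt and header lines do not match."""
    return [m.groupdict() for m in map(ROW.match, map(str.strip, output.splitlines())) if m]

def audit(bindings: List[Dict[str, str]], trusted: List[str], expected_macs: List[str]) -> List[str]:
    """Stage 4 as a check: every expected client needs a BOUND entry, and it should
    sit on an untrusted port (a client behind the server port is worth a look)."""
    by_mac = {b["mac"].lower(): b for b in bindings}
    problems = []
    for mac in expected_macs:
        b = by_mac.get(mac.lower())
        if b is None:
            problems.append(f"{mac}: no binding (client never got a lease through the switch?)")
        elif b["state"].upper() != "BOUND":
            problems.append(f"{mac}: state {b['state']} on {b['iface']}")
        elif b["iface"] in trusted:
            problems.append(f"{mac}: bound on trusted port {b['iface']}")
    return problems

# Constructed sample output in the post's column layout (the IP 192.0.2.10 is made up).
SAMPLE = """root> show dhcp-security binding
IP address        MAC address         Vlan     Expires State   Interface
192.0.2.10        c8:2a:14:0a:1d:a6   default  85549   BOUND   ge-0/0/6.0
"""

if __name__ == "__main__":
    print("\n".join(snooping_config("default", "MYDHCPSERVERS", ["ge-0/0/0"])))
    print(audit(parse_bindings(SAMPLE), ["ge-0/0/0.0"], ["c8:2a:14:0a:1d:a6", "00:11:22:33:44:55"]))
```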
