Ethernet Switching
Regular Visitor
Posts: 9
Registered: ‎04-22-2012
0 Kudos

DHCP Snooping Binding on EX8208

Can anybody help me to make DHCP Snooping Bindings work on EX8208? We have some EX8208s running the Junos 15.1R5.5 version, but we tried to activate it before on Junos 14 and 13, and all the time we were unable to get it working as it should...

 

I have attached our topology, and I want to explain a little bit, how our network works:

Hosts are connected to an access switch which inserts Option 82 in DHCP packets, then the EX8208 acts as a DHCP Relay and relays DHCP packets to the DHCP Server. On the EX we have configured bootp as follows:

 

show configuration forwarding-options helpers
bootp {
    relay-agent-option;
    server 10.1.1.1;
    server 10.2.2.2;
    interface {
        vlan.55;
        vlan.56;
        vlan.61;
        vlan.67;
        vlan.70;
    }
}


I've tried to configure

set ethernet-switching-options secure-access-port vlan VLANxxx examine-dhcp

 

on those VLANs which are configured with relay, but it didn't work. What I've noticed is that when hosts obtain an IP through DHCP, I see a binding in the DHCP snooping bindings table, but it has a lease time of 4 seconds (actually we have a lease time equal to 3 days), and it shows me my uplink interface (the interface to the DHCP Server), not the downlink interface which goes to the client:

 

show dhcp snooping binding
DHCP Snooping Information:
MAC Address             IP Address Lease   Type     VLAN    Interface
-----------------       ---------- -----   -------  ----    ---------
xx:xx:xx:xx:xx:xx       192.0.2.0  4      dynamic   VLAN55  xe-0/0/1.0

 

 

I think that the problem is that the EX sees all ports as trusted, while host ports should be untrusted, but if I set the downlink port ge-4/0/4 as untrusted, then it drops DHCP packets with Option 82... I've noticed the same on Cisco switches, but there is a command there, something like "dhcp snooping information options allow-untrusted"; here I can't see such a command.

 

Does anybody know what the problem is? And how to make DHCP Snooping Bindings work properly, as we want to enable IP Source Guard and Dynamic ARP Inspection for security?
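
Added example (not part of the original post and not Juniper code): a small Python check that parses "show dhcp snooping binding" output in the layout shown above and flags the two symptoms described in the post, a binding learned on the uplink port and a lease far shorter than the server's, before IP Source Guard or Dynamic ARP Inspection is enabled on top of the table. The function names, the trusted_ports and min_lease parameters and the sample rows are assumptions made for this example.

```python
import re

# One data row: MAC, IP, lease in seconds, type, VLAN, interface.
# Rows whose lease is not a plain number are not matched and are skipped.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+)\s+(?P<type>\S+)\s+(?P<vlan>\S+)\s+(?P<ifname>\S+)$"
)

def parse_bindings(text):
    """Return one dict per binding row; headers and separators are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["lease"] = int(row["lease"])
            rows.append(row)
    return rows

def audit(rows, trusted_ports, min_lease):
    """Flag bindings that do not describe where and for how long a host holds its lease."""
    findings = []
    for r in rows:
        if r["ifname"] in trusted_ports:
            findings.append((r["mac"], "learned on trusted/uplink port " + r["ifname"]))
        if r["type"] == "dynamic" and r["lease"] < min_lease:
            findings.append((r["mac"], "lease %ds is below expected minimum %ds"
                             % (r["lease"], min_lease)))
    return findings

# Constructed sample output (documentation MAC and IP ranges, not real hosts).
SAMPLE = """\
DHCP Snooping Information:
MAC Address             IP Address Lease   Type     VLAN    Interface
-----------------       ---------- -----   -------  ----    ---------
00:00:5e:00:53:01       192.0.2.10  4      dynamic   VLAN55  xe-0/0/1.0
00:00:5e:00:53:02       192.0.2.11  259100 dynamic   VLAN55  ge-4/0/4.0
"""

if __name__ == "__main__":
    # Assumption: xe-0/0/1.0 is the uplink towards the DHCP server.
    for mac, why in audit(parse_bindings(SAMPLE), {"xe-0/0/1.0"}, min_lease=3600):
        print(mac, why)
```
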

Regular Visitor
Posts: 9
Registered: ‎04-22-2012
0 Kudos

Re: DHCP Snooping Binding on EX8208

Has someone managed to get DHCP Snooping Bindings to work on the EX8208?!

Trusted Contributor
Posts: 98
Registered: ‎03-10-2009
0 Kudos

Re: DHCP Snooping Binding on EX8208

Hi

 

By default all access ports are untrusted. You can make the port going towards the server trusted.


Can you add that configuration and check? I ask because the snooping binding table takes the lease information from the ACK packet.

 

Thanks

Partha

Regular Visitor
Posts: 9
Registered: ‎04-22-2012
0 Kudos

Re: DHCP Snooping Binding on EX8208

Hi Partha,

 

I attached our topology in my first post here. If you take a look there, you can see that our EX8208's port that is connected to our Layer 3 network is a trunk port (this is also the interface which goes to the DHCP Server), so it is a trusted port. We don't have any access ports on the EX; all the ports, whether they go up to the DHCP server or down to our clients, are trunk ports.