Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Configuring DHCP Snooping and DAI on EX Switches

    Posted 06-08-2014 21:04

    Hi guys,

    In my network environment we now have a pair of EX 4500 running on VC (core switch) and EX 4200 running on VC as well (2 stacks as edge switches), connected and interfacing with the EX 4500.

    What I want to do now is to configure DHCP snooping and DAI (dynamic ARP inspection) to prevent man-in-the-middle attacks.

    Do I have to configure DHCP snooping and DAI on both the EX 4500 and 4200s? I assume I will need to set examine dhcp and arp inspection for all of my 20 VLANs?

     

        



  • 2.  RE: Configuring DHCP Snooping and DAI on EX Switches

     
    Posted 06-10-2014 00:50

    You need to configure security features only on the edge switch (where the potential attackers are connected).

     

     

     

    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: Configuring DHCP Snooping and DAI on EX Switches

    Posted 06-10-2014 01:57

    Hi Reggaez,

     

    As per your scenario, you should configure DHCP snooping & DAI on the EX-4200 switches (edge switches).

    The commands for configuring DHCP snooping & DAI are:

     

    #set ethernet-switching-options secure-access-port vlan <vlan-name> arp-inspection

    #set ethernet-switching-options secure-access-port vlan <vlan-name> examine-dhcp

     

     



  • 4.  RE: Configuring DHCP Snooping and DAI on EX Switches

    Posted 06-22-2014 03:14

    Hi suresh,

    Thanks for the info. Now I have another question: the DHCP server is running on a Hyper-V server and is connected to a server farm switch (CISCO 3750). In this scenario, where do I set the trusted port for DHCP snooping?

    Right now the setup is:

    EX 4200 (Access Switches) ---> EX 4500 (Core) ---> Cisco 3750 (Server Farm) ----> DHCP Server.

    Do I set the trusted port at the Cisco 3750? Or do I still need to set the trusted port at the core switch as well?



  • 5.  RE: Configuring DHCP Snooping and DAI on EX Switches
    Best Answer

    Posted 06-24-2014 23:18

    The trunk ports connecting the access to the core and core to CISCO are DHCP trusted already.
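
Added example (not part of the thread): a small Python audit that reads `show configuration | display set` output from an edge switch, reports which VLANs still lack `examine-dhcp` or `arp-inspection`, and lists ports explicitly marked `dhcp-trusted` for review. The sample configuration, VLAN names and interface name are constructed; the function name `audit` is hypothetical.

```python
import re

# Constructed sample: "show configuration | display set" output from a
# hypothetical EX 4200 edge stack (VLAN and interface names are made up).
SAMPLE = """\
set vlans users vlan-id 10
set vlans voice vlan-id 20
set vlans printers vlan-id 30
set ethernet-switching-options secure-access-port vlan users examine-dhcp
set ethernet-switching-options secure-access-port vlan users arp-inspection
set ethernet-switching-options secure-access-port vlan voice examine-dhcp
set ethernet-switching-options secure-access-port interface ge-0/0/5.0 dhcp-trusted
"""

SAP = "set ethernet-switching-options secure-access-port "
FEATURES = ("examine-dhcp", "arp-inspection")

def audit(config_text):
    """Return (missing, trusted): features missing per VLAN, and the
    interfaces explicitly configured as dhcp-trusted."""
    vlans, enabled, trusted = [], {}, []
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r"set vlans (\S+)", line)
        if m:
            if m.group(1) not in vlans:  # one VLAN can span several set lines
                vlans.append(m.group(1))
            continue
        if not line.startswith(SAP):
            continue
        words = line[len(SAP):].split()
        if len(words) >= 3 and words[0] == "vlan" and words[2] in FEATURES:
            enabled.setdefault(words[1], set()).add(words[2])
        elif len(words) >= 3 and words[0] == "interface" and words[2] == "dhcp-trusted":
            trusted.append(words[1])
    everywhere = enabled.get("all", set())  # "vlan all" covers every VLAN
    missing = {}
    for v in vlans:
        gap = [f for f in FEATURES if f not in enabled.get(v, set()) | everywhere]
        if gap:
            missing[v] = gap
    return missing, trusted

if __name__ == "__main__":
    missing, trusted = audit(SAMPLE)
    for vlan, gap in missing.items():
        print(f"VLAN {vlan}: missing {', '.join(gap)}")
    print("Explicit dhcp-trusted ports to review:", ", ".join(trusted) or "none")
```

Any port listed as explicitly `dhcp-trusted` should face the DHCP server path (here, toward the core), not an end-user device.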