Ethernet Switching

QFX5100 and DHCP snooping

01-24-2018 03:17 AM

Hi!

I have:

QFX5100-48S-6Q

Junos: 17.4R1.16

I want to configure DHCP snooping to protect my network from other DHCP servers...

I use this guide: https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/qfx-series/secu...

But I don't see any working config.

Does the QFX5100 support DHCP snooping?

am> show dhcp?  
Possible completions:
  dhcp                 Show Dynamic Host Configuration Protocol information
  dhcp-security        Show DHCP access security information
  dhcpv6               Show Dynamic Host Configuration Protocol v6 information
{master:0}
am> show dhcp ? 
Possible completions:
  client               Show DHCP client information
  relay                Show DHCP relay information
  server               Show DHCP server information
  statistics           Show DHCP service statistics
{master:0}[edit]
am# set et
        ^
syntax error.
am# set et 

Re: QFX5100 and DHCP snooping

01-24-2018 06:09 AM

Per this it should be there - https://apps.juniper.net/feature-explorer/feature-info.html?fKey=1039&fn=DHCP%20snooping

See here for details on how to configure - https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-security-dhcp-snoop...

QFX51xx and EX4600 have a different CLI structure from EX4300/EX3400/EX2300, that is, the other EX ELS switches.


Re: QFX5100 and DHCP snooping

01-24-2018 06:17 AM

Hello,

But I don't have ethernet-switching-options:

am> configure 
Entering configuration mode

{master:0}[edit]
am# set et
        ^
syntax error.
am# set et 

Re: QFX5100 and DHCP snooping

01-24-2018 06:23 AM

Can you look under edit vlans vlan-name forward-options - is dhcp-snooping an option there?

Thanks


Re: QFX5100 and DHCP snooping

01-24-2018 06:37 AM

I have this output:

am# set vlans DATA forwarding-options dhcp-security ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  arp-inspection       Enable dynamic ARP inspection
> dhcpv6-options       DHCPv6 option processing for snooped packets
> group                Define a DHCP security group for overriding defaults
  ip-source-guard      Enable IP source guard
  ipv6-source-guard    Enable IPv6 source guard
  light-weight-dhcpv6-relay  Enable light weight dhcpv6 relay
  neighbor-discovery-inspection  Enable neighbor discovery inspection
  no-dhcp-snooping     Disable dhcp snooping
  no-dhcpv6-snooping   Disable DHCPv6 snooping
> option-82            DHCP option-82 processing for snooped packets
  |                    Pipe through a command

I did something like this:

set vlans DATA vlan-id 500
set vlans DATA l3-interface irb.500
set vlans DATA forwarding-options dhcp-security group TRUST overrides trusted
set vlans DATA forwarding-options dhcp-security group TRUST interface xe-0/0/0.0
set vlans DATA forwarding-options dhcp-security group NO-TRUST interface ge-0/0/10.0
set vlans VOIP vlan-id 770
set vlans VOIP l3-interface irb.770

set interfaces xe-0/0/0 description -=Servers=-
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members DATA
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members VOIP
set interfaces ge-0/0/10 description -=Clients_Sherbakova2=-
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members DATA
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members VOIP

I need xe-0/0/0.0 - TRUST and other (ge-0/0/10.0, etc.) - UNTRUST.


Re: QFX5100 and DHCP snooping

01-24-2018 06:43 AM

Port-mode trunk is trusted by default, port-mode access is untrusted by default.

You all set now?  I will look to get documentation fixed.


Re: QFX5100 and DHCP snooping

01-24-2018 07:29 AM

How can I change default role for Trunk ports?
In my network I have only 2 Trunk ports with DHCP servers...

All other trunk and access ports must be UNTRUSTED.


Re: QFX5100 and DHCP snooping

01-25-2018 12:17 AM

Hi,

I have not solved the issue.

How do I set UNTRUST for TRUNK ports?

Solution (accepted by topic author am@itboz.com.ua)

Re: QFX5100 and DHCP snooping

01-25-2018 05:36 AM

I tested the next config:

am> show configuration vlans                  
DATA {
    vlan-id 500;
    l3-interface irb.500;
    forwarding-options {
        dhcp-security {
            group TRUST {
                overrides {
                    trusted;
                }
                interface ge-0/0/20.0;
            }
            group UNTRUST {
                overrides {
                    ##
                    ## Warning: statement ignored: unsupported platform (qfx5100-48s-6q)
                    ##
                    untrusted;
                }
                interface ge-0/0/21.0;
            }
        }
    }
}

But this doesn't work either.

So, I have an answer from JTAC: "The warning is self explanatory. It is not supported on QFX5100. This is a product limitation."
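To see which ports end up trusted under the rules this thread reports (trunk trusted and access untrusted by default, `overrides trusted` honoured, `overrides untrusted` ignored on the QFX5100), here is an added Python audit that reads set-style configuration; it is not code from the thread or from Juniper, and the VLAN and interface names in the sample are constructed.

```python
import re
from collections import defaultdict

# 'set'-style lines the audit understands; anything else is ignored.
MODE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching interface-mode (trunk|access)$")
OVERRIDE_RE = re.compile(r"^set vlans (\S+) forwarding-options dhcp-security group (\S+) overrides (trusted|untrusted)$")
MEMBER_RE = re.compile(r"^set vlans (\S+) forwarding-options dhcp-security group (\S+) interface (\S+)$")

def effective_trust(config_lines, untrusted_override_supported=False):
    """Map (vlan, logical interface) -> {"trusted", "mode", "override"} using the rules
    the thread reports: trunk trusted / access untrusted by default, 'overrides trusted'
    promotes, 'overrides untrusted' is ignored where unsupported (QFX5100 in the thread)."""
    modes, overrides, members = {}, {}, defaultdict(list)
    for line in map(str.strip, config_lines):
        if m := MODE_RE.match(line):
            modes[f"{m[1]}.{m[2]}"] = m[3]
        elif m := OVERRIDE_RE.match(line):
            overrides[(m[1], m[2])] = m[3]
        elif m := MEMBER_RE.match(line):
            members[(m[1], m[2])].append(m[3])
    result = {}
    for (vlan, group), ifls in members.items():
        override = overrides.get((vlan, group))
        for ifl in ifls:
            mode = modes.get(ifl, "access")  # interface not in config: assume access
            trusted = mode == "trunk"
            if override == "trusted":
                trusted = True
            elif override == "untrusted" and untrusted_override_supported:
                trusted = False
            result[(vlan, ifl)] = {"trusted": trusted, "mode": mode, "override": override}
    return result

def silently_trusted(config_lines, **kw):
    """Interfaces put in an 'untrusted' group that still accept DHCP server replies,
    i.e. where a rogue DHCP server on that port would not be blocked."""
    return sorted(k for k, v in effective_trust(config_lines, **kw).items()
                  if v["override"] == "untrusted" and v["trusted"])

# Constructed sample modelled on the thread's final config, in set-command form.
SAMPLE = """
set interfaces ge-0/0/20 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/21 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/22 unit 0 family ethernet-switching interface-mode access
set vlans DATA forwarding-options dhcp-security group TRUST overrides trusted
set vlans DATA forwarding-options dhcp-security group TRUST interface ge-0/0/20.0
set vlans DATA forwarding-options dhcp-security group UNTRUST overrides untrusted
set vlans DATA forwarding-options dhcp-security group UNTRUST interface ge-0/0/21.0
set vlans DATA forwarding-options dhcp-security group UNTRUST interface ge-0/0/22.0
""".strip().splitlines()
```

Running `silently_trusted(SAMPLE)` flags the trunk port ge-0/0/21.0 in VLAN DATA: it sits in the UNTRUST group but, because the override is ignored, it keeps the trunk default and still accepts server replies, while the access port ge-0/0/22.0 is untrusted as intended.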


Re: QFX5100 and DHCP snooping

01-25-2018 06:44 AM

What was your JTAC case number, please?  Many thanks.