Ethernet Switching

dhcp snooping in MX

03-14-2018 04:36 PM

For the life of me, I am unable to get dhcp snooping to work on a Juniper MX 480. We are using flexible-vlan-tagging and bridge-domains. I have tried setting one port to trusted, and another to untrusted, both to untrusted... and I already know that "trunk" ports are trusted by default and "access" ports are untrusted by default. However, this seems to not matter on this setup. No matter which settings I enable (arp-inspection, option 82...) the command "show dhcp-security binding" is blank and dhcp continues to work. I need it to NOT work... per dhcp-snooping policy...
I will point out we are using an external dhcp server, not the server integrated into the juniper MX.
Is this a limitation of an MX? Has anyone attempted to use dhcp-security features on an MX?

22 REPLIES
Re: dhcp snooping in MX

03-14-2018 04:57 PM
Port level security options like dhcp-snooping are not part of MX feature set. These are EX (and some QFX) Access switch features.

Did you check feature explorer on Juniper Support web site?
Re: dhcp snooping in MX

03-14-2018 05:05 PM
Re: dhcp snooping in MX

03-14-2018 06:57 PM

I tried it and gave up and used the following.

forwarding-options {
    helpers {
        bootp {
            relay-agent-option;
            server 10.127.199.13;
            interface {
                irb.200;
                irb.205;
                irb.199;
            }
        }
    }
}

Re: dhcp snooping in MX

03-14-2018 08:08 PM

:/ So it didn't work for you either? This is pretty disastrous...

Re: dhcp snooping in MX

03-14-2018 09:53 PM

What release are you running? I would suggest creating a case and having JTAC take a look.

--------------------------------------------------------------------------------------------------------
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
--------------------------------------------------------------------------------------------------------

Thanks
Amit
Re: dhcp snooping in MX

03-14-2018 10:46 PM

16.1R6-S2.3

That would be the next step. I'm not generally the type to just go to support for everything, but when it seems to be an issue, that is where I go.

Re: dhcp snooping in MX

03-15-2018 02:26 AM

I tested this quite some time back, maybe on a 14.x release. Here are the results; unfortunately I don't have a setup for a quick test now.

{master}[edit]
root@MX104-1# show bridge-domains bd1100
vlan-id 1100;
interface ge-1/1/2.1100;
routing-interface irb.1100;
forwarding-options {
dhcp-security {
arp-inspection;
ip-source-guard;
}
}

{master}[edit]
root@MX104-1# show interfaces ge-1/1/2.1100
encapsulation vlan-bridge;
vlan-id 1100;

{master}[edit]
root@MX104-1# show interfaces irb.1100
family inet {
address 192.0.1.254/24;
}
mac fa:ae:aa:cd:fb:ab;

{master}[edit]
root@MX104-1# show forwarding-options dhcp-relay
server-group {
AMIT_DHCP {
135.1.0.2;
}
}
group AMIT_DHCP {
active-server-group AMIT_DHCP;
interface irb.1100;
}

{master}[edit]
root@MX104-1#

{master}[edit]
root@MX104-1# run show dhcp relay binding detail

Client IP Address: 192.0.1.11
Hardware Address: 00:10:65:31:01:02
State: BOUND(RELAY_STATE_BOUND)
Lease Expires: 2018-03-15 15:32:36 UTC
Lease Expires in: 3446 seconds
Lease Start: 2018-03-15 14:32:36 UTC
Last Packet Received: 2018-03-15 14:32:36 UTC
Incoming Client Interface: irb.1100:ge-1/1/2.1100
Server Ip Address: 135.1.0.2
Server Interface: none
Bootp Relay Address: 192.0.1.254
Session Id: 21
Client IP Address: 192.0.1.10
Hardware Address: 00:10:65:31:01:03
State: BOUND(RELAY_STATE_BOUND)
Lease Expires: 2018-03-15 15:32:36 UTC
Lease Expires in: 3446 seconds
Lease Start: 2018-03-15 14:32:36 UTC
Last Packet Received: 2018-03-15 14:32:36 UTC
Incoming Client Interface: irb.1100:ge-1/1/2.1100
Server Ip Address: 135.1.0.2
Server Interface: none
Bootp Relay Address: 192.0.1.254
Session Id: 20
Client IP Address: 192.0.1.12
Hardware Address: 00:11:64:31:01:02
State: BOUND(RELAY_STATE_BOUND)
Lease Expires: 2018-03-15 15:30:08 UTC
Lease Expires in: 3298 seconds
Lease Start: 2018-03-15 14:30:08 UTC
Last Packet Received: 2018-03-15 14:30:08 UTC
Incoming Client Interface: irb.1100:ge-1/1/2.1100
Server Ip Address: 135.1.0.2
Server Interface: none
Bootp Relay Address: 192.0.1.254
Session Id: 19

{master}[edit]
root@MX104-1# run show dhcp-security binding ip-source-guard
IP address    MAC address         Vlan    Expires  State  Interface
192.0.1.10    00:10:65:31:01:03   bd1100  3437     BOUND  ge-1/1/2.1100
192.0.1.11    00:10:65:31:01:02   bd1100  3437     BOUND  ge-1/1/2.1100
192.0.1.12    00:11:64:31:01:02   bd1100  3290     BOUND  ge-1/1/2.1100
192.0.1.13    00:10:65:31:01:02   bd1100  2856     BOUND  ge-1/1/2.1100

{master}[edit]
root@MX104-1#


Thanks
Amit
Re: dhcp snooping in MX

03-15-2018 05:21 AM

This is dhcp-relay, though, not actually dhcp-snooping. It could work; I would have to make a few changes to my setup. Real dhcp-snooping should operate with the dhcp server and the dhcp clients in the same vlan. But thank you for the example. Trying dhcp-relay was my next "fix" for the shortcoming.

Re: dhcp snooping in MX

03-15-2018 06:02 AM

Maybe a better way to approach your situation is to tell us what you are trying to accomplish, not what you are trying to configure - yes?

In the meantime, I will try to do some checking on Port-Level security features on MX. BTW, what exact MX HW and SW are you using? This could well be related to what you are seeing. For example, IF Port-Level security features are supported on MX, there would 1) need to be a minimum SW level (looks like 14.1R1 except for the latest MX models) and 2) I doubt very much this support is there on, say, DPC modules.

Re: dhcp snooping in MX

03-15-2018 07:03 AM

I will do my best to explain better. I am trying to accomplish dhcp snooping.

More details are... I need clients that are on multiple layer 2 domains (vlans, bridge-domains, etc) to be able to get ip addressing via dhcp servers on those networks, but not be able to become dhcp servers on those networks. This is what dhcp-snooping is for. Generally you have a vlan which has dhcp snooping enabled. Then you have a trusted dhcp server, or a list of trusted dhcp servers.  And you almost always have a port or list of ports that are trusted for dhcp snooping, all other ports on that vlan are considered "untrusted" and cannot home dhcp servers. 

This is not to be confused with dhcp relay which takes dhcp broadcasts and forwards them as unicast to a server which is not on the same layer 2 domain.  (dhcp relay is intended to overcome the issue of having an offsite (not on the same lan segment) dhcp server where the broadcasts from the intended network cannot reach)

More information is listed in the juniper documentation, and the part I am facing is the portion anchored at the top as "DHCP Server Access" > "Switching Device, DHCP Clients, and DHCP Server Are All on the Same VLAN". Here is the doc:

https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-dhcp-snooping.html

Cisco does this, Brocade does this, HP/Aruba does this, Fortinet, Adtran... I would be amazed if I cannot do this on a Juniper MX. I just cannot figure out where this is going wrong.

Now, I am not above doing this with dhcp relay if I must, but I am more concerned that my "rogue" test dhcp server is able to serve clients even when I have both interfaces set to "override untrusted" in the MX...

{master}[edit bridge-domains vlan-1002]
forwarding-options {
    dhcp-security {
        arp-inspection;
        ip-source-guard;
        group TEST {
            overrides {
                untrusted;
            }
            interface ge-4/0/0.0;
        }
        group untrust {
            overrides {
                untrusted;
            }
            interface xe-0/1/0.1002;
        }
        option-82 {
            circuit-id;
        }
    }
}

(please note, the "option-82 circuit-id" portion is simply to try to get dhcp snooping working as stated in the documentation)

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/dhcp-secu...

Description

Configure port security features on the switching device. DHCP snooping is enabled automatically if you configure any of the following port security features within this hierarchy:

    Dynamic ARP inspection (DAI)
    IP source guard
    DHCP option 82
    Static IP

The remaining statements are explained separately. See CLI Explorer.

But no matter what I enable, I see no results in show dhcp-security <anything at all>. Just blank. This is where I believe there must be a misconfiguration. If I had any bindings at all, or even any statistics, then I would be able to say "it doesn't work" or "I missed this part" or "This is working" or "Juniper MX cannot do this". But with blank information in the output, there must be something missing.

Here is my current state:

ge-4/0/0 is the interface facing my dhcp client. xe-0/1/0.1002 is the interface facing my dhcp server. Bridge-domains match vlan IDs. Untagged interface to the client, tagged interface to the server, but trusted has been "overridden" per documentation to untrusted. DHCP should NOT work at this point, if configured right. I set the lease time on the dhcp server to 60 seconds for testing.

re0> show configuration interfaces ge-4/0/0 
unit 0 {
    family bridge {
        interface-mode access;
        vlan-id 1002;
    }
}


re0> show configuration interfaces xe-0/1/0              
description "vlan 1002 to dhcp server";
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
.
.
.
unit 1002 {
    encapsulation vlan-bridge;
    vlan-id 1002;
}
.
.
.

re0> show configuration bridge-domains vlan-1002 
description test-dhcp-snooping;
vlan-id 1002;
interface xe-0/1/0.1002;
interface xe-1/1/0.1002;
routing-interface irb.1002;
forwarding-options {
    dhcp-security {
        arp-inspection;
        group TEST {
            overrides {
                untrusted;
            }
            interface xe-0/1/0.1002;
            interface ge-4/0/0.0;
        }
        option-82 {
            circuit-id;
        }
    }
}
re0> show dhcp-security arp inspection statistics 

{master}
re0> show dhcp-security arp inspection statistics 

{master}
re0> show dhcp-security binding 

{master}
re0> show dhcp-security statistics 

DHCP messages:
-------------
Total                                   0
Discover                                0
Offer                                   0
Request                                 0
Decline                                 0
Ack                                     0
Nack                                    0
Release                                 0
Inform                                  0
Force renew                             0
Renew                                   0
Rebind                                  0

Packets dropped:
---------------
Total                                   0
No configuration                        0
No VLAN                                 0
No interface                            0
Request on trusted port                 0

{master}


I hope this is enough information and better explains what I am trying to accomplish, and likewise, what I have had running and in place for years on other vendor equipment.
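As an added, constructed illustration (not Junos code and not anything posted in this thread), the following Python model applies the trust rules this post describes: server-originated messages (OFFER, ACK, NAK) are dropped when they arrive on an untrusted port, a binding is learned from each ACK relayed through the trusted port, and the binding table then feeds the ARP-inspection and IP-source-guard checks on untrusted ports. The port names xe-0/1/0.1002 and ge-4/0/0.0 are taken from the post; ge-4/0/1.0 (the rogue server's port), the MAC address and the 192.0.2.x addresses are made-up test values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Message types only a DHCP server originates. A snooping switch drops these
# on untrusted ports: that is the rogue-server check the post describes.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    vlan: int
    ingress_port: str
    kind: str                 # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    client_mac: str           # chaddr
    yiaddr: str = "0.0.0.0"   # address offered/assigned (OFFER, ACK)
    lease: int = 0            # lease time in seconds (ACK)


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    expires: int


@dataclass
class SnoopingVlan:
    """Per-VLAN snooping state: trusted ports, binding table, counters."""
    vlan: int
    trusted_ports: Set[str]
    bindings: Dict[str, Binding] = field(default_factory=dict)  # MAC -> Binding
    pending: Dict[str, str] = field(default_factory=dict)       # MAC -> client port
    stats: Dict[str, int] = field(default_factory=lambda: {
        "forwarded": 0, "server_msg_on_untrusted": 0, "bad_release": 0})

    def is_trusted(self, port: str) -> bool:
        return port in self.trusted_ports

    def process(self, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop', updating bindings and statistics."""
        if msg.vlan != self.vlan:
            return "drop"
        if msg.kind in SERVER_MESSAGES and not self.is_trusted(msg.ingress_port):
            self.stats["server_msg_on_untrusted"] += 1
            return "drop"
        if msg.kind in ("DISCOVER", "REQUEST"):
            # Remember the client's port; the ACK that later arrives on the
            # trusted port is bound to that port, not to the server's.
            self.pending[msg.client_mac] = msg.ingress_port
        elif msg.kind == "ACK":
            client_port = self.pending.pop(msg.client_mac, None)
            if client_port is not None:
                self.bindings[msg.client_mac] = Binding(
                    msg.yiaddr, msg.client_mac, self.vlan, client_port, msg.lease)
        elif msg.kind == "NAK":
            self.pending.pop(msg.client_mac, None)
        elif msg.kind == "RELEASE":
            b = self.bindings.get(msg.client_mac)
            # Only the port holding the binding may release it, so a host on
            # another port cannot tear down someone else's lease.
            if b is None or b.port != msg.ingress_port:
                self.stats["bad_release"] += 1
                return "drop"
            del self.bindings[msg.client_mac]
        self.stats["forwarded"] += 1
        return "forward"

    def arp_allowed(self, port: str, sender_ip: str, sender_mac: str) -> bool:
        """Dynamic ARP inspection: on an untrusted port the ARP sender IP/MAC
        pair must match a binding learned on that same port."""
        if self.is_trusted(port):
            return True
        b = self.bindings.get(sender_mac)
        return b is not None and b.ip == sender_ip and b.port == port

    def ip_source_allowed(self, port: str, src_ip: str, src_mac: str) -> bool:
        """IP source guard applies the same binding check to IP packets."""
        return self.arp_allowed(port, src_ip, src_mac)


def demo() -> Tuple[SnoopingVlan, List[str]]:
    """Constructed scenario: the real server behind the trusted trunk and a
    rogue server on a hypothetical untrusted access port ge-4/0/1.0 both
    answer one client. MAC and addresses are made-up test values."""
    vlan = SnoopingVlan(1002, trusted_ports={"xe-0/1/0.1002"})
    client, rogue, server = "ge-4/0/0.0", "ge-4/0/1.0", "xe-0/1/0.1002"
    mac = "00:00:5e:00:53:01"
    traffic = [
        DhcpMessage(1002, client, "DISCOVER", mac),
        DhcpMessage(1002, rogue, "OFFER", mac, "192.0.2.99"),      # rogue offer
        DhcpMessage(1002, server, "OFFER", mac, "192.0.2.10"),
        DhcpMessage(1002, client, "REQUEST", mac),
        DhcpMessage(1002, rogue, "ACK", mac, "192.0.2.99", 3600),  # rogue ack
        DhcpMessage(1002, server, "ACK", mac, "192.0.2.10", 3600),
        DhcpMessage(1002, rogue, "RELEASE", mac),                  # spoofed release
    ]
    return vlan, [vlan.process(m) for m in traffic]
```

Running demo() shows what the post expects from a working snooping setup: the rogue OFFER and ACK are dropped with the "server message on untrusted port" counter incremented, the binding table ends up holding only the address handed out through the trusted port, and a RELEASE sent from a different port than the one the lease was learned on is rejected. The counters correspond to the "Packets dropped" section of the statistics output shown above; a snooping instance that is actually processing traffic would never leave all of them at zero while leases are being handed out.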

Re: dhcp snooping in MX

03-15-2018 07:10 AM

I left out the software and hardware, I apologize.

re0> show version
Hostname: MX480re0
Model: mx480
Junos: 16.1R6-S2.3

I am running RE-S-1800x4, 2 of them
2 x DPCE 4x 10GE R
1 x DPCE 40x 1GE R

If this is "unsupported" on these cards, shouldn't that be documented somewhere? 

Re: dhcp snooping in MX

03-18-2018 06:51 AM

Yes, this should be, and I will look into this. In the meanwhile I am 99% sure this functionality is NOT supported on older DPCE modules, only newer MPC. I will check if there is any limitation on the various MPC models, as well.

Regards

Re: dhcp snooping in MX

03-18-2018 12:21 PM

If you do come up with information on this not being supported on some cards, I would appreciate that. I will continue digging in the meantime, but as far as I can tell, a bridge domain is completely useless on these cards if you literally cannot use ANY layer 2 security features...

Re: dhcp snooping in MX

03-18-2018 03:10 PM

BTW, did you open a case on this with TAC?  I would assume you have support on an MX.

Re: dhcp snooping in MX

03-19-2018 05:49 AM

I may do that. In the meantime, 15 other vendors do what the MX can't. So I have a workaround. Just annoyed at the Juniper documentation error.

Re: dhcp snooping in MX

03-19-2018 12:30 PM

elivaughan - I do understand your frustration, and can only say that Juniper is trying to improve their documentation every day. As for those 15 other vendors, I fully expect that the MX can do a lot more networking functions, outside of Port Level Security on DPCE modules, than those 15 vendors can; there are always trade-offs. Especially in the time frame that DPCE modules were the standard bearer, I believe MX was almost never used at the access layer of the network, and most likely is still not often used there, due primarily to price per port. In general it is Juniper devices like EX where Port Level Security is performed.

This is not an excuse for not documenting this behavior fully, which I am still looking into.  I suggested a case so that TAC or someone within Juniper Engg could confirm 100% that this functionality is NOT there with DPCE based cards.  I am making a best guess on this.

As well, this functionality was added in Junos 14.1R1, which came out July 2014. This is the 1st time I have heard of any complaint in regards to this feature, and it has been out more than 3.5 years. Again, not an excuse, but a fact.

Best Regards.

Re: dhcp snooping in MX

03-22-2018 06:07 AM

You could very well be correct. These are older line cards, so that could actually be the reason for the documentation lagging the feature. Which is fine, as long as that is the case. I'll buy new cards. But I would need to know which cards would support this. I can have a discussion with my sales guys, though.

I think my biggest issue is...  If the MX doesn't support this on these cards, then that means there was a time when there was literally no way to perform layer 2 security on the MX.  Bridge domains have been supported since version 9.x, maybe even before.

I'll try to figure out which cards do support this feature.

Re: dhcp snooping in MX

03-24-2018 09:18 PM

Try adding irb.1002 as a "TRUSTED" interface; this was an issue for me.

I'm using an MX104.

Your cards may also be an issue.

BTW, option 82 didn't work for me on dhcp-security, only on dhcp-relay.

Re: dhcp snooping in MX

03-25-2018 03:52 AM

On the MX, when doing dhcp relay via a bridge domain and irb interface, you need to have broadcast flood enabled so that all the bridged interfaces can communicate for the relay sessions.

Enable broadcast on the IRB interface to flood discovery frames from all physical interfaces in the bridge domain. For example,

user@host# edit forwarding-options helpers bootp interface irb.o
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home