Configure DHCP Snooping for Switches with Mist Wired Assurance

DHCP Snooping: DHCP snooping enables a switching device to examine all the DHCP traffic initiated from the untrusted ports on the network. When DHCP snooping is enabled on a VLAN, the system examines DHCP messages sent from untrusted hosts associated with the VLAN and extracts their IP addresses and lease information. This information is used to build and maintain the DHCP snooping database. Only hosts that can be verified using this database are allowed access to the network.

[Note: By default, access ports are treated as untrusted ports and trunk ports are treated as trusted ports.]
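The behavior described above can be sketched as a simplified model. This is an added example, not Juniper or Mist code: server replies arriving on untrusted ports are dropped, bindings are learned from ACKs seen on trusted ports, and hosts are checked against the resulting database. The class and function names, port names, MAC and IP addresses are constructed for illustration, and the host check is an assumed stand-in for the enforcement that uses the database.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server should send these
@dataclass
class Port:
    name: str
    mode: str                # "access" or "trunk"
    trust: str = "default"   # "trusted", "untrusted" or "default"

    @property
    def trusted(self):       # "default" follows the note above: only trunks are trusted
        return self.trust == "trusted" or (self.trust == "default" and self.mode == "trunk")

class SnoopingVlan:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.pending = {}    # client MAC -> untrusted port the request came from
        self.bindings = {}   # client MAC -> (ip, lease_seconds, port)

    def dhcp(self, port, msg, mac, ip=None, lease=0):
        """Return 'forward' or 'drop' for a DHCP message arriving on port."""
        trusted = self.ports[port].trusted
        if msg in SERVER_MSGS:
            if not trusted:
                return "drop"            # server reply from an untrusted port
            if msg == "ACK" and mac in self.pending:
                self.bindings[mac] = (ip, lease, self.pending.pop(mac))
            return "forward"
        if msg in ("DISCOVER", "REQUEST") and not trusted:
            self.pending[mac] = port
        elif msg == "RELEASE" and not trusted:
            if mac not in self.bindings or self.bindings[mac][2] != port:
                return "drop"            # release does not match the binding
            del self.bindings[mac]
        return "forward"

    def host_verified(self, port, mac, ip):  # trusted ports are not checked
        b = self.bindings.get(mac)
        return self.ports[port].trusted or (b is not None and (b[0], b[2]) == (ip, port))

def demo():
    # Constructed sample: port names, MAC and addresses are made up.
    v = SnoopingVlan([Port("ge-0/0/1", "access"), Port("ge-0/0/2", "access"),
                      Port("ge-0/0/47", "trunk")])
    mac = "aa:bb:cc:00:00:01"
    v.dhcp("ge-0/0/1", "REQUEST", mac)
    rogue = v.dhcp("ge-0/0/2", "ACK", mac, "192.0.2.66", 600)   # rogue server
    v.dhcp("ge-0/0/47", "ACK", mac, "10.24.0.10", 3600)         # real server via trunk
    return rogue, v.bindings[mac], v.host_verified("ge-0/0/2", mac, "10.24.0.10")
```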

There are three places in the UI where you can configure DHCP Snooping, ARP Inspection, and IP Source Guard:

a.) Switch Device Details page

b.) Network → Switch Configuration page

c.) Organization → Switch Templates.

The order of priority is: Switch Device Details page > Network → Switch Configuration page > Organization → Switch Templates.

Below is an example of enabling the above configuration for a single network. There are two options: you can enable it for all networks or for single networks, as per your requirement.

In the example below we are enabling DHCP snooping for a single network → Vlan24 (vlan-id-24).

The VLAN must be present on the switch for the configuration to take effect, which is why we need to add the port to the Port_profile.

For the access port_profile we have the option to make it Trusted or Untrusted. If it is not set, it will be Default. The Port_network can be a simple network or a VoIP network.

Trunk ports are always trusted by default.

In the example below we set the access port as trusted.

The Port_profile assigned to the port would be as below:

We have the option to override the site/template settings for DHCP snooping from the Site settings and Device settings:

Site settings:

Device settings:

We also have the option to override the Trusted/Untrusted/Default setting for the port_profile from the Site settings and Device settings:

Site settings:

Device settings:

Command to configure DHCP Snooping:

set vlans default forwarding-options dhcp-security

Command to check the DHCP Snooping table:

show dhcp-security binding

Refer to the document below for more information:

https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/concept/port-security-dhcp-snooping-els.html