[j-nsp] Juniper QFX-5100 DHCP Snooping & Trunk Ports

Brant Ian Stevens branto at argentiumsolutions.com
Fri Sep 1 10:15:34 EDT 2017

By default, the QFX-5100 automatically trusts trunk ports for DHCP 
server responses, and while useful for some scenarios, I need to have it 
disabled, but it seems to be an unsupported platform (running 17.3).

Being able to set interfaces as trusted/untrusted seems so fundamental, 
IMO. Seems like a serious oversight!

Aside from creating a firewall-filter for blocking DHCP inbound from the 
edge ports, what other options are there?

vl1000-foo {
    vlan-id 1000;
    l3-interface irb.1000;
    forwarding-options {
        dhcp-security {
            group vl1000-foo-ports {
                overrides {
                    ## Warning: statement ignored: unsupported platform
                }
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
                interface ge-0/0/24.1000;
                interface xe-0/0/36.1000;
                interface ge-0/0/46.0;
            }
        }
    }
    switch-options {
        inactive: interface-mac-limit {
            packet-action drop-and-log;
        }
    }
}
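The firewall-filter workaround mentioned in the post, written out as an added example (this is not the poster's configuration and has not been tested on the poster's box). It assumes Junos ELS syntax on a QFX5100; the filter name block-dhcp-server-replies, the counter name and the term names are made up here, and ge-0/0/0 is taken from the post only to show where the filter attaches. The idea is to drop any DHCP server reply (UDP source port 67, bootps) that enters an access port, so that server responses can only arrive on the trunks the platform already trusts:

```junos
/* Added example, not from the original post: block DHCP server replies
   arriving INBOUND on access ports. Assumes Junos ELS on QFX5100; the
   names below are placeholders chosen for this example. */
firewall {
    family ethernet-switching {
        filter block-dhcp-server-replies {
            term dhcp-server-to-client {
                from {
                    ip-protocol udp;
                    /* bootps: only a DHCP server (or relay) sends from UDP 67 */
                    source-port 67;
                }
                then {
                    /* count first so hits can be reviewed before relying on the drop */
                    count rogue-dhcp-server;
                    discard;
                }
            }
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    /* apply as an ingress filter on each untrusted edge port;
                       trunks (ge-0/0/24, xe-0/0/36 in the post) are left alone */
                    input block-dhcp-server-replies;
                }
            }
        }
    }
}
```

Apply the same input filter to every edge port (an interface-range keeps that manageable) and watch the counter with show firewall filter block-dhcp-server-replies; a non-zero count on an access port is a rogue or misplaced DHCP server worth chasing. Two caveats: a legitimate DHCP relay sitting behind an access port also sources UDP 67 and would be dropped by this term, so such ports need an exception, and this is a plain L4 port match rather than real DHCP snooping, so it does not build a binding table or validate option 82.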
