[j-nsp] Juniper QFX-5100 DHCP Snooping & Trunk Ports
Brant Ian Stevens
branto at argentiumsolutions.com
Fri Sep 1 10:15:34 EDT 2017
By default, the QFX-5100 automatically trusts trunk ports for DHCP server responses, and while useful for some scenarios, I need to have it disabled, but it seems to be an unsupported platform (running 17.3). Being able to set interfaces as trusted/untrusted seems so fundamental, IMO. Seems like a serious oversight!

Aside from creating a firewall-filter for blocking DHCP inbound from the edge ports, what other options are there?
vl1000-foo {
    vlan-id 1000;
    l3-interface irb.1000;
    forwarding-options {
        dhcp-security {
            arp-inspection;
            ip-source-guard;
            neighbor-discovery-inspection;
            ipv6-source-guard;
            group vl1000-foo-ports {
                overrides {
                    ##
                    ## Warning: statement ignored: unsupported platform (qfx5100-48s-6q)
                    ##
                    untrusted;
                }
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
                interface ge-0/0/24.1000;
                interface xe-0/0/36.1000;
                interface ge-0/0/46.0;
            }
        }
    }
    switch-options {
        inactive: interface-mac-limit {
            5;
            packet-action drop-and-log;
        }
    }
}
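Added example, not part of the original post: the firewall-filter workaround mentioned above, written as a Junos ELS family ethernet-switching filter for the QFX5100. It discards DHCP server replies (UDP source port 67, i.e. OFFER/ACK frames that only a DHCP server should send) arriving inbound on the access ports, and leaves the trunk uplinks (ge-0/0/24 and xe-0/0/36 in the config above) untouched so the real server's replies still get through. The filter, range and counter names are assumptions, and it is assumed that ge-0/0/0, ge-0/0/1 and ge-0/0/46 are the access-facing edge ports.

```junos
/* Added example (assumed names). Drop DHCP server replies ingressing edge ports. */
firewall {
    family ethernet-switching {
        filter block-dhcp-server-replies {
            /* A client never sources UDP/67; only a DHCP server does. */
            term drop-rogue-dhcp-server {
                from {
                    ip-protocol udp;
                    source-port 67;
                }
                then {
                    discard;
                    /* Counter lets you spot a rogue server with "show firewall". */
                    count rogue-dhcp-server-replies;
                }
            }
            /* Everything else (including client DISCOVER/REQUEST to UDP/67) is allowed. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed access ports; the trunk uplinks are deliberately not members. */
    interface-range edge-ports {
        member ge-0/0/0;
        member ge-0/0/1;
        member ge-0/0/46;
        unit 0 {
            family ethernet-switching {
                filter {
                    input block-dhcp-server-replies;
                }
            }
        }
    }
}
```

After committing, `show firewall filter block-dhcp-server-replies` shows the rogue-dhcp-server-replies counter; a non-zero value on an edge port is the signal that something on that port is answering DHCP. Note this only covers DHCPv4: DHCPv6 servers reply from UDP source port 547, so an IPv6 deployment (the config above enables ipv6-source-guard) needs an equivalent term for that port as well.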