Understanding DHCP Option 82 for Port Security on EX Series Switches; DHCP Option 82 Processing - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual


Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4

Understanding Trusted DHCP Servers for Port Security on EX Series Switches

Any interface on the switch that connects to a DHCP server can be configured as a trusted port. Configuring a DHCP server on a trusted port protects against rogue DHCP servers sending leases.

Ensure that the DHCP server interface is physically secure—that is, that access to the server is monitored and controlled at the site—before you configure the port as trusted.

Related Documentation

Understanding DHCP Snooping for Port Security on EX Series Switches on page 3053
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 3073
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 3083
Enabling a Trusted DHCP Server (CLI Procedure) on page 3136
Enabling a Trusted DHCP Server (J-Web Procedure) on page 3136

Understanding DHCP Option 82 for Port Security on EX Series Switches

You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Hosts on untrusted access interfaces on Ethernet LAN switches send requests for IP addresses in order to access the Internet. The switch forwards or relays these requests to DHCP servers, and the servers send offers for IP address leases in response. Attackers can use these messages to perpetrate address spoofing and starvation.

Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. The Juniper Networks Junos operating system (Junos OS) implementation of DHCP option 82 supports RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

This topic covers:

DHCP Option 82 Processing on page 3064
Suboption Components of Option 82 on page 3065
Configurations of the EX Series Switch That Support Option 82 on page 3066

DHCP Option 82 Processing

If DHCP option 82 is enabled on the switch, then when a network device—a DHCP client—that is connected to the switch on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into the packet header of that request. The switch then sends the request to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to implement the IP
Copyright © 2010, Juniper Networks, Inc.
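
The insertion step described under DHCP Option 82 Processing, shown on a raw DHCP options field as an added example; it is not code from the Juniper manual and does not reproduce Junos OS internals. The sub-option codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) come from RFC 3046; the function names, the sample request, and the circuit and remote ID values are constructed for illustration, and rejecting a request that already carries option 82 is a choice made in this example.

```python
# Added example: RFC 3046 option 82 insertion and parsing (not Junos OS code).
PAD, END, RELAY_AGENT_INFO = 0, 255, 82
CIRCUIT_ID, REMOTE_ID = 1, 2  # sub-option codes defined in RFC 3046

def walk_tlvs(buf, dhcp_level=True):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_level and code == PAD:   # PAD is a single byte, no length
            i += 1
            continue
        if dhcp_level and code == END:   # END terminates the options field
            return
        if i + 1 >= len(buf):
            raise ValueError("truncated TLV header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of buffer")
        yield code, bytes(value)
        i += 2 + length

def get_option82(options):
    """Return {sub-option code: value} for option 82, or None if absent."""
    for code, value in walk_tlvs(options):
        if code == RELAY_AGENT_INFO:
            return dict(walk_tlvs(value, dhcp_level=False))
    return None

def insert_option82(options, circuit_id, remote_id):
    """Relay-side step: append option 82 just before the END marker."""
    # Assumption of this example: a request from an untrusted port that
    # already carries option 82 is rejected instead of being overwritten.
    if get_option82(options) is not None:
        raise ValueError("request already carries option 82")
    sub = b"".join(bytes([c, len(v)]) + v
                   for c, v in ((CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)))
    if len(sub) > 255:
        raise ValueError("option 82 payload exceeds 255 bytes")
    body = b"".join(bytes([c, len(v)]) + v for c, v in walk_tlvs(options))
    return body + bytes([RELAY_AGENT_INFO, len(sub)]) + sub + bytes([END])

# Constructed sample: message type (53) = REQUEST, parameter request list (55).
SAMPLE_REQUEST = bytes([53, 1, 3, 55, 2, 1, 3, END])

if __name__ == "__main__":
    relayed = insert_option82(SAMPLE_REQUEST, b"port5:vlan10",
                              bytes.fromhex("001122334455"))
    print(relayed.hex(), get_option82(relayed))
```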
