Re: ip-source-guard/dhcp security blocking lease renewals

DHCP snooping builds and maintains a database of valid IP addresses assigned to downstream network devices by a trusted DHCP server. DHCP snooping reads the lease information, which is sent from the DHCP server to the individual DHCP clients.
From this information it creates the DHCP snooping database. This database is a mapping between IP address, MAC address, interface and the associated VLAN. When a DHCP client releases an IP address (by sending a DHCPRELEASE message), the associated mapping entry is deleted from the database.
The DAI feature in EX series switches examines ARP requests and responses on the LAN and validates ARP packets. The switch intercepts ARP packets from an access port and validates them against the DHCP snooping database.
Unless there is a change with newer versions, Junos OS allows you to enable DAI and IP-SG without enabling DHCP snooping. You can see the potential problem in your scenario: since DAI relies on the DHCP snooping database, if DHCP snooping is not enabled, then the database is not created. By default, Dynamic ARP Inspection is disabled for all VLANs on EX Series switches.
When DAI is enabled, trunk ports are trusted, so ARP packets bypass DAI on those ports; access ports are untrusted, so ARP packets on those ports are subjected to DAI.
IP source guard, like DAI, obtains information about IP address to MAC address bindings (IP-MAC binding) from the DHCP snooping table.
So you should always enable DHCP snooping if you plan to use any of these security features. Otherwise it will result in all kinds of issues, as you have experienced. BTW, are you using 802.1x?
"Also, on Juniper switches does just turning on dhcp-security on a VLAN stop rogue DHCP servers?"
Technically speaking, it drops DHCP server messages on the untrusted ports. So if the rogue DHCP server is connected to an access port, it will still receive DHCP client messages but have its own DHCP messages dropped, so the clients will not get an IP from the rogue server.
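An added illustration (not part of the reply above, and not Junos code) that models the behaviour the reply describes: server messages dropped on untrusted ports, the snooping database learned from DHCPACK and cleared on DHCPRELEASE, trusted trunk ports bypassing DAI/IP-SG, and the empty database that results when snooping is disabled. Port names, MACs and addresses are constructed sample values; the model keys bindings on VLAN and MAC only, where a real switch also records the interface.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    port: str   # ingress interface (constructed names, e.g. "ge-0/0/1")
    kind: str   # DHCPOFFER / DHCPACK / DHCPRELEASE / DHCPREQUEST / ARP / IP
    mac: str    # client MAC the packet concerns (sender MAC for ARP/IP)
    ip: str     # client IP the packet concerns (sender IP for ARP/IP)
    vlan: int = 10

@dataclass
class Switch:
    trusted: set                     # trunk/uplink ports; DAI and IP-SG bypassed
    snooping: bool = True            # dhcp-security (snooping database) enabled?
    dai: bool = True
    ipsg: bool = True
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> leased ip

    def process(self, p: Pkt) -> str:
        """Return 'forward' or 'drop', updating the snooping database as a switch would."""
        trusted = p.port in self.trusted
        if p.kind in ("DHCPOFFER", "DHCPACK"):      # DHCP *server* messages
            if not trusted:
                return "drop"                        # rogue server on an access port
            if self.snooping and p.kind == "DHCPACK":
                self.bindings[(p.vlan, p.mac)] = p.ip   # learn the client's lease
            return "forward"
        if p.kind == "DHCPRELEASE":
            self.bindings.pop((p.vlan, p.mac), None)    # entry removed on release
            return "forward"
        if p.kind.startswith("DHCP") or trusted:
            return "forward"                         # client DHCP traffic; trusted ports bypass
        bound = self.bindings.get((p.vlan, p.mac)) == p.ip
        if p.kind == "ARP" and self.dai and not bound:
            return "drop"                            # DAI: sender IP/MAC not in database
        if p.kind == "IP" and self.ipsg and not bound:
            return "drop"                            # IP-SG: source IP/MAC not in database
        return "forward"

def demo(snooping: bool) -> list:
    """Same packet sequence with snooping on/off; shows why DAI needs the database."""
    sw = Switch(trusted={"ge-0/0/47"}, snooping=snooping)
    return [
        sw.process(Pkt("ge-0/0/47", "DHCPACK", "aa:aa:aa:aa:aa:01", "10.0.0.5")),   # real server
        sw.process(Pkt("ge-0/0/2", "DHCPOFFER", "bb:bb:bb:bb:bb:02", "10.0.0.9")),  # rogue server
        sw.process(Pkt("ge-0/0/1", "ARP", "aa:aa:aa:aa:aa:01", "10.0.0.5")),        # legitimate ARP
        sw.process(Pkt("ge-0/0/1", "ARP", "aa:aa:aa:aa:aa:01", "10.0.0.1")),        # spoofed ARP
    ]
```

With snooping enabled the legitimate client's ARP is forwarded and only the spoofed one dropped; with snooping disabled the database stays empty and DAI drops the legitimate ARP too.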