I will do my best to explain better. I am trying to accomplish DHCP snooping.
More details: I need clients that are on multiple layer 2 domains (VLANs, bridge domains, etc.) to be able to get IP addressing via the DHCP servers on those networks, but not be able to become DHCP servers on those networks. This is what DHCP snooping is for. Generally you have a VLAN which has DHCP snooping enabled. Then you have a trusted DHCP server, or a list of trusted DHCP servers. And you almost always have a port or list of ports that are trusted for DHCP snooping; all other ports on that VLAN are considered "untrusted" and cannot home DHCP servers.
This is not to be confused with DHCP relay, which takes DHCP broadcasts and forwards them as unicast to a server which is not on the same layer 2 domain. (DHCP relay is intended to overcome the issue of having an offsite DHCP server (not on the same LAN segment) that the broadcasts from the intended network cannot reach.)
More information is listed in the Juniper documentation, and the part I am facing is the portion anchored at the top as "DHCP Server Access" > "Switching Device, DHCP Clients, and DHCP Server Are All on the Same VLAN". Here is the doc:
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-dhcp-snooping.html
Cisco does this, Brocade does this, HP/Aruba does this, Fortinet, Adtran... I would be amazed if I cannot do this on a Juniper MX. I just cannot figure out where this is going wrong.
Now, I am not above doing this with DHCP relay if I must, but I am more concerned that my "rogue" test DHCP server is able to serve clients even when I have both interfaces set to "override untrusted" in the MX...
    {master}[edit bridge-domains vlan-1002]
    forwarding-options {
        dhcp-security {
            arp-inspection;
            ip-source-guard;
            group TEST {
                overrides {
                    untrusted;
                }
                interface ge-4/0/0.0;
            }
            group untrust {
                overrides {
                    untrusted;
                }
                interface xe-0/1/0.1002;
            }
            option-82 {
                circuit-id;
            }
        }
    }

(Please note, the "option-82 circuit-id" portion is simply to try to get DHCP snooping working as stated in the documentation:)
    Description
    Configure port security features on the switching device. DHCP snooping is enabled
    automatically if you configure any of the following port security features within
    this hierarchy:
        Dynamic ARP inspection (DAI)
        IP source guard
        DHCP option 82
        Static IP
    The remaining statements are explained separately. See CLI Explorer.

But no matter what I enable, I see no results in "show dhcp-security <anything at all>". Just blank. This is where I believe there must be a misconfiguration. If I had any bindings at all, or even any statistics, then I would be able to say "it doesn't work" or "I missed this part" or "this is working" or "Juniper MX cannot do this". But with blank information in the output, there must be something missing.
Here is my current state:
ge-4/0/0 is the interface facing my DHCP client. xe-0/1/0.1002 is the interface facing my DHCP server. Bridge domains match VLAN IDs. Untagged interface to the client, tagged interface to the server, but trusted has been "overridden" per documentation to untrusted. DHCP should NOT work at this point, if configured right. I set the lease time on the DHCP server to 60 seconds for testing.

    re0> show configuration interfaces ge-4/0/0
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 1002;
        }
    }

    re0> show configuration interfaces xe-0/1/0
    description "vlan 1002 to dhcp server";
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    . . .
    unit 1002 {
        encapsulation vlan-bridge;
        vlan-id 1002;
    }
    . . .

    re0> show configuration bridge-domains vlan-1002
    description test-dhcp-snooping;
    vlan-id 1002;
    interface xe-0/1/0.1002;
    interface xe-1/1/0.1002;
    routing-interface irb.1002;
    forwarding-options {
        dhcp-security {
            arp-inspection;
            group TEST {
                overrides {
                    untrusted;
                }
                interface xe-0/1/0.1002;
                interface ge-4/0/0.0;
            }
            option-82 {
                circuit-id;
            }
        }
    }

    re0> show dhcp-security arp inspection statistics
    {master}
    re0> show dhcp-security arp inspection statistics
    {master}
    re0> show dhcp-security binding
    {master}
    re0> show dhcp-security statistics
    DHCP messages:
    -------------
    Total          0
    Discover       0
    Offer          0
    Request        0
    Decline        0
    Ack            0
    Nack           0
    Release        0
    Inform         0
    Force renew    0
    Renew          0
    Rebind         0

    Packets dropped:
    ---------------
    Total                      0
    No configuration           0
    No VLAN                    0
    No interface               0
    Request on trusted port    0
    {master}
I hope this is enough information and better explains what I am trying to accomplish, and likewise, what I have had running and in place for years on other vendor equipment.
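The trust model the post describes (server-originated DHCP messages are dropped on untrusted ports, a binding table is learned from ACKs relayed to clients, and Option 82 circuit-id is added to client requests) can be shown end to end in a small simulation. This is an added example written for this page, not code from the post, from Junos or from any vendor's snooping implementation; port names, the VLAN number and the MAC and IP addresses are taken from the post or constructed for the demo, and the class and function names are hypothetical. It models the two cases the post cares about: a rogue server on the client port, and the post's own configuration where both interfaces are untrusted, in which case the legitimate OFFER is dropped too and the lease never completes.

```python
"""Toy DHCP snooping model (added example, not Junos or vendor code).

A VLAN carries a set of trusted ports. OFFER/ACK/NAK arriving on an untrusted
port are dropped, bindings are learned from ACKs answering a client request,
and client messages from untrusted ports get Option 82 sub-option 1
(circuit-id) appended.
"""
import struct
from collections import Counter
from dataclasses import dataclass, field

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}        # only a DHCP server legitimately sends these
HDR = "!BBBBIHH4s4s4s4s16s64s128s"      # fixed 236-byte BOOTP header


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", xid=0x1234):
    """Constructed minimal DHCP packet: BOOTP header, cookie, option 53, end."""
    op = 2 if msg_type in SERVER_MSGS else 1          # BOOTREPLY vs BOOTREQUEST
    yi = bytes(int(o) for o in yiaddr.split("."))
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, b"\0" * 4, yi, b"\0" * 4,
                      b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Decode the header fields we need plus the TLV options (pad/end aware)."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                # pad option, no length
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": ".".join(map(str, f[8])),
            "chaddr": f[11][:f[2]], "options": opts}


def add_option82(pkt, circuit_id):
    """Append Option 82 with sub-option 1 (circuit-id) before the End option."""
    assert pkt[-1] == 255
    sub = bytes([1, len(circuit_id)]) + circuit_id
    return pkt[:-1] + bytes([82, len(sub)]) + sub + b"\xff"


@dataclass
class Vlan:
    trusted: set
    pending: dict = field(default_factory=dict)     # xid -> client port
    bindings: dict = field(default_factory=dict)    # chaddr -> (ip, client port)
    stats: Counter = field(default_factory=Counter)


class SnoopingSwitch:
    def __init__(self):
        self.vlans = {}

    def enable(self, vlan_id, trusted_ports=()):
        """Enable snooping on a VLAN; every port not listed is untrusted."""
        self.vlans[vlan_id] = Vlan(set(trusted_ports))

    def process(self, vlan_id, in_port, pkt):
        """Return ("forward", pkt) or ("drop", None) for one DHCP frame."""
        vlan = self.vlans.get(vlan_id)
        if vlan is None:                               # snooping off: no inspection
            return "forward", pkt
        msg = parse_dhcp(pkt)
        mtype = msg["options"][53][0]
        trusted = in_port in vlan.trusted
        vlan.stats["total"] += 1
        if mtype in SERVER_MSGS:
            if not trusted:                            # server message on untrusted port
                vlan.stats["server_msg_untrusted_dropped"] += 1
                return "drop", None
            if mtype == ACK and msg["xid"] in vlan.pending:
                vlan.bindings[msg["chaddr"]] = (msg["yiaddr"], vlan.pending.pop(msg["xid"]))
            return "forward", pkt
        vlan.pending[msg["xid"]] = in_port             # remember who asked
        if not trusted:
            pkt = add_option82(pkt, in_port.encode())  # tag with ingress circuit-id
        return "forward", pkt


def demo():
    """Client on ge-4/0/0.0 (untrusted), real server on xe-0/1/0.1002 (trusted)."""
    sw = SnoopingSwitch()
    sw.enable(1002, trusted_ports={"xe-0/1/0.1002"})
    mac = bytes.fromhex("001122334455")                # constructed client MAC
    v = sw.vlans[1002]
    _, disc = sw.process(1002, "ge-4/0/0.0", build_dhcp(DISCOVER, mac, xid=1))
    sw.process(1002, "xe-0/1/0.1002", build_dhcp(OFFER, mac, "10.0.2.50", xid=1))
    sw.process(1002, "ge-4/0/0.0", build_dhcp(REQUEST, mac, xid=1))
    sw.process(1002, "xe-0/1/0.1002", build_dhcp(ACK, mac, "10.0.2.50", xid=1))
    rogue, _ = sw.process(1002, "ge-4/0/0.0", build_dhcp(OFFER, mac, "192.168.99.9", xid=1))
    return {"option82_added": 82 in parse_dhcp(disc)["options"],
            "binding": v.bindings[mac], "rogue_verdict": rogue, "stats": dict(v.stats)}


def demo_all_untrusted():
    """The post's configuration: server port also untrusted, so its OFFER is dropped."""
    sw = SnoopingSwitch()
    sw.enable(1002, trusted_ports=())
    verdict, _ = sw.process(1002, "xe-0/1/0.1002", build_dhcp(OFFER, b"\x00" * 6, "10.0.2.50"))
    return verdict


if __name__ == "__main__":
    print(demo())
    print("all-untrusted OFFER:", demo_all_untrusted())
```

The useful reading of `demo_all_untrusted()` against the post is that with every port untrusted, a working snooping implementation should count at least one dropped packet; a completely empty statistics output, as the post shows, means the frames are not reaching the inspection path at all rather than passing it.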