Workaround to enable DHCP Snooping in Juniper ELS CLI

DHCP Snooping allows a network device to monitor the DHCP messages received from untrusted devices connected to the network device. The DHCP Snooping is enabled per VLAN and the router or the switch where DHCP snooping is enabled checks the DHCP messages received from untrusted devices from that VLAN and builds the DHCP snooping database that has information about the untrusted host IP address, MAC address, lease time, interface where is connected. The hosts that require access to the network has to pass the verification against the DHCP Snooping database.




Currently there is no direct CLI knob in Enhanced Layer 2 Software (ELS) to enable DHCP Snooping.

In non-ELS configuration style, DHCP Snooping for both IPv4 and IPv6 is enabled like this:


root@SWITCH-TEST# show ethernet-switching-options
secure-access-port {
    vlan VLAN100 {



That was for a specific VLAN, but you can enable DHCP Snooping for all VLANs at once using “all” instead the VLAN name.

Keep in mind that the command to enable DHCPv6 Snooping is available starting with 14.1X53-D10 on EX switches.

There is a workaround in ELS that is not easily seen and that is to use “overrides” knob.

This has to be done per VLAN:


root@EX4300-VC# show vlans | no-more
VLAN100 {
    vlan-id 100;
    l3-interface irb.100;
    forwarding-options {
        dhcp-security {
            group DHCP {
                overrides {



Until there will be a specific knob to configure DHCP Snooping on ELS, you can use this workaround.

I hope you found this post useful.


The following two tabs change content below.

Paris ARAU

Paris ARAU is a networking professional with strong background on routing and switching technologies. He is a holder of CCIE R&S and dual JNCIE(SP and ENT). The day to day work allows him to dive deeply in networking technologies. Part of the continuously training, he is focusing on Software Defined Network and cloud computing.


So empty here ... leave a comment!

Leave a Reply

Your email address will not be published. Required fields are marked *


%d bloggers like this: