STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide

V-253959

CAT II (Medium)

The Juniper EX switch must be configured to enable DHCP snooping for all user VLANs with active access interfaces to validate DHCP messages from untrusted sources.

Rule ID

SV-253959r1212011_rule

STIG

Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-002385

Discussion

In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host (i.e., access) interfaces and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted interface is called a spurious DHCP server, any device (PC, Wireless Access Point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the interface a DHCP server is connected to and not trust the other interfaces. The DHCP snooping feature validates DHCP messages received from untrusted sources, filters out invalid messages, and rate-limits DHCP traffic from trusted and untrusted sources. The DHCP snooping feature builds and maintains a binding database, which contains information about untrusted hosts with leased IP addresses, and it uses the database to validate subsequent requests from untrusted hosts. Other security features, such as IP Source Guard and Dynamic Address Resolution Protocol (ARP) Inspection (DAI), also use information stored in the DHCP snooping binding database. Hence, it is imperative that the DHCP snooping feature is enabled on all user-facing or untrusted VLANs with active access interfaces.

Check Content

Review the switch configuration and verify that DHCP snooping is enabled on all user-facing or untrusted VLANs with active access interfaces. 

DHCP snooping is enabled if dhcp-security is configured for any VLAN, and is automatically enabled whenever any other VLAN port security feature is configured (e.g., IP Source Guard or Dynamic ARP Inspection). 

Devices such as printers, servers, and VoIP phones are under administrative control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in nonuser-facing VLANs. Trunked interfaces are trusted sources.

Verify DHCP snooping on user-facing or untrusted VLANs is configured with active access interfaces.

[edit vlans]
<untrusted VLAN name> {
    vlan-id <VLAN ID>;
    forwarding-options {
        dhcp-security;
    }
}

This check is not applicable to switches configured with user-facing or untrusted VLANs merely for inclusion in trunks (e.g., core or distribution switch without access interfaces assigned to user-facing or untrusted VLANs).

If the switch does not have DHCP snooping enabled for all user-facing or untrusted VLANs with active access interfaces to validate DHCP messages from untrusted sources, this is a finding.

Fix Text

Configure the switch with DHCP snooping for all user-facing or untrusted VLANs with active access interfaces to validate DHCP messages from untrusted sources.

1. Enter configuration mode.
2. Configure user-facing or untrusted VLANs with active access interfaces with DHCP snooping.
3. Commit the configuration.

user@host> configure
Entering configuration mode

user@host# set vlans <untrusted VLAN name> vlan-id <untrusted VLAN ID>

user@host# set vlans <untrusted VLAN name> forwarding-options dhcp-security

user@host# commit
commit complete