Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Port Security to Protect Access Ports on the Device Against Loss of Information and Productivity (CLI Procedure)


Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. The Dynamic Host Configuration Protocol (DHCP) port security features help protect the access ports on the device against the loss of information and productivity that can result from such attacks.

The following port security features are supported for DHCPv4 and MX Series routers:

  • DHCP snooping

  • DAI (dynamic ARP inspection)

  • IP source guard

  • DHCP option 82

DHCP snooping is disabled in the default configuration. There is no explicit configuration for enabling DHCP snooping. However, if you configure any other port security features for a bridge domain at the [edit vlans vlan-name forwarding-options dhcp-security]or the [edit bridge-domain bridge-domain-name forwarding-options dhcp-security] hierarchy level, then DHCP snooping is automatically enabled on that bridge domain.

DAI, neighbor discovery inspection, IP source guard, and DHCP option 82 are configured per bridge domain. You must configure a bridge domain prior to configuring these DHCP port security features. See Configuring a Bridge Domain.

The DHCP port security features that you specify for the bridge domain apply to all included interfaces. However, you can create a specific group of access interfaces within the bridge domain to have different attributes, such as:

  • Specifying a specific interface to have a static IP-MAC address (static-ip)

  • Specifying an access interface to act as a trusted interface to a DHCP server (trusted)

  • Specifying a specific interface not to transmit DHCP (no-option82)

  • If you configure any of these DHCP port security features—including configuring a group of access interfaces—for a specific bridge domain, the software automatically enables DHCP snooping for that bridge domain.

  • If you explicitly disable DHCP snooping by setting no-dhcp-snooping for a specific bridge domain, the software automatically disables any other DHCP port security features for that bridge domain.


Trunk interfaces are trusted by default. However, you can override this default behavior and set a trunk interface as untrusted.