Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure a trunk interface as untrusted for DHCP security. Trunk interfaces are trusted by default and all packets are allowed. You can override this default behavior and set a trunk interface as untrusted in order to support DHCP security features on the interface. DHCP snooping, DHCPv6 snooping, dynamic ARP inspection (DAI), and IPv6 neighbor discovery inspection are supported on trunk ports in untrusted mode.


On EX Series switches other than the EX9200, IP source guard and IPv6 source guard are not supported on untrusted trunk ports.

Configuring a trunk port as untrusted is useful in deployments where multiple DHCP clients are aggregated onto one interface on the access device. In this scenario, the interface is configured as a trunk interface with one or more VLANs. A DHCP client attached to a trunk interface might start acting as a DHCP server. Trusted ports allow DHCP servers to provide IP addresses and other information to requesting devices, which makes the network vulnerable to a rogue DHCP server attack.

An unauthorized DHCP server might also assign itself as the default gateway device for the network. An attacker can then sniff the network traffic and perpetrate a man-in-the-middle attack—that is, it misdirects traffic intended for a legitimate network device to a device of its choice. To mitigate this problem, you can configure the interface to which the unauthorized server is connected as untrusted, which blocks all ingress DHCP server messages from that interface.

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 13.2.