Example for Configuring MLAG with DHCP Snooping


Networking Requirements

Figure 1 User Configuration Topology of MLAG with DHCP Snooping

As shown in Figure 1, Switch1 and Switch2 are Layer 2 switches that form a pair of MLAG peer devices. The DHCP client is connected to Switch3 and the DHCP server to Switch4; both Switch3 and Switch4 are dual-homed to the MLAG pair. To protect DHCP clients in this topology, the network administrator configures DHCP snooping on Switch1, Switch2, Switch3 and Switch4. With snooping enabled, DHCP server messages are accepted only on ports explicitly marked as trusted, so a rogue DHCP server attached to a client-facing port cannot answer clients, and each switch builds a binding table of the leases that legitimately pass through it.

When configuring the network, pay attention to the following points:

  • Switch3 is dual-homed to the MLAG peer devices Switch1 and Switch2 with link ID 1. Switch4 is dual-homed to Switch1 and Switch2 with link ID 2.
  • The DHCP snooping configuration must be identical on both MLAG peer devices.
  • The peer-link port should be configured as a trusted port when server-to-client DHCP traffic can cross it, as in this example (each peer trusts ae48); otherwise a server reply that traverses the peer link is dropped as coming from an untrusted port.
  • On Switch1, Switch2, Switch3 and Switch4, configure only the interfaces in the direction of the DHCP server as DHCP snooping trusted interfaces; client-facing interfaces stay untrusted.

Procedure

Switch1

Step1         Configure the VLANs.

                   admin@Switch1# set vlans vlan-id 10

                   admin@Switch1# set vlans vlan-id 4088 l3-interface vlan4088

                   admin@Switch1# set interface aggregate-ethernet ae48 family ethernet-switching native-vlan-id 4088

                   admin@Switch1# set interface aggregate-ethernet ae48 family ethernet-switching port-mode trunk

                   admin@Switch1# set interface aggregate-ethernet ae48 family ethernet-switching vlan members 10

                   admin@Switch1# set interface aggregate-ethernet ae71 family ethernet-switching port-mode trunk

                   admin@Switch1# set interface aggregate-ethernet ae71 family ethernet-switching vlan members 10

                   admin@Switch1# set interface aggregate-ethernet ae72 family ethernet-switching port-mode trunk

                   admin@Switch1# set interface aggregate-ethernet ae72 family ethernet-switching vlan members 10

Step2         Configure aggregation interfaces with LACP mode.

   admin@Switch1# set interface aggregate-ethernet ae71 aggregated-ether-options lacp enable true

   admin@Switch1# set interface aggregate-ethernet ae72 aggregated-ether-options lacp enable true

Step3         Add member interfaces to a LAG.

                   admin@Switch1# set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad ae48

                   admin@Switch1# set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad ae48

                   admin@Switch1# set interface gigabit-ethernet te-1/1/41 ether-options 802.3ad ae71

                   admin@Switch1# set interface gigabit-ethernet te-1/1/42 ether-options 802.3ad ae72

Step4         Configure an MLAG domain ID.

   admin@Switch1# set protocols mlag domain 10

   NOTE: Currently, only one MLAG domain is allowed to be configured on one MLAG device.

Step5         Specify Switch1 as MLAG Node 0.

   admin@Switch1# set protocols mlag domain 10 node 0

Step6         Configure the peer IP address and peer link port.

   admin@Switch1# set protocols mlag domain 10 peer-ip 10.10.0.2 peer-link ae48

   NOTE: The peer-link port must be a LAG interface.

Step7         Configure the L3 interface IP address for peer link port on local MLAG peer device.

                   admin@Switch1# set l3-interface vlan-interface vlan4088 address 10.10.0.1 prefix-length 24

Step8         Configure link ID for the MLAG member port.

                   admin@Switch1# set protocols mlag domain 10 interface ae71 link 1

                   admin@Switch1# set protocols mlag domain 10 interface ae72 link 2

    NOTE: The paired MLAG member ports must be bound to the same MLAG link ID.

Step9         Configure MLAG peer VLAN.

   admin@Switch1# set protocols mlag domain 10 peer-ip 10.10.0.2 peer-vlan 4088

Step10        Enable DHCP snooping on VLAN 10 (snooping is disabled by default; "disable false" turns it on).

    admin@Switch1# set protocols dhcp snooping vlan 10 disable false

Step11        Configure the interface connected toward the DHCP server (ae72) and the peer-link port (ae48) as DHCP snooping trusted interfaces. The client-facing MLAG member ae71 remains untrusted.

    admin@Switch1# set protocols dhcp snooping trust-port ae48

    admin@Switch1# set protocols dhcp snooping trust-port ae72

Step12        Commit the configuration.

            admin@Switch1# commit

Switch2

Step1         Configure the VLANs.

                   admin@Switch2# set vlans vlan-id 10

                   admin@Switch2# set vlans vlan-id 4088 l3-interface vlan4088

                   admin@Switch2# set interface aggregate-ethernet ae48 family ethernet-switching native-vlan-id 4088

                   admin@Switch2# set interface aggregate-ethernet ae48 family ethernet-switching port-mode trunk

                   admin@Switch2# set interface aggregate-ethernet ae48 family ethernet-switching vlan members 10

                   admin@Switch2# set interface aggregate-ethernet ae71 family ethernet-switching port-mode trunk

                   admin@Switch2# set interface aggregate-ethernet ae71 family ethernet-switching vlan members 10

                   admin@Switch2# set interface aggregate-ethernet ae72 family ethernet-switching port-mode trunk

                   admin@Switch2# set interface aggregate-ethernet ae72 family ethernet-switching vlan members 10

Step2         Configure aggregation interfaces with LACP mode.

   admin@Switch2# set interface aggregate-ethernet ae71 aggregated-ether-options lacp enable true

   admin@Switch2# set interface aggregate-ethernet ae72 aggregated-ether-options lacp enable true

Step3         Add member interfaces to a LAG.

                   admin@Switch2# set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad ae48

                   admin@Switch2# set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad ae48

                   admin@Switch2# set interface gigabit-ethernet te-1/1/41 ether-options 802.3ad ae71

                   admin@Switch2# set interface gigabit-ethernet te-1/1/42 ether-options 802.3ad ae72

Step4         Configure an MLAG domain ID.

   admin@Switch2# set protocols mlag domain 10

   NOTE: Currently, only one MLAG domain is allowed to be configured on one MLAG device.

Step5         Specify Switch2 as MLAG Node 1.

   admin@Switch2# set protocols mlag domain 10 node 1

Step6         Configure the peer IP address and peer link port.

   admin@Switch2# set protocols mlag domain 10 peer-ip 10.10.0.1 peer-link ae48

   NOTE: The peer-link port must be a LAG interface.

Step7         Configure the L3 interface IP address for peer link port on local MLAG peer device.

                   admin@Switch2# set l3-interface vlan-interface vlan4088 address 10.10.0.2 prefix-length 24

Step8         Configure link ID for the MLAG member port.

                   admin@Switch2# set protocols mlag domain 10 interface ae71 link 1

                   admin@Switch2# set protocols mlag domain 10 interface ae72 link 2

   NOTE: The paired MLAG member ports must be bound to the same MLAG link ID.

Step9         Configure MLAG peer VLAN.

   admin@Switch2# set protocols mlag domain 10 peer-ip 10.10.0.1 peer-vlan 4088

Step10        Enable DHCP snooping on VLAN 10.

    admin@Switch2# set protocols dhcp snooping vlan 10 disable false

Step11        Configure the interface connected toward the DHCP server (ae72) and the peer-link port (ae48) as DHCP snooping trusted interfaces. The client-facing MLAG member ae71 remains untrusted.

    admin@Switch2# set protocols dhcp snooping trust-port ae48

    admin@Switch2# set protocols dhcp snooping trust-port ae72

Step12        Commit the configuration.

            admin@Switch2# commit
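The requirements above say the DHCP snooping configuration must be identical on both MLAG peers, that the peer-link must be trusted, and that only server-facing ports may be trusted. The following is an added example, not Pica8's or PicOS's own code: a small Python checker that parses PicOS-style `set` lines exported from the two peers and reports any deviation from those three rules. The sample configurations are constructed from the Switch1 and Switch2 procedures, with the peer-link trust entry deliberately left out of Switch2 so the checker has something to report.

```python
"""Consistency check for DHCP snooping across a pair of MLAG peers.

Added example (not PicOS code). It parses the `set protocols mlag ...` and
`set protocols dhcp snooping ...` lines of both peers and verifies:
  1. snooping VLANs, trust ports and MLAG link IDs are identical on both peers;
  2. the peer-link LAG is a trusted port on each peer;
  3. the MLAG member bound to the server-side link ID is trusted, and no
     other (client-facing) MLAG member is trusted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

PEER_LINK_RE = re.compile(r"^set protocols mlag domain \d+ peer-ip \S+ peer-link (\S+)$")
MLAG_LINK_RE = re.compile(r"^set protocols mlag domain \d+ interface (\S+) link (\d+)$")
SNOOP_VLAN_RE = re.compile(r"^set protocols dhcp snooping vlan (\d+) disable (true|false)$")
TRUST_RE = re.compile(r"^set protocols dhcp snooping trust-port (\S+)$")

# Constructed sample input: the relevant lines from the Switch1/Switch2 steps above.
# Switch2 is missing "trust-port ae48" on purpose.
SWITCH1 = """
set protocols mlag domain 10 peer-ip 10.10.0.2 peer-link ae48
set protocols mlag domain 10 interface ae71 link 1
set protocols mlag domain 10 interface ae72 link 2
set protocols dhcp snooping vlan 10 disable false
set protocols dhcp snooping trust-port ae48
set protocols dhcp snooping trust-port ae72
"""
SWITCH2 = """
set protocols mlag domain 10 peer-ip 10.10.0.1 peer-link ae48
set protocols mlag domain 10 interface ae71 link 1
set protocols mlag domain 10 interface ae72 link 2
set protocols dhcp snooping vlan 10 disable false
set protocols dhcp snooping trust-port ae72
"""


@dataclass
class SnoopConfig:
    peer_link: str = ""
    links: Dict[str, int] = field(default_factory=dict)    # MLAG member port -> link ID
    snoop_vlans: Set[int] = field(default_factory=set)     # VLANs with snooping enabled
    trust_ports: Set[str] = field(default_factory=set)


def parse_config(text: str) -> SnoopConfig:
    """Extract the MLAG and DHCP snooping facts from `set ...` lines; other lines are ignored."""
    cfg = SnoopConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_LINK_RE.match(line):
            cfg.peer_link = m.group(1)
        elif m := MLAG_LINK_RE.match(line):
            cfg.links[m.group(1)] = int(m.group(2))
        elif m := SNOOP_VLAN_RE.match(line):
            if m.group(2) == "false":          # "disable false" enables snooping
                cfg.snoop_vlans.add(int(m.group(1)))
        elif m := TRUST_RE.match(line):
            cfg.trust_ports.add(m.group(1))
    return cfg


def check_peers(peers: Dict[str, str], server_link_id: int) -> List[str]:
    """Return human-readable findings for a two-peer dict; an empty list means consistent."""
    parsed = {name: parse_config(text) for name, text in peers.items()}
    (name_a, a), (name_b, b) = list(parsed.items())
    findings: List[str] = []
    # Rule 1: identical DHCP snooping configuration (and link IDs) on both peers.
    if a.snoop_vlans != b.snoop_vlans:
        findings.append(f"snooping VLANs differ: {name_a}={sorted(a.snoop_vlans)} {name_b}={sorted(b.snoop_vlans)}")
    if a.trust_ports != b.trust_ports:
        findings.append(f"trust-port sets differ: {name_a}={sorted(a.trust_ports)} {name_b}={sorted(b.trust_ports)}")
    if a.links != b.links:
        findings.append("MLAG link IDs differ between peers")
    for name, cfg in parsed.items():
        # Rule 2: peer-link trusted, since server replies may cross it on the way to the client.
        if cfg.peer_link and cfg.peer_link not in cfg.trust_ports:
            findings.append(f"{name}: peer-link {cfg.peer_link} is not a DHCP snooping trust port")
        # Rule 3: server-side member trusted, client-side members untrusted.
        for port, link_id in cfg.links.items():
            if link_id == server_link_id and port not in cfg.trust_ports:
                findings.append(f"{name}: server-facing port {port} (link {link_id}) is untrusted; server replies would be dropped")
            if link_id != server_link_id and port in cfg.trust_ports:
                findings.append(f"{name}: client-facing port {port} (link {link_id}) is trusted; a rogue DHCP server behind it would be accepted")
    return findings


if __name__ == "__main__":
    for finding in check_peers({"Switch1": SWITCH1, "Switch2": SWITCH2}, server_link_id=2):
        print(finding)
```

Feed the checker the `show configuration` output of both peers before committing a change; the port-name regexes only match the exact command forms used on this page, so extend them if your export uses other keywords.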

Switch3

Step1         Configure the VLANs.

                   admin@Switch3# set vlans vlan-id 10

                   admin@Switch3# set interface aggregate-ethernet ae1 family ethernet-switching port-mode trunk

                   admin@Switch3# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 10

   admin@Switch3# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 10

                  admin@Switch3# set interface gigabit-ethernet ge-1/1/3 description "to-client"

Step2         Configure aggregation interfaces with LACP mode.

   admin@Switch3# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae1

   admin@Switch3# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae1

   admin@Switch3# set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true

Step3         Enable DHCP snooping on VLAN 10.

   admin@Switch3# set protocols dhcp snooping vlan 10 disable false

Step4         Configure ae1 (the uplink toward the MLAG pair and the DHCP server) as the DHCP snooping trusted port. The client port ge-1/1/3 stays untrusted.

   admin@Switch3# set protocols dhcp snooping trust-port ae1

Step5         Commit the configuration.

           admin@Switch3# commit

Switch4

Step1         Configure the VLANs.

                   admin@Switch4# set vlans vlan-id 10

                   admin@Switch4# set interface aggregate-ethernet ae2 family ethernet-switching port-mode trunk

                   admin@Switch4# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 10

   admin@Switch4# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 10

           admin@Switch4# set interface gigabit-ethernet ge-1/1/3 description "to-server"

Step2         Configure aggregation interfaces with LACP mode.

   admin@Switch4# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae2

   admin@Switch4# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae2

   admin@Switch4# set interface aggregate-ethernet ae2 aggregated-ether-options lacp enable true

Step3         Enable DHCP snooping on VLAN 10.

   admin@Switch4# set protocols dhcp snooping vlan 10 disable false

Step4         Configure ge-1/1/3 (the port connected to the DHCP server) as the DHCP snooping trusted port. ae2, which faces the MLAG pair and the client, stays untrusted.

   admin@Switch4# set protocols dhcp snooping trust-port ge-1/1/3

Step5         Commit the configuration.

           admin@Switch4# commit

Verify the Configuration

  • Use the run show mlag domain summary command to display the global MLAG domain information. The peer IP shown must match the peer-ip configured on the local device (10.10.0.2 on Switch1), and the Neighbor Status should be ESTABLISHED.
admin@Switch1# run show mlag domain summary
Domain ID: 10    Domain MAC: 48:6E:73:FF:00:0a    Node ID: 0
-----------------------------------------------------------------------
Peer Link  Peer IP     Peer Vlan  Neighbor Status  Config Matched  MAC Synced  # of Links
---------  ----------  ---------  ---------------  --------------  ----------  ----------
ae48       10.10.0.2   4088       ESTABLISHED      Yes             Yes         2
  • Use the run show mlag link summary command to display MLAG link information for the two dual-homed links.
admin@Switch1# run show mlag link summary
# of Links: 2
Link   Local LAG   Link Status   Local Status   Peer Status   Config Matched   Flood
----   ---------   -----------   ------------   -----------   --------------   -----
1      ae71         IDLE          UP             UNKNOWN       No                No
2      ae72         IDLE          UP             UNKNOWN       No                No
  • Use the run show dhcp snooping binding command to view the DHCP snooping binding table. The binding is learned on the untrusted port through which the client is reached: the access port ge-1/1/3 on Switch3 and the LAG ae2 on Switch4. No binding is created for the DHCP server, which sits behind a trusted port.
admin@Switch3# run show dhcp snooping binding
Total count:     1
MAC Address         IP Address   Port        VLAN ID   Lease(sec)
-----------------   ----------   ---------   -------   ----------
00:1b:57:60:11:d1   71.0.0.15    ge-1/1/3    10        599/600


admin@Switch4# run show dhcp snooping binding
Total count:     1
MAC Address         IP Address   Port        VLAN ID   Lease(sec)
-----------------   ----------   ---------   -------   ----------
00:1b:57:60:11:d1   71.0.0.15    ae2         10        599/600
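To make the binding table above concrete, the following is an added example, not PicOS code: a Python model of the generic DHCP snooping forwarding decision (server messages accepted only on trusted ports, client messages validated on untrusted ports, bindings learned from ACKs delivered to untrusted client ports) run over a constructed message sequence as seen by Switch4. The client MAC and address are taken from the verification output; the rogue server MAC, the legitimate server MAC (from the RFC 7042 documentation range) and the extra access port ge-1/1/4 are constructed for the example.

```python
"""Model of the DHCP snooping forwarding decision and binding table.

Added example (not PicOS code). It follows the generic DHCP snooping rules,
not a specific vendor implementation, and reuses the Switch4 port names from
the example above: ge-1/1/3 trusted (server side), ae2 untrusted (client side).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# DHCP message types (RFC 2132 option 53)
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}


@dataclass(frozen=True)
class Dhcp:
    msg_type: int
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address carried in the DHCP payload
    in_port: str
    vlan: int
    yiaddr: str = "0.0.0.0"
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int
    lease: int


class DhcpSnooper:
    def __init__(self, snoop_vlans, trust_ports):
        self.snoop_vlans = set(snoop_vlans)
        self.trust_ports = set(trust_ports)
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        # (chaddr, vlan) -> untrusted port that sent the client's DISCOVER/REQUEST
        self.pending: Dict[Tuple[str, int], str] = {}

    def process(self, pkt: Dhcp) -> Tuple[str, str]:
        """Return ('forward' | 'drop', reason) for one DHCP packet."""
        if pkt.vlan not in self.snoop_vlans:
            return "forward", "snooping not enabled on this VLAN"
        trusted = pkt.in_port in self.trust_ports
        key = (pkt.chaddr, pkt.vlan)
        if pkt.msg_type in SERVER_MSGS:
            # Rogue-server defence: OFFER/ACK/NAK are only accepted from trusted ports.
            if not trusted:
                return "drop", f"server message on untrusted port {pkt.in_port}"
            if pkt.msg_type == ACK and key in self.pending:
                # Lease confirmed for a client behind an untrusted port: record the binding.
                self.bindings[key] = Binding(pkt.chaddr, pkt.yiaddr, self.pending[key], pkt.vlan, pkt.lease)
            return "forward", "server message on trusted port"
        # Client-originated message (DISCOVER/REQUEST/RELEASE/...).
        if not trusted:
            if pkt.src_mac != pkt.chaddr:
                return "drop", "chaddr does not match frame source MAC"
            if pkt.msg_type == RELEASE:
                # A RELEASE may only come from the port the binding was learned on.
                b = self.bindings.get(key)
                if b is None or b.port != pkt.in_port:
                    return "drop", "RELEASE from a port without a matching binding"
                del self.bindings[key]
                return "forward", "RELEASE matches binding"
            self.pending[key] = pkt.in_port
        return "forward", "client message"


CLIENT = "00:1b:57:60:11:d1"        # client MAC from the verification output above
SERVER = "00:00:5e:00:53:01"        # constructed: legitimate DHCP server behind ge-1/1/3
ROGUE = "00:00:5e:00:53:ff"         # constructed: rogue DHCP server on the client side

# Constructed sequence as seen by Switch4.
SCENARIO: List[Dhcp] = [
    Dhcp(DISCOVER, CLIENT, CLIENT, "ae2", 10),
    Dhcp(OFFER, ROGUE, CLIENT, "ae2", 10, yiaddr="10.66.0.9"),          # rogue offer, untrusted port
    Dhcp(OFFER, SERVER, CLIENT, "ge-1/1/3", 10, yiaddr="71.0.0.15"),
    Dhcp(REQUEST, CLIENT, CLIENT, "ae2", 10),
    Dhcp(ACK, SERVER, CLIENT, "ge-1/1/3", 10, yiaddr="71.0.0.15", lease=600),
    Dhcp(RELEASE, CLIENT, CLIENT, "ge-1/1/4", 10),                      # forged release from another port
]


def run_scenario() -> Tuple[List[str], Dict[Tuple[str, int], Binding]]:
    sw = DhcpSnooper(snoop_vlans=[10], trust_ports=["ge-1/1/3"])
    verdicts = [sw.process(p)[0] for p in SCENARIO]
    return verdicts, sw.bindings


if __name__ == "__main__":
    verdicts, bindings = run_scenario()
    for pkt, verdict in zip(SCENARIO, verdicts):
        print(f"type={pkt.msg_type} port={pkt.in_port}: {verdict}")
    print(bindings)
```

The resulting binding (MAC 00:1b:57:60:11:d1, IP 71.0.0.15, port ae2, VLAN 10, lease 600) is the entry shown in the Switch4 table above; the rogue OFFER on ae2 and the forged RELEASE from a different port are both dropped.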
 

Copyright © 2024 Pica8 Inc. All Rights Reserved.