Example for Configuring DHCP Snooping with PVLAN
Networking Requirements
Figure 1. DHCP Snooping with PVLAN Configuration Example
As shown in Figure 1, in the PVLAN topology the Switch acts as the user gateway and forwards DHCP messages to the DHCP server, so that the DHCP clients Host A, Host B, Host C and Host D can obtain an IP address lease and other configuration information from the DHCP server. To protect these clients from DHCP attacks, the network administrator configures DHCP snooping on the Switch: DHCP server messages (OFFER, ACK, NAK) are accepted only on the trusted port that faces the DHCP server and are dropped when they arrive on the untrusted host ports, so a rogue DHCP server attached to a host port cannot answer the clients, and the Switch builds a binding table (MAC address, IP address, port, VLAN, lease) from the leases it observes.
Complete the following configurations on the Switch:
- Configure PVLAN on the Switch. For details, please refer to 8.3.1 Example for Configuring PVLAN.
- Enable DHCP snooping on the primary VLAN (VLAN 5); the PVLAN pvlan-promiscuous port Te-1/1/1 in that VLAN connects to the DHCP server.
- Configure the PVLAN pvlan-promiscuous port Te-1/1/1 connecting to the DHCP server as the trust port. The host ports ge-1/1/1 to ge-1/1/4 are not configured as trust ports, so server messages arriving on them are dropped.
Procedure
Step 1  Create the secondary VLANs.
admin@XorPlus# set vlans vlan-id 2 private-vlan mode isolated
admin@XorPlus# set vlans vlan-id 3 private-vlan mode community
Step 2  Create the primary VLAN.
admin@XorPlus# set vlans vlan-id 5 private-vlan mode primary
Step 3  Associate the secondary VLANs with the primary VLAN.
admin@XorPlus# set vlans vlan-id 5 private-vlan association 2-3
Step 4  Configure the ports connected to the hosts as PVLAN host ports.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching port-mode pvlan-host
Step 5  Configure the port connected to the DHCP server as the promiscuous port.
admin@XorPlus# set interface gigabit-ethernet te-1/1/1 family ethernet-switching port-mode pvlan-promiscuous
Step 6  Add the host ports to the secondary VLANs by setting the native VLAN of each host port to its secondary VLAN ID.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 3
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching native-vlan-id 3
Step 7  Add the promiscuous port to the primary VLAN by setting the native VLAN of the promiscuous port to the primary VLAN ID.
admin@XorPlus# set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 5
Step 8  Configure DHCP snooping: enable it on primary VLAN 5 and make te-1/1/1 the trust port.
admin@XorPlus# set protocols dhcp snooping vlan 5 disable false
admin@XorPlus# set protocols dhcp snooping trust-port te-1/1/1
Step 9  Commit the configuration.
admin@XorPlus# commit
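The filtering that the trust-port configuration above puts in place, as an added Python model (not XorPlus code and not taken from this page): port names and VLAN IDs are the ones from the example (trust port te-1/1/1, host ports ge-1/1/1 to ge-1/1/4, secondary VLANs 2 and 3 under primary VLAN 5); the frame representation, the RELEASE/DECLINE check against the binding table, and the sample exchange are assumptions of the model, not behaviour documented on this page.

```python
"""Model of the DHCP snooping filter configured in the example above.

Added illustration, not XorPlus code. Port names and VLAN IDs come from the
example; the frame format, the RELEASE/DECLINE check and the constructed
exchange in run_example() are assumptions of this model.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}                   # only a DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class DhcpFrame:
    ingress_port: str
    chaddr: str          # client hardware address carried in the DHCP payload
    msg_type: str
    yiaddr: str = ""     # address assigned by the server (OFFER/ACK)
    lease: int = 0       # lease time in seconds (ACK)


@dataclass
class SnoopingSwitch:
    trust_ports: set
    host_ports: dict                                  # host port -> secondary VLAN
    bindings: dict = field(default_factory=dict)      # chaddr -> (ip, port, vlan, lease)
    pending: dict = field(default_factory=dict)       # chaddr -> port of last DISCOVER/REQUEST

    def process(self, f: DhcpFrame) -> str:
        """Return the forwarding decision for one DHCP frame and update snooping state."""
        if f.msg_type not in SERVER_MESSAGES | CLIENT_MESSAGES:
            return "DROP: unknown DHCP message type"
        trusted = f.ingress_port in self.trust_ports

        if f.msg_type in SERVER_MESSAGES:
            # Core rule: a server reply on a host (untrusted) port comes from a rogue
            # server. Only the trust port facing the real DHCP server may answer.
            if not trusted:
                return "DROP: server message on untrusted port %s" % f.ingress_port
            if f.msg_type == "ACK":
                port = self.pending.get(f.chaddr)
                if port is not None:
                    # Lease confirmed: record MAC, IP, port, VLAN and lease in the binding table.
                    self.bindings[f.chaddr] = (f.yiaddr, port, self.host_ports[port], f.lease)
                    self.pending.pop(f.chaddr, None)
            elif f.msg_type == "NAK":
                self.pending.pop(f.chaddr, None)
            return "FORWARD"

        # Client message. Frames from the trust port are not inspected (assumption).
        if trusted:
            return "FORWARD"
        if f.ingress_port not in self.host_ports:
            return "DROP: unknown ingress port %s" % f.ingress_port
        if f.msg_type in ("RELEASE", "DECLINE"):
            # A host may only release or decline a lease bound to its own port;
            # otherwise a host could tear down a neighbour's lease by forging chaddr.
            bound = self.bindings.get(f.chaddr)
            if bound is None or bound[1] != f.ingress_port:
                return "DROP: %s does not match the binding table" % f.msg_type
            del self.bindings[f.chaddr]
            return "FORWARD"
        self.pending[f.chaddr] = f.ingress_port
        return "FORWARD"


def run_example():
    """Constructed exchange on the example topology; returns (decisions, bindings)."""
    sw = SnoopingSwitch(
        trust_ports={"te-1/1/1"},
        host_ports={"ge-1/1/1": 2, "ge-1/1/2": 2, "ge-1/1/3": 3, "ge-1/1/4": 3},
    )
    host_a = "00:00:22:22:00:00"
    frames = [
        DhcpFrame("ge-1/1/1", host_a, "DISCOVER"),
        DhcpFrame("ge-1/1/2", host_a, "OFFER", yiaddr="100.1.1.200"),      # rogue server behind Host B
        DhcpFrame("te-1/1/1", host_a, "OFFER", yiaddr="100.1.1.1"),        # real server via trust port
        DhcpFrame("ge-1/1/1", host_a, "REQUEST"),
        DhcpFrame("te-1/1/1", host_a, "ACK", yiaddr="100.1.1.1", lease=600),
        DhcpFrame("ge-1/1/3", host_a, "RELEASE"),                          # Host C forging Host A's chaddr
        DhcpFrame("ge-1/1/2", host_a, "ACK", yiaddr="100.1.1.200", lease=600),
    ]
    decisions = [sw.process(f) for f in frames]
    return decisions, dict(sw.bindings)


if __name__ == "__main__":
    decisions, bindings = run_example()
    for d in decisions:
        print(d)
    print(bindings)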
Verify the Configuration
- You can use the run show vlans private-vlan command to view the PVLAN configuration information.
admin@XorPlus# run show vlans private-vlan
Primary   Secondary  Type         Tag       Interfaces
-------   ---------  -----------  --------  --------------------------
5                    primary      untagged  te-1/1/1
                                  tagged
          2          isolated     untagged  ge-1/1/1, ge-1/1/2
                                  tagged
          3          community    untagged  ge-1/1/3, ge-1/1/4
                                  tagged
- You can use the run show vlans private-vlan type command to view the PVLAN type information.
admin@XorPlus# run show vlans private-vlan type
Vlan   Type
----   -----------
5      primary
2      isolated
3      community
- You can use the run show dhcp snooping binding command to view the DHCP snooping binding table.
admin@XorPlus# run show dhcp snooping binding
Total Snooping host count: 4
MAC Address         IP Address    Port       VLAN ID   Lease(sec)
--------------------------------------------------------------------------------------------
00:00:22:22:00:00   100.1.1.1     ge-1/1/1   101       599/600
00:00:33:33:00:00   100.1.1.2     ge-1/1/2   101       599/600
00:00:44:44:00:00   200.1.1.1     ge-1/1/3   102       599/600
00:00:55:55:00:00   200.1.1.2     ge-1/1/4   102       599/600
- DHCP clients can obtain IP addresses normally.
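A check a practitioner can run over the output of run show dhcp snooping binding, as an added Python script (not a XorPlus command and not from this page): it parses the table in the format shown above and flags entries that do not fit the example's PVLAN layout. The sample output is constructed for this example and deliberately contains two bad rows; the expected host ports, trust port and VLAN IDs are those of the configuration above.

```python
"""Audit 'run show dhcp snooping binding' output against the example PVLAN layout.

Added check, not a XorPlus command. SAMPLE is constructed in the format shown
on this page; the port and VLAN expectations come from the example configuration.
"""
import re

TRUST_PORTS = {"te-1/1/1"}
HOST_PORTS = {"ge-1/1/1", "ge-1/1/2", "ge-1/1/3", "ge-1/1/4"}
PVLAN_IDS = {2, 3, 5}   # secondary VLANs plus the primary VLAN on which snooping is enabled

# Constructed sample: the third row is bound on the trust port and the fourth
# row sits in a VLAN that is not part of the PVLAN; both should be flagged.
SAMPLE = """\
Total Snooping host count: 4
MAC Address         IP Address    Port       VLAN ID   Lease(sec)
--------------------------------------------------------------------------------------------
00:00:22:22:00:00   100.1.1.1     ge-1/1/1   5         599/600
00:00:33:33:00:00   100.1.1.2     ge-1/1/2   5         598/600
00:00:44:44:00:00   200.1.1.1     te-1/1/1   5         599/600
00:00:55:55:00:00   200.1.1.2     ge-1/1/4   101       599/600
"""

ROW = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)/(\d+)$", re.I
)
COUNT = re.compile(r"^Total Snooping host count:\s*(\d+)$")


def parse_bindings(text):
    """Return (declared count or None, list of binding dicts) from the show output."""
    count, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT.match(line)
        if m:
            count = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            mac, ip, port, vlan, left, total = m.groups()
            rows.append({"mac": mac.lower(), "ip": ip, "port": port,
                         "vlan": int(vlan), "lease_left": int(left), "lease_total": int(total)})
    return count, rows


def audit(text):
    """Return a list of findings; an empty list means the table matches expectations."""
    count, rows = parse_bindings(text)
    findings = []
    if count is not None and count != len(rows):
        findings.append("count mismatch: header says %d, table has %d rows" % (count, len(rows)))
    seen_ip = {}
    for r in rows:
        if r["port"] in TRUST_PORTS:
            # A client lease learned behind the server-facing uplink deserves a look.
            findings.append("%s bound on trust port %s" % (r["mac"], r["port"]))
        elif r["port"] not in HOST_PORTS:
            findings.append("%s bound on unexpected port %s" % (r["mac"], r["port"]))
        if r["vlan"] not in PVLAN_IDS:
            findings.append("%s in VLAN %d outside the PVLAN" % (r["mac"], r["vlan"]))
        if r["lease_left"] > r["lease_total"]:
            findings.append("%s has remaining lease above its total" % r["mac"])
        if r["ip"] in seen_ip:
            findings.append("%s duplicates IP %s held by %s" % (r["mac"], r["ip"], seen_ip[r["ip"]]))
        seen_ip[r["ip"]] = r["mac"]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Paste the real switch output in place of SAMPLE; a clean table returns no findings.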
Copyright © 2024 Pica8 Inc. All Rights Reserved.