Example for Configuring DHCP Snooping with PVLAN


Networking Requirements

Figure 1. DHCP Snooping with PVLAN Configuration Example

As shown in Figure 1, in the PVLAN topology the Switch acts as the user gateway and forwards DHCP messages to the DHCP server, so that the DHCP clients Host A, Host B, Host C and Host D can obtain IP address leases and other configuration information from it. To protect these DHCP users, the network administrator can configure DHCP snooping on the Switch so that DHCP server messages are accepted only from the trusted port; this prevents DHCP attacks launched from the host ports.

Complete the following configurations on the Switch:

  • Configure PVLAN on the Switch. For details, please refer to 8.3.1 Example for Configuring PVLAN.
  • Enable DHCP snooping on the primary VLAN (VLAN 5), in which the PVLAN pvlan-promiscuous port te-1/1/1 connects to the DHCP server.
  • Configure the PVLAN pvlan-promiscuous port te-1/1/1 that connects to the DHCP server as the trust port, so that DHCP server replies are accepted only from it.


Procedure

Step1         Create the secondary VLANs.

admin@XorPlus# set vlans vlan-id 2 private-vlan mode isolated
admin@XorPlus# set vlans vlan-id 3 private-vlan mode community

Step2         Create the primary VLAN.

admin@XorPlus# set vlans vlan-id 5 private-vlan mode primary

Step3         Associate the secondary VLAN with the primary VLAN.

admin@XorPlus# set vlans vlan-id 5 private-vlan association 2-3

Step4         Configure the ports connected to the hosts as the PVLAN host ports.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching port-mode pvlan-host

Step5         Configure the port connected to the DHCP server as the promiscuous port.

admin@XorPlus# set interface gigabit-ethernet te-1/1/1 family ethernet-switching port-mode pvlan-promiscuous

Step6         Add the host ports into their secondary VLANs (ge-1/1/1 and ge-1/1/2 into isolated VLAN 2, ge-1/1/3 and ge-1/1/4 into community VLAN 3) by setting the native VLAN of each host port to the secondary VLAN ID.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 3
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching native-vlan-id 3

Step7         Add the promiscuous port into the primary VLAN and set the native VLAN of the promiscuous port as the primary VLAN ID.

admin@XorPlus# set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 5

Step8         Configure DHCP snooping.

admin@XorPlus# set protocols dhcp snooping vlan 5 disable false
admin@XorPlus# set protocols dhcp snooping trust-port te-1/1/1

Step9         Commit the configurations.

admin@XorPlus# commit

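To make concrete what Step 8 buys you, here is an added Python model of the DHCP snooping decision; it is not PicOS code and the switch's real implementation is not shown on this page. It uses the page's snooping VLAN 5 and trust port te-1/1/1; the message types, the per-port binding check on RELEASE/DECLINE and the sample messages are assumptions, constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Server-originated DHCP messages; legitimate only from the trust port.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
Binding = namedtuple("Binding", "ip port vlan lease")  # one binding-table row

@dataclass
class DhcpMsg:
    kind: str          # DISCOVER, REQUEST, OFFER, ACK, RELEASE, ...
    in_port: str       # ingress port, e.g. "ge-1/1/1"
    vlan: int          # primary VLAN the frame is switched in
    client_mac: str
    yiaddr: str = ""   # address carried by OFFER/ACK
    lease: int = 0

@dataclass
class Snooper:
    snoop_vlans: set
    trust_ports: set
    pending: dict = field(default_factory=dict)   # mac -> host port that asked
    bindings: dict = field(default_factory=dict)  # mac -> Binding

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP message (assumed model)."""
        if m.vlan not in self.snoop_vlans:
            return "forward"                      # snooping not enabled here
        if m.in_port in self.trust_ports:         # te-1/1/1 in the page's setup
            if m.kind == "ACK" and m.client_mac in self.pending:
                port = self.pending.pop(m.client_mac)
                self.bindings[m.client_mac] = Binding(m.yiaddr, port, m.vlan, m.lease)
            return "forward"
        # Untrusted pvlan-host port from here on.
        if m.kind in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"
        if m.kind in ("RELEASE", "DECLINE"):
            b = self.bindings.get(m.client_mac)
            if b is None or b.port != m.in_port:
                return "drop:no-matching-binding"
            del self.bindings[m.client_mac]
            return "forward"
        if m.kind in ("DISCOVER", "REQUEST"):
            self.pending[m.client_mac] = m.in_port
        return "forward"

def page_snooper() -> Snooper:
    """Snooper configured as in Step 8: snooping on VLAN 5, trust port te-1/1/1."""
    return Snooper(snoop_vlans={5}, trust_ports={"te-1/1/1"})
```

An OFFER arriving on a pvlan-host port is dropped while the same OFFER on te-1/1/1 passes, and a RELEASE is honoured only from the port the binding was learned on.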
Verify the Configuration

  • You can use the run show vlans private-vlan command to view the PVLAN configuration information.

admin@Xorplus# run show vlans private-vlan
Primary   Secondary  Type            Tag         Interfaces
-------   ---------  -----------     --------    --------------------------
5                    primary         untagged    te-1/1/1
                                       tagged
          2          isolated        untagged    ge-1/1/1, ge-1/1/2
                                       tagged
          3          community       untagged    ge-1/1/3, ge-1/1/4
                                       tagged

  • You can use the run show vlans private-vlan type command to view the PVLAN type information.

admin@Xorplus# run show vlans private-vlan type
Vlan Type
---- -----------
5    primary
2    isolated
3    community

  • You can use the run show dhcp snooping binding command to view the DHCP snooping binding table.

admin@Xorplus# run show dhcp snooping binding
Total Snooping host count: 2
MAC Address        IP Address    Port       VLAN ID    Lease(sec)
--------------------------------------------------------------------------------------------
00:00:22:22:00:00  100.1.1.1     ge-1/1/1   101        599/600
00:00:33:33:00:00  100.1.1.2     ge-1/1/2   101        599/600
00:00:44:44:00:00  200.1.1.1     ge-1/1/3   102        599/600
00:00:55:55:00:00  200.1.1.2     ge-1/1/4   102        599/600

  • DHCP clients can obtain IP addresses normally.


Copyright © 2024 Pica8 Inc. All Rights Reserved.