Example for Configuring MLAG with DHCP Snooping
Networking Requirements
Figure 1 User Configuration Topology of MLAG with DHCP Snooping
As shown in Figure 1, Switch1 and Switch2 are Layer 2 switches that form a pair of MLAG peer devices. The DHCP client is connected to Switch3, which is dual-homed to the MLAG pair, and the DHCP server is connected to Switch4, which is also dual-homed to the MLAG pair. To protect the DHCP client in this MLAG topology against DHCP attacks (for example a rogue DHCP server answering client requests), the network administrator configures DHCP snooping on Switch1, Switch2, Switch3 and Switch4.
When configuring the network, pay attention to the following points:
- Switch3 is dual-homed to the MLAG peer devices Switch1 and Switch2 with MLAG link ID 1. Switch4 is dual-homed to Switch1 and Switch2 with MLAG link ID 2.
- The DHCP snooping configuration must be identical on both MLAG peer devices (same snooping VLANs and the same set of trusted ports), so that a client request and the server reply are treated the same way whichever peer receives them.
- The peer-link port must be configured as a DHCP snooping trusted port. A DHCP server reply may arrive at one MLAG peer and be forwarded over the peer link to the other; if the peer link is untrusted, the second peer drops the reply as a server message received on an untrusted port.
- On Switch1, Switch2, Switch3 and Switch4, configure only the interfaces facing the DHCP server as DHCP snooping trusted interfaces. Interfaces facing clients stay untrusted, so DHCP server messages arriving from them are dropped.
Procedure
Switch1
Step1 Configure the VLANs.
admin@Switch1# set vlans vlan-id 10
admin@Switch1# set vlans vlan-id 4088 l3-interface vlan4088
admin@Switch1# set interface aggregate-ethernet ae48 family ethernet-switching native-vlan-id 4088
admin@Switch1# set interface aggregate-ethernet ae48 family ethernet-switching port-mode trunk
admin@Switch1# set interface aggregate-ethernet ae48 family ethernet-switching vlan members 10
admin@Switch1# set interface aggregate-ethernet ae71 family ethernet-switching port-mode trunk
admin@Switch1# set interface aggregate-ethernet ae71 family ethernet-switching vlan members 10
admin@Switch1# set interface aggregate-ethernet ae72 family ethernet-switching port-mode trunk
admin@Switch1# set interface aggregate-ethernet ae72 family ethernet-switching vlan members 10
Step2 Configure aggregation interfaces with LACP mode.
admin@Switch1# set interface aggregate-ethernet ae71 aggregated-ether-options lacp enable true
admin@Switch1# set interface aggregate-ethernet ae72 aggregated-ether-options lacp enable true
Step3 Add member interfaces to a LAG.
admin@Switch1# set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad ae48
admin@Switch1# set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad ae48
admin@Switch1# set interface gigabit-ethernet te-1/1/41 ether-options 802.3ad ae71
admin@Switch1# set interface gigabit-ethernet te-1/1/42 ether-options 802.3ad ae72
Step4 Configure an MLAG domain ID.
admin@Switch1# set protocols mlag domain 10
NOTE: Currently, only one MLAG domain is allowed to be configured on one MLAG device.
Step5 Specify Switch1 as MLAG Node 0.
admin@Switch1# set protocols mlag domain 10 node 0
Step6 Configure the peer IP address and peer link port.
admin@Switch1# set protocols mlag domain 10 peer-ip 10.10.0.2 peer-link ae48
NOTE: The peer-link port must be a LAG (aggregate-ethernet) interface.
Step7 Configure the local peer IP address on the L3 interface of the peer-link VLAN.
admin@Switch1# set l3-interface vlan-interface vlan4088 address 10.10.0.1 prefix-length 24
Step8 Configure link ID for the MLAG member port.
admin@Switch1# set protocols mlag domain 10 interface ae71 link 1
admin@Switch1# set protocols mlag domain 10 interface ae72 link 2
NOTE: The paired MLAG member ports must be bound to the same MLAG link ID.
Step9 Configure MLAG peer VLAN.
admin@Switch1# set protocols mlag domain 10 peer-ip 10.10.0.2 peer-vlan 4088
Step10 Enable DHCP snooping on VLAN 10.
admin@Switch1# set protocols dhcp snooping vlan 10 disable false
Step11 Configure the interface connected to the DHCP server (ae72, MLAG link 2) and the peer-link port (ae48) as DHCP snooping trusted interfaces. The client-facing MLAG port ae71 stays untrusted.
admin@Switch1# set protocols dhcp snooping trust-port ae48
admin@Switch1# set protocols dhcp snooping trust-port ae72
Step12 Commit the configuration.
admin@Switch1# commit
Switch2
Step1 Configure the VLANs.
admin@Switch2# set vlans vlan-id 10
admin@Switch2# set vlans vlan-id 4088 l3-interface vlan4088
admin@Switch2# set interface aggregate-ethernet ae48 family ethernet-switching native-vlan-id 4088
admin@Switch2# set interface aggregate-ethernet ae48 family ethernet-switching port-mode trunk
admin@Switch2# set interface aggregate-ethernet ae48 family ethernet-switching vlan members 10
admin@Switch2# set interface aggregate-ethernet ae71 family ethernet-switching port-mode trunk
admin@Switch2# set interface aggregate-ethernet ae71 family ethernet-switching vlan members 10
admin@Switch2# set interface aggregate-ethernet ae72 family ethernet-switching port-mode trunk
admin@Switch2# set interface aggregate-ethernet ae72 family ethernet-switching vlan members 10
Step2 Configure aggregation interfaces with LACP mode.
admin@Switch2# set interface aggregate-ethernet ae71 aggregated-ether-options lacp enable true
admin@Switch2# set interface aggregate-ethernet ae72 aggregated-ether-options lacp enable true
Step3 Add member interfaces to a LAG.
admin@Switch2# set interface gigabit-ethernet te-1/1/1 ether-options 802.3ad ae48
admin@Switch2# set interface gigabit-ethernet te-1/1/2 ether-options 802.3ad ae48
admin@Switch2# set interface gigabit-ethernet te-1/1/41 ether-options 802.3ad ae71
admin@Switch2# set interface gigabit-ethernet te-1/1/42 ether-options 802.3ad ae72
Step4 Configure an MLAG domain ID.
admin@Switch2# set protocols mlag domain 10
NOTE: Currently, only one MLAG domain is allowed to be configured on one MLAG device.
Step5 Specify Switch2 as MLAG Node 1.
admin@Switch2# set protocols mlag domain 10 node 1
Step6 Configure the peer IP address and peer link port.
admin@Switch2# set protocols mlag domain 10 peer-ip 10.10.0.1 peer-link ae48
NOTE: The peer-link port must be a LAG (aggregate-ethernet) interface.
Step7 Configure the local peer IP address on the L3 interface of the peer-link VLAN.
admin@Switch2# set l3-interface vlan-interface vlan4088 address 10.10.0.2 prefix-length 24
Step8 Configure link ID for the MLAG member port.
admin@Switch2# set protocols mlag domain 10 interface ae71 link 1
admin@Switch2# set protocols mlag domain 10 interface ae72 link 2
NOTE: The paired MLAG member ports must be bound to the same MLAG link ID.
Step9 Configure MLAG peer VLAN.
admin@Switch2# set protocols mlag domain 10 peer-ip 10.10.0.1 peer-vlan 4088
Step10 Enable DHCP snooping on VLAN 10.
admin@Switch2# set protocols dhcp snooping vlan 10 disable false
Step11 Configure the interface connected to the DHCP server (ae72, MLAG link 2) and the peer-link port (ae48) as DHCP snooping trusted interfaces. The client-facing MLAG port ae71 stays untrusted.
admin@Switch2# set protocols dhcp snooping trust-port ae48
admin@Switch2# set protocols dhcp snooping trust-port ae72
Step12 Commit the configuration.
admin@Switch2# commit
Switch3
Step1 Configure the VLANs.
admin@Switch3# set vlans vlan-id 10
admin@Switch3# set interface aggregate-ethernet ae1 family ethernet-switching port-mode trunk
admin@Switch3# set interface aggregate-ethernet ae1 family ethernet-switching vlan members 10
admin@Switch3# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 10
admin@Switch3# set interface gigabit-ethernet ge-1/1/3 description "to-client"
Step2 Add the member interfaces to the LAG and enable LACP on it.
admin@Switch3# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae1
admin@Switch3# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae1
admin@Switch3# set interface aggregate-ethernet ae1 aggregated-ether-options lacp enable true
Step3 Enable DHCP snooping on VLAN 10.
admin@Switch3# set protocols dhcp snooping vlan 10 disable false
Step4 Configure ae1, the LAG towards the MLAG pair and the DHCP server, as the DHCP snooping trusted port. The client port ge-1/1/3 stays untrusted.
admin@Switch3# set protocols dhcp snooping trust-port ae1
Step5 Commit the configuration.
admin@Switch3# commit
Switch4
Step1 Configure the VLANs.
admin@Switch4# set vlans vlan-id 10
admin@Switch4# set interface aggregate-ethernet ae2 family ethernet-switching port-mode trunk
admin@Switch4# set interface aggregate-ethernet ae2 family ethernet-switching vlan members 10
admin@Switch4# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 10
admin@Switch4# set interface gigabit-ethernet ge-1/1/3 description "to-server"
Step2 Add the member interfaces to the LAG and enable LACP on it.
admin@Switch4# set interface gigabit-ethernet ge-1/1/1 ether-options 802.3ad ae2
admin@Switch4# set interface gigabit-ethernet ge-1/1/2 ether-options 802.3ad ae2
admin@Switch4# set interface aggregate-ethernet ae2 aggregated-ether-options lacp enable true
Step3 Enable DHCP snooping on VLAN 10.
admin@Switch4# set protocols dhcp snooping vlan 10 disable false
Step4 Configure ge-1/1/3, the port connected to the DHCP server, as the DHCP snooping trusted port. ae2 stays untrusted: only client requests arrive from the MLAG side, and an OFFER or ACK entering on ae2 would be dropped.
admin@Switch4# set protocols dhcp snooping trust-port ge-1/1/3
Step5 Commit the configuration.
admin@Switch4# commit
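The planning rules above (identical snooping configuration on both peers, trusted peer link, trust only towards the DHCP server) are easy to violate when the two peers are configured by hand. The following script is an added example and not Pica8 code: it parses the relevant "set protocols mlag" and "set protocols dhcp snooping" lines of the Switch1/Switch2 configuration from this procedure, reports rule violations, and models the snooping filter decision for a DHCPOFFER that crosses the peer link. The parser only understands the command forms used on this page, the SWITCH2_BAD configuration is a constructed misconfiguration, and the forward/drop model is the textbook DHCP snooping rule (server messages accepted on trusted ports only), not the switch's implementation.

```python
"""Added example (not Pica8 code): check two PicOS MLAG peers against the DHCP
snooping planning rules of this page and model the snooping filter decision.

Only the 'set protocols mlag ...' and 'set protocols dhcp snooping ...' lines
used in the procedure are parsed. The forward/drop model follows the standard
DHCP snooping rule (server messages are accepted on trusted ports only); it is
an illustration, not the switch's implementation.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Relevant lines of the Switch1/Switch2 configuration from the procedure.
SWITCH1 = """
set protocols mlag domain 10 node 0
set protocols mlag domain 10 peer-ip 10.10.0.2 peer-link ae48
set protocols mlag domain 10 interface ae71 link 1
set protocols mlag domain 10 interface ae72 link 2
set protocols dhcp snooping vlan 10 disable false
set protocols dhcp snooping trust-port ae48
set protocols dhcp snooping trust-port ae72
"""
SWITCH2 = SWITCH1.replace("node 0", "node 1").replace("peer-ip 10.10.0.2", "peer-ip 10.10.0.1")

# Constructed misconfiguration for this example: Switch2 does not trust the peer link.
SWITCH2_BAD = SWITCH2.replace("set protocols dhcp snooping trust-port ae48\n", "")

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # DHCP messages only a server should send


@dataclass
class SnoopConfig:
    peer_link: Optional[str] = None
    mlag_links: Dict[str, int] = field(default_factory=dict)  # MLAG port -> link ID
    snooping_vlans: Set[int] = field(default_factory=set)
    trusted: Set[str] = field(default_factory=set)


def parse(text: str) -> SnoopConfig:
    """Extract peer link, MLAG link IDs, snooping VLANs and trusted ports."""
    cfg = SnoopConfig()
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"set protocols mlag domain \d+ peer-ip \S+ peer-link (\S+)", line):
            cfg.peer_link = m.group(1)
        elif m := re.fullmatch(r"set protocols mlag domain \d+ interface (\S+) link (\d+)", line):
            cfg.mlag_links[m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"set protocols dhcp snooping vlan (\d+) disable false", line):
            cfg.snooping_vlans.add(int(m.group(1)))
        elif m := re.fullmatch(r"set protocols dhcp snooping trust-port (\S+)", line):
            cfg.trusted.add(m.group(1))
    return cfg


def check_peers(a: SnoopConfig, b: SnoopConfig, server_links: Set[int]) -> List[str]:
    """Return the planning-rule violations for an MLAG pair (empty list means OK).

    server_links holds the MLAG link IDs that face the DHCP server (link 2 here).
    """
    problems: List[str] = []
    for name, cfg in (("node0", a), ("node1", b)):
        if cfg.peer_link is None:
            problems.append(f"{name}: no peer-link configured")
        elif cfg.peer_link not in cfg.trusted:
            problems.append(f"{name}: peer-link {cfg.peer_link} is not a trusted port; "
                            "server replies relayed by the peer would be dropped")
        for port, link in cfg.mlag_links.items():
            if link in server_links and port not in cfg.trusted:
                problems.append(f"{name}: server-facing port {port} (link {link}) is untrusted")
            if link not in server_links and port in cfg.trusted:
                problems.append(f"{name}: client-facing port {port} (link {link}) is trusted; "
                                "a rogue DHCP server on that link would be accepted")
    if (a.snooping_vlans, a.trusted, a.mlag_links) != (b.snooping_vlans, b.trusted, b.mlag_links):
        problems.append("DHCP snooping / MLAG link configuration differs between the peers")
    return problems


def snoop_decision(cfg: SnoopConfig, ingress_port: str, vlan: int, msg_type: str) -> str:
    """Model of the snooping filter: drop server messages that enter on untrusted ports."""
    if vlan in cfg.snooping_vlans and msg_type in SERVER_MESSAGES and ingress_port not in cfg.trusted:
        return "drop"
    return "forward"


if __name__ == "__main__":
    print("page configuration:", check_peers(parse(SWITCH1), parse(SWITCH2), {2}) or "OK")
    print("peer link untrusted on node1:", check_peers(parse(SWITCH1), parse(SWITCH2_BAD), {2}))
    # A DHCPOFFER that entered Switch1 on ae72 and crosses the peer link ae48 to Switch2:
    print("OFFER via peer link, trusted  :", snoop_decision(parse(SWITCH2), "ae48", 10, "OFFER"))
    print("OFFER via peer link, untrusted:", snoop_decision(parse(SWITCH2_BAD), "ae48", 10, "OFFER"))
    # A rogue server answering on the client-facing link ae71 is dropped in both cases:
    print("OFFER from client link ae71   :", snoop_decision(parse(SWITCH1), "ae71", 10, "OFFER"))
```

Run it against "show configuration | display set" output from both peers instead of the embedded strings to check a live pair; the same check_peers call applies, with server_links set to the link IDs that carry DHCP servers.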
Verify the Configuration
- Use the run show mlag domain summary command to display the global MLAG domain information. The Peer IP column shows the peer address configured in Step6 (10.10.0.2 on Switch1).
admin@Switch1# run show mlag domain summary
Domain ID: 10
Domain MAC: 48:6E:73:FF:00:0a
Node ID: 0
-----------------------------------------------------------------------
Peer Link  Peer IP    Peer Vlan  Neighbor Status  Config Matched  MAC Synced  # of Links
---------  ---------  ---------  ---------------  --------------  ----------  ----------
ae48       10.10.0.2  4088       ESTABLISHED      Yes             Yes         2
- Use the run show mlag link summary command to display MLAG link information. In the output below, Peer Status UNKNOWN and Config Matched No mean that the peer's view of links 1 and 2 has not been received yet; once both peers have committed matching link IDs for ae71 and ae72 (Step8), re-run the command and confirm that Config Matched reads Yes for both links.
admin@Switch1# run show mlag link summary
# of Links: 2
Link  Local LAG  Link Status  Local Status  Peer Status  Config Matched  Flood
----  ---------  -----------  ------------  -----------  --------------  -----
1     ae71       IDLE         UP            UNKNOWN      No              No
2     ae72       IDLE         UP            UNKNOWN      No              No
- Run the run show dhcp snooping binding command to view the DHCP snooping binding table. On Switch3 the client binding is learned on the untrusted access port ge-1/1/3; on Switch4 the same binding is learned on ae2, the port through which the client's request arrived from the MLAG pair. The binding table is what IP source guard and dynamic ARP inspection would later consult, so verify that the MAC, IP and port match the real client.
admin@Switch3# run show dhcp snooping binding
Total count: 1
MAC Address        IP Address  Port      VLAN ID  Lease(sec)
-----------------  ----------  --------  -------  ----------
00:1b:57:60:11:d1  71.0.0.15   ge-1/1/3  10       599/600
admin@Switch4# run show dhcp snooping binding
Total count: 1
MAC Address        IP Address  Port      VLAN ID  Lease(sec)
-----------------  ----------  --------  -------  ----------
00:1b:57:60:11:d1  71.0.0.15   ae2       10       599/600
Copyright © 2024 Pica8 Inc. All Rights Reserved.