DHCP Snooping over MLAG
Overview
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. It is a layer-2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. With DHCP snooping, the physical location of hosts can be tracked, only the IP addresses assigned for the hosts can be used, only the authorized DHCP servers are accessible. DHCP snooping can prevent attackers from adding their own DHCP servers to the network. DHCP snooping allows only clients with specific IP/MAC addresses to have access to the network.
The DHCP snooping over MLAG feature synchronizes the DHCP snooping binding database between the MLAG peers. If one of the MLAG peer node or MLAG link is down, the DHCP request / reply messages should be honoured by the partner.
DHCP snooping is supported over Active-Active MLAG mode using Static & Dynamic Channel group while Active-Standby MLAG mode using Static Channel group.
Topology
DHCP Snooping over MLAG
Configuration
LEAF:
#configure terminal | Configure terminal. |
(config)#bridge 1 protocol rstp vlan-bridge | Configuring the rstp vlan bridge |
(config)#vlan 2 bridge 1 state enable | Configure VLAN for the bridge |
(config)#interface po1 | Enter interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface ce1/2 | Enter interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface ce16/1 | Enter interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit interface mode |
(config)#interface ce16/2 | Enter interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit interface mode |
(config)#interface ce25/1 | Enter interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit interface mode |
(config)#interface ce25/2 | Enter interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit the configure mode |
TOR1:
#configure terminal | Configure terminal. |
(config)#bridge 1 protocol rstp vlan-bridge | Configuring the rstp vlan bridge |
(config)#vlan 2 bridge 1 state enable | Configure VLAN for the bridge |
(config)#ip dhcp snooping bridge 1 | Enable DHCP Snooping on the bridge |
(config)#ip dhcp snooping vlan 2 bridge 1 | Enable DHCP Snooping on the vlan 2 |
(config)#interface mlag1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#ip dhcp snooping trust | Enable the port as trusted. |
(config-if)#exit | Exit interface mode |
(config)#interface mlag2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)# switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface po1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 1 | Map po1 to mlag1 |
(config-if)#exit | Exit interface mode |
(config)#interface po2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 2 | Map po2 to mlag2 |
(config-if)#exit | Exit interface mode |
(config)#interface po5 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/1 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/2 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit interface mode |
(config)#interface xe51/1 | Enter Interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit interface mode |
(config)#interface xe51/2 | Enter Interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit interface mode |
(config)#interface xe53/1 | Enter Interface mode |
(config-if)#channel-group 5 mode active | Enable channel-group 5 |
(config-if)#exit | Exit interface mode |
(config)#interface xe53/2 | Enter Interface mode |
(config-if)#channel-group 5 mode active | Enable channel-group 5 |
(config-if)#exit | Exit interface mode |
(config)#mcec domain configuration | Enter MCEC mode |
(config-mcec-domain)#domain-address 1111.2222.3333 | Domain address for the mlag domain |
(config-mcec-domain)#domain-system-number 2 | Configure the domain system number |
(config-mcec-domain)#intra-domain-link po5 | Specify the intra domain link for MLAG communication |
config-mcec-domain)#end | Exit the configure mode |
TOR2:
#configure terminal | Configure terminal. |
(config)#bridge 1 protocol rstp vlan-bridge | Configuring the rstp vlan bridge |
(config)#vlan 2 bridge 1 state enable | Configure VLAN for the bridge |
(config)#ip dhcp snooping bridge 1 | Enable DHCP Snooping on the bridge |
(config)#ip dhcp snooping vlan 2 bridge 1 | Enable DHCP Snooping on the vlan 2 |
(config)#interface mlag1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#ip dhcp snooping trust | Enable the port as trusted. |
(config-if)#exit | Exit interface mode |
(config)#interface mlag2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface po1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 1 | Map po1 to mlag1 |
(config-if)#exit | Exit interface mode |
(config)#interface po2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 2 | Map po2 to mlag2 |
(config-if)#exit | Exit interface mode |
(config)#interface po5 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface ce16/1 | Enter Interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit interface mode |
(config)#interface ce16/2 | Enter Interface mode |
(config-if)#channel-group 1 mode active | Enable channel-group 1 |
(config-if)#exit | Exit interface mode |
(config)#interface ce25/1 | Enter Interface mode |
(config-if)#channel-group 5 mode active | Enable channel-group 5 |
(config-if)#exit | Exit interface mode |
(config)#interface ce25/2 | Enter Interface mode |
(config-if)#channel-group 5 mode active | Enable channel-group 5 |
(config-if)#exit | Exit interface mode |
(config)#interface ce26/1 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit interface mode |
(config)#interface ce26/2 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit interface mode |
(config)#mcec domain configuration | Enter MCEC mode |
(config-mcec-domain)#domain-address 1111.2222.3333 | Domain address for the mlag domain |
(config-mcec-domain)#domain-system-number 1 | Configure the domain system number |
(config-mcec-domain)#intra-domain-link po5 | Specify the intra domain link for MLAG communication |
(config-mcec-domain)#end | Exit the configure mode |
L2SW:
#configure terminal | Configure terminal. |
(config)#bridge 1 protocol rstp vlan-bridge | Configuring the rstp vlan bridge |
(config)#vlan 2 bridge 1 state enable | Configure VLAN for the bridge |
(config-if)#interface po2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface xe3 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/1 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/2 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit interface mode |
(config)#interface xe53/1 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit interface mode |
(config)#interface xe53/2 | Enter Interface mode |
(config-if)#channel-group 2 mode active | Enable channel-group 2 |
(config-if)#exit | Exit the configure mode |
Static MLAG configuration for TOR1 and TOR2
Note: Only mlag related configs for static MLAG is provided. While rest of the configuration is similar to dynamic.
TOR1:
#configure terminal | Configure terminal. |
(config)#interface mlag1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#mode active-standby | Configure mlag mode for mlag1 |
(config-if)#ip dhcp snooping trust | Enable the port as trusted. |
(config-if)#exit | Exit interface mode |
(config)#interface mlag2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#mode active-active | Configure mlag mode for mlag2 |
(config-if)#exit | Exit interface mode |
(config)#interface sa1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 1 | Map sa1 to mlag1 |
(config-if)#exit | Exit interface mode |
(config)#interface sa2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 2 | Map sa2 to mlag2 |
(config-if)#exit | Exit interface mode |
(config)#interface sa5 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#mcec domain configuration | Enter MCEC mode |
(config-mcec-domain)#domain-address 1111.2222.3333 | Domain address for the mlag domain |
(config-mcec-domain)#domain-system-number 1 | Configure the domain system number |
(config-mcec-domain)#intra-domain-link sa5 | Specify the intra domain link for MLAG communication |
(config-mcec-domain)#end | Exit the configure mode |
TOR2:
#configure terminal | Configure terminal. |
(config)#interface mlag1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#mode active-standby | Configure mlag mode for mlag1 |
(config-if)#ip dhcp snooping trust | Enable the port as trusted. |
(config-if)#exit | Exit interface mode |
(config)#interface mlag2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#mode active-active | Configure mlag mode for mlag2 |
(config-if)#exit | Exit interface mode |
(config)#interface sa1 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 1 | Map sa1 to mlag1 |
(config-if)#exit | Exit interface mode |
(config)#interface sa2 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#mlag 2 | Map sa2 to mlag2 |
(config-if)#exit | Exit interface mode |
(config)#interface sa5 | Enter Interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode trunk | Configure the mode as trunk |
(config-if)#switchport trunk allowed vlan add 2 | Allow vlan 2 on the interface |
(config-if)#exit | Exit interface mode |
(config)#mcec domain configuration | Enter MCEC mode |
(config-mcec-domain)#domain-address 1111.2222.3333 | Domain address for the mlag domain |
(config-mcec-domain)#domain-system-number 2 | Configure the domain system number |
(config-mcec-domain)#intra-domain-link sa5 | Specify the intra domain link for MLAG communication |
(config-mcec-domain)#end | Exit the configure mode |
Validation
1. Verify Dhcps Sync PDUs:
TOR1#show mcec statistics
Unknown MCCPDU received on the system : 0
------------------------------------
IDP po5
------------------------------------
Valid RX Hello PDUs : 2373
Valid TX Hello PDUs : 2373
Valid RX Info PDUs : 12
Valid TX Info PDUs : 20
Valid RX Mac Sync PDUs : 20
Valid TX Mac Sync PDUs : 20
Valid RX Dhcps Sync PDUs : 1
Valid TX Dhcps Sync PDUs : 3
MLAG 1
Valid RX Info PDUs : 6
Valid TX Info PDUs : 10
MLAG 2
Valid RX Info PDUs : 6
Valid TX Info PDUs : 10
TOR1#
TOR2#show mcec statistics
Unknown MCCPDU received on the system : 0
------------------------------------
IDP po5
------------------------------------
Valid RX Hello PDUs : 2384
Valid TX Hello PDUs : 2385
Valid RX Info PDUs : 18
Valid TX Info PDUs : 12
Valid RX Mac Sync PDUs : 20
Valid TX Mac Sync PDUs : 16
Valid RX Dhcps Sync PDUs : 3
Valid TX Dhcps Sync PDUs : 1
MLAG 1
Valid RX Info PDUs : 9
Valid TX Info PDUs : 6
MLAG 2
Valid RX Info PDUs : 9
Valid TX Info PDUs : 6
2. Verify dhcp binding entires:
TOR2#
TOR1# show ip dhcp snooping binding bridge 1
Total number of static IPV4 entries : 0
Total number of dynamic IPV4 entries : 1
Total number of static IPV6 entries : 0
Total number of dynamic IPV6 entries : 0
MacAddress IpAddress Lease(sec) Type VLAN Interfa
ce
------------------ --------------- ---------- ------------- ---- -------
-----------
80a2.35e9.8323 20.20.20.2 315 dhcp-snooping 2 mlag2
TOR1#
TOR2#show ip dhcp snooping binding bridge 1
Total number of static IPV4 entries : 0
Total number of dynamic IPV4 entries : 1
Total number of static IPV6 entries : 0
Total number of dynamic IPV6 entries : 0
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- ------------------
80a2.35e9.8323 20.20.20.2 315 dhcp-snooping 2 mlag2
3. Verify that DHCP snooping is enabled on the bridge
TOR2#
TOR1#show ip dhcp snooping bridge 1
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Disabled
Verification of hwaddr field is : Disabled
Strict validation of DHCP packet is : Disabled
DB Write Interval(secs) : 300
DHCP snooping is configured on following VLANs : 2
DHCP snooping is operational on following VLANs : 2
DHCP snooping trust is configured on the following Interfaces
Interface Trusted
--------------- -------
mlag1 Yes
po5 Yes
DHCP snooping IP Source Guard is configured on the following Interfaces
Interface Source Guard
--------------- ------------
TOR1#
TOR2#show ip dhcp snooping bridge 1
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Disabled
Verification of hwaddr field is : Disabled
Strict validation of DHCP packet is : Disabled
DB Write Interval(secs) : 300
DHCP snooping is configured on following VLANs : 2
DHCP snooping is operational on following VLANs : 2
DHCP snooping trust is configured on the following Interfaces
Interface Trusted
--------------- -------
mlag1 Yes
po5 Yes
DHCP snooping IP Source Guard is configured on the following Interfaces
Interface Source Guard
--------------- ------------
TOR2#
4. Verify dhcp snooping running configs
TOR1#show running-config ip dhcp snooping
!
debug ip dhcp snooping all
!
ip dhcp snooping bridge 1
ip dhcp snooping vlan 2 bridge 1
interface mlag1
ip dhcp snooping trust
!
interface po5
ip dhcp snooping trust
!
TOR1#
TOR2#show running-config ip dhcp snooping
!
debug ip dhcp snooping all
!
ip dhcp snooping bridge 1
ip dhcp snooping vlan 2 bridge 1
interface mlag1
ip dhcp snooping trust
!
interface po5
ip dhcp snooping trust
!
TOR2#
5. Verify mlag details:
TOR2#show mlag domain details
------------------------------------
Domain Configuration
------------------------------------
Domain System Number : 1
Domain Address : 1111.2222.3333
Domain Priority : 32768
Intra Domain Interface : po5
Hello RCV State : Current
Hello Periodic Timer State : Slow Periodic
Domain Sync : IN_SYNC
Neigh Domain Sync : IN_SYNC
Domain Adjacency : UP
------------------------------------
MLAG Configuration
------------------------------------
MLAG-1
Mapped Aggregator : po1
Admin Key : 16385
Oper Key : 16385
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Neigh Admin Key : 32769
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
MLAG-2
Mapped Aggregator : po2
Admin Key : 16386
Oper Key : 16386
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Neigh Admin Key : 32770
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
TOR2#
TOR1#show mlag domain details
------------------------------------
Domain Configuration
------------------------------------
Domain System Number : 2
Domain Address : 1111.2222.3333
Domain Priority : 32768
Intra Domain Interface : po5
Hello RCV State : Current
Hello Periodic Timer State : Slow Periodic
Domain Sync : IN_SYNC
Neigh Domain Sync : IN_SYNC
Domain Adjacency : UP
------------------------------------
MLAG Configuration
------------------------------------
MLAG-1
Mapped Aggregator : po1
Admin Key : 32769
Oper Key : 16385
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Neigh Admin Key : 16385
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
MLAG-2
Mapped Aggregator : po2
Admin Key : 32770
Oper Key : 16386
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Neigh Admin Key : 16386
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
TOR1#