OcNOS-DC : System Management Guide : System Management Configuration Guide : DHCP Snooping over MLAG
DHCP Snooping over MLAG
Overview
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. It is a layer-2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. With DHCP snooping, the physical location of hosts can be tracked, only the IP addresses assigned for the hosts can be used, only the authorized DHCP servers are accessible. DHCP snooping can prevent attackers from adding their own DHCP servers to the network. DHCP snooping allows only clients with specific IP/MAC addresses to have access to the network.
The DHCP snooping over MLAG feature synchronizes the DHCP snooping binding database between the MLAG peers. If one of the MLAG peer node or MLAG link is down, the DHCP request / reply messages should be honoured by the partner.
DHCP snooping is supported over Active-Active MLAG mode using Static & Dynamic Channel group while Active-Standby MLAG mode using Static Channel group.
Topology
DHCP Snooping over MLAG
Configuration
LEAF:
#configure terminal
Configure terminal.
(config)#bridge 1 protocol rstp vlan-bridge
Configuring the rstp vlan bridge
(config)#vlan 2 bridge 1 state enable
Configure VLAN for the bridge
(config)#interface po1
Enter interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface ce1/2
Enter interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface ce16/1
Enter interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit interface mode
(config)#interface ce16/2
Enter interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit interface mode
(config)#interface ce25/1
Enter interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit interface mode
(config)#interface ce25/2
Enter interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit the configure mode
TOR1:
#configure terminal
Configure terminal.
(config)#bridge 1 protocol rstp vlan-bridge
Configuring the rstp vlan bridge
(config)#vlan 2 bridge 1 state enable
Configure VLAN for the bridge
(config)#ip dhcp snooping bridge 1
Enable DHCP Snooping on the bridge
(config)#ip dhcp snooping vlan 2 bridge 1
Enable DHCP Snooping on the vlan 2
(config)#interface mlag1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#ip dhcp snooping trust
Enable the port as trusted.
(config-if)#exit
Exit interface mode
(config)#interface mlag2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)# switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface po1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 1
Map po1 to mlag1
(config-if)#exit
Exit interface mode
(config)#interface po2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 2
Map po2 to mlag2
(config-if)#exit
Exit interface mode
(config)#interface po5
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface xe49/1
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit interface mode
(config)#interface xe49/2
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit interface mode
(config)#interface xe51/1
Enter Interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit interface mode
(config)#interface xe51/2
Enter Interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit interface mode
(config)#interface xe53/1
Enter Interface mode
(config-if)#channel-group 5 mode active
Enable channel-group 5
(config-if)#exit
Exit interface mode
(config)#interface xe53/2
Enter Interface mode
(config-if)#channel-group 5 mode active
Enable channel-group 5
(config-if)#exit
Exit interface mode
(config)#mcec domain configuration
Enter MCEC mode
(config-mcec-domain)#domain-address 1111.2222.3333
Domain address for the mlag domain
(config-mcec-domain)#domain-system-number 2
Configure the domain system number
(config-mcec-domain)#intra-domain-link po5
Specify the intra domain link for MLAG communication
config-mcec-domain)#end
Exit the configure mode
TOR2:
#configure terminal
Configure terminal.
(config)#bridge 1 protocol rstp vlan-bridge
Configuring the rstp vlan bridge
(config)#vlan 2 bridge 1 state enable
Configure VLAN for the bridge
(config)#ip dhcp snooping bridge 1
Enable DHCP Snooping on the bridge
(config)#ip dhcp snooping vlan 2 bridge 1
Enable DHCP Snooping on the vlan 2
(config)#interface mlag1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#ip dhcp snooping trust
Enable the port as trusted.
(config-if)#exit
Exit interface mode
(config)#interface mlag2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface po1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 1
Map po1 to mlag1
(config-if)#exit
Exit interface mode
(config)#interface po2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 2
Map po2 to mlag2
(config-if)#exit
Exit interface mode
(config)#interface po5
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface ce16/1
Enter Interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit interface mode
(config)#interface ce16/2
Enter Interface mode
(config-if)#channel-group 1 mode active
Enable channel-group 1
(config-if)#exit
Exit interface mode
(config)#interface ce25/1
Enter Interface mode
(config-if)#channel-group 5 mode active
Enable channel-group 5
(config-if)#exit
Exit interface mode
(config)#interface ce25/2
Enter Interface mode
(config-if)#channel-group 5 mode active
Enable channel-group 5
(config-if)#exit
Exit interface mode
(config)#interface ce26/1
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit interface mode
(config)#interface ce26/2
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit interface mode
(config)#mcec domain configuration
Enter MCEC mode
(config-mcec-domain)#domain-address 1111.2222.3333
Domain address for the mlag domain
(config-mcec-domain)#domain-system-number 1
Configure the domain system number
(config-mcec-domain)#intra-domain-link po5
Specify the intra domain link for MLAG communication
(config-mcec-domain)#end
Exit the configure mode
L2SW:
#configure terminal
Configure terminal.
(config)#bridge 1 protocol rstp vlan-bridge
Configuring the rstp vlan bridge
(config)#vlan 2 bridge 1 state enable
Configure VLAN for the bridge
(config-if)#interface po2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface xe3
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#interface xe49/1
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit interface mode
(config)#interface xe49/2
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit interface mode
(config)#interface xe53/1
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit interface mode
(config)#interface xe53/2
Enter Interface mode
(config-if)#channel-group 2 mode active
Enable channel-group 2
(config-if)#exit
Exit the configure mode
Static MLAG configuration for TOR1 and TOR2
Note: Only mlag related configs for static MLAG is provided. While rest of the configuration is similar to dynamic.
TOR1:
#configure terminal
Configure terminal.
(config)#interface mlag1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#mode active-standby
Configure mlag mode for mlag1
(config-if)#ip dhcp snooping trust
Enable the port as trusted.
(config-if)#exit
Exit interface mode
(config)#interface mlag2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#mode active-active
Configure mlag mode for mlag2
(config-if)#exit
Exit interface mode
(config)#interface sa1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 1
Map sa1 to mlag1
(config-if)#exit
Exit interface mode
(config)#interface sa2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 2
Map sa2 to mlag2
(config-if)#exit
Exit interface mode
(config)#interface sa5
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#mcec domain configuration
Enter MCEC mode
(config-mcec-domain)#domain-address 1111.2222.3333
Domain address for the mlag domain
(config-mcec-domain)#domain-system-number 1
Configure the domain system number
(config-mcec-domain)#intra-domain-link sa5
Specify the intra domain link for MLAG communication
(config-mcec-domain)#end
Exit the configure mode
TOR2:
#configure terminal
Configure terminal.
(config)#interface mlag1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#mode active-standby
Configure mlag mode for mlag1
(config-if)#ip dhcp snooping trust
Enable the port as trusted.
(config-if)#exit
Exit interface mode
(config)#interface mlag2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#mode active-active
Configure mlag mode for mlag2
(config-if)#exit
Exit interface mode
(config)#interface sa1
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 1
Map sa1 to mlag1
(config-if)#exit
Exit interface mode
(config)#interface sa2
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#mlag 2
Map sa2 to mlag2
(config-if)#exit
Exit interface mode
(config)#interface sa5
Enter Interface mode
(config-if)#switchport
Make the interface Layer 2
(config-if)#bridge-group 1
Associate the interface to bridge
(config-if)#switchport mode trunk
Configure the mode as trunk
(config-if)#switchport trunk allowed vlan add 2
Allow vlan 2 on the interface
(config-if)#exit
Exit interface mode
(config)#mcec domain configuration
Enter MCEC mode
(config-mcec-domain)#domain-address 1111.2222.3333
Domain address for the mlag domain
(config-mcec-domain)#domain-system-number 2
Configure the domain system number
(config-mcec-domain)#intra-domain-link sa5
Specify the intra domain link for MLAG communication
(config-mcec-domain)#end
Exit the configure mode
 
 
Validation
1. Verify Dhcps Sync PDUs:
TOR1#show mcec statistics
 
Unknown MCCPDU received on the system : 0
 
------------------------------------
IDP po5
------------------------------------
Valid RX Hello PDUs : 2373
Valid TX Hello PDUs : 2373
Valid RX Info PDUs : 12
Valid TX Info PDUs : 20
 
Valid RX Mac Sync PDUs : 20
Valid TX Mac Sync PDUs : 20
 
Valid RX Dhcps Sync PDUs : 1
Valid TX Dhcps Sync PDUs : 3
 
MLAG 1
Valid RX Info PDUs : 6
Valid TX Info PDUs : 10
 
MLAG 2
Valid RX Info PDUs : 6
Valid TX Info PDUs : 10
 
TOR1#
TOR2#show mcec statistics
 
Unknown MCCPDU received on the system : 0
 
------------------------------------
IDP po5
------------------------------------
Valid RX Hello PDUs : 2384
Valid TX Hello PDUs : 2385
Valid RX Info PDUs : 18
Valid TX Info PDUs : 12
 
Valid RX Mac Sync PDUs : 20
Valid TX Mac Sync PDUs : 16
 
Valid RX Dhcps Sync PDUs : 3
Valid TX Dhcps Sync PDUs : 1
 
MLAG 1
Valid RX Info PDUs : 9
Valid TX Info PDUs : 6
 
MLAG 2
Valid RX Info PDUs : 9
Valid TX Info PDUs : 6
 
2. Verify dhcp binding entires:
TOR2#
TOR1# show ip dhcp snooping binding bridge 1
 
Total number of static IPV4 entries : 0
Total number of dynamic IPV4 entries : 1
Total number of static IPV6 entries : 0
Total number of dynamic IPV6 entries : 0
 
MacAddress IpAddress Lease(sec) Type VLAN Interfa
ce
------------------ --------------- ---------- ------------- ---- -------
-----------
80a2.35e9.8323 20.20.20.2 315 dhcp-snooping 2 mlag2
 
TOR1#
 
TOR2#show ip dhcp snooping binding bridge 1
 
Total number of static IPV4 entries : 0
Total number of dynamic IPV4 entries : 1
Total number of static IPV6 entries : 0
Total number of dynamic IPV6 entries : 0
 
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- ------------------
80a2.35e9.8323 20.20.20.2 315 dhcp-snooping 2 mlag2
 
3. Verify that DHCP snooping is enabled on the bridge
 
TOR2#
 
TOR1#show ip dhcp snooping bridge 1
 
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Disabled
Verification of hwaddr field is : Disabled
Strict validation of DHCP packet is : Disabled
DB Write Interval(secs) : 300
DHCP snooping is configured on following VLANs : 2
DHCP snooping is operational on following VLANs : 2
 
DHCP snooping trust is configured on the following Interfaces
 
Interface Trusted
--------------- -------
mlag1 Yes
po5 Yes
 
DHCP snooping IP Source Guard is configured on the following Interfaces
 
Interface Source Guard
--------------- ------------
 
TOR1#
 
TOR2#show ip dhcp snooping bridge 1
 
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Disabled
Verification of hwaddr field is : Disabled
Strict validation of DHCP packet is : Disabled
DB Write Interval(secs) : 300
DHCP snooping is configured on following VLANs : 2
DHCP snooping is operational on following VLANs : 2
 
DHCP snooping trust is configured on the following Interfaces
 
Interface Trusted
--------------- -------
mlag1 Yes
po5 Yes
 
DHCP snooping IP Source Guard is configured on the following Interfaces
 
Interface Source Guard
--------------- ------------
TOR2#
 
4. Verify dhcp snooping running configs
TOR1#show running-config ip dhcp snooping
!
debug ip dhcp snooping all
!
ip dhcp snooping bridge 1
ip dhcp snooping vlan 2 bridge 1
interface mlag1
ip dhcp snooping trust
!
interface po5
ip dhcp snooping trust
!
TOR1#
 
TOR2#show running-config ip dhcp snooping
!
debug ip dhcp snooping all
!
ip dhcp snooping bridge 1
ip dhcp snooping vlan 2 bridge 1
interface mlag1
ip dhcp snooping trust
!
interface po5
ip dhcp snooping trust
!
TOR2#
 
5. Verify mlag details:
TOR2#show mlag domain details
 
------------------------------------
Domain Configuration
------------------------------------
 
Domain System Number : 1
Domain Address : 1111.2222.3333
Domain Priority : 32768
Intra Domain Interface : po5
 
Hello RCV State : Current
Hello Periodic Timer State : Slow Periodic
Domain Sync : IN_SYNC
Neigh Domain Sync : IN_SYNC
Domain Adjacency : UP
 
------------------------------------
MLAG Configuration
------------------------------------
 
MLAG-1
Mapped Aggregator : po1
Admin Key : 16385
Oper Key : 16385
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
 
Neigh Admin Key : 32769
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
 
MLAG-2
Mapped Aggregator : po2
Admin Key : 16386
Oper Key : 16386
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
 
Neigh Admin Key : 32770
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
 
TOR2#
 
TOR1#show mlag domain details
 
------------------------------------
Domain Configuration
------------------------------------
 
Domain System Number : 2
Domain Address : 1111.2222.3333
Domain Priority : 32768
Intra Domain Interface : po5
 
Hello RCV State : Current
Hello Periodic Timer State : Slow Periodic
Domain Sync : IN_SYNC
Neigh Domain Sync : IN_SYNC
Domain Adjacency : UP
 
------------------------------------
MLAG Configuration
------------------------------------
 
MLAG-1
Mapped Aggregator : po1
Admin Key : 32769
Oper Key : 16385
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
 
 
Neigh Admin Key : 16385
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
 
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
 
MLAG-2
Mapped Aggregator : po2
Admin Key : 32770
Oper Key : 16386
Physical properties Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
 
 
Neigh Admin Key : 16386
Neigh Physical Digest : 54 a9 3a 2a 2b 50 65 bb 3c bc 3d bd c2 43 d6 22
 
Info RCV State : Current
Info Periodic Time State : Standby
Total Bandwidth : 40g
Mlag Sync : IN_SYNC
Mlag Mode : Active-Active
Mlag State : UP
 
TOR1#