Configuring IP Source Guard on LAG Port
In this example, the LAG port (sa2) is created, then physical interfaces are added.
 
#configure terminal
Enter configure mode.
(config)#bridge 1 protocol ieee vlan-bridge
Create IEEE VLAN bridge 1.
(config)#vlan 2 bridge 1 state enable
Create VLAN 2.
(config)#ip dhcp snooping bridge 1
Configure DHCP snooping for bridge 1
(config)#ip dhcp snooping information option bridge 1
Configure DHCP snooping information option 82
(config)#ip dhcp snooping ratelimit 0 bridge 1
Configure the DHCP snooping rate limit. The default value is 100.
(config)#ip dhcp snooping vlan 2 bridge 1
Configure DHCP snooping for vlan 2 for bridge 1
(config)#ip dhcp snooping verify mac-address bridge 1
Configure DHCP snooping verify mac-address
(config)#interface sa2
Enter Interface Mode
(config-if)#switchport
Configure the interface as Layer 2
(config-if)#bridge-group 1
Associate the interface with bridge group 1.
(config-if)#ip verify source dhcp-snooping-vlan
Configure IP source guard at the interface level. This is configured on the interface connected to the client side.
(config-if)#ip verify source access-group mode merge
Merge the IPSG policy with other ACLs.
(config-if)#exit
Exit interface mode
(config)#interface xe2
Enter Interface Mode
(config-if)#switchport
Configure the interface as Layer 2
(config-if)#bridge-group 1
Associate the interface with bridge group 1.
(config-if)#switchport mode access
Set the Layer 2 interface to access mode. (Trunk mode can also be used.)
(config-if)#switchport access vlan 2
Set the default VLAN for the interface
(config-if)#ip dhcp snooping trust
Configure the interface as trusted. This is configured on the interface connected to the server side.
(config-if)#exit
Exit interface mode.
(config)#interface xe1
Enter Interface Mode
(config-if)#switchport
Configure the interface as Layer 2
(config-if)#bridge-group 1
Associate the interface with bridge group 1.
(config-if)#switchport mode access
Set the Layer 2 interface to access mode. (Trunk mode can also be used.)
(config-if)#switchport access vlan 2
Set the default VLAN for the interface
(config-if)#static-channel-group 2
Configure the static channel LAG on the interface.
(config-if)#exit
Exit interface mode
(config)#ip dhcp snooping binding bridge 1 0011.1111.2222 2 ipv4 1.1.1.1 sa2
Configure an IPv4 static DHCP snooping entry with the MAC address and source address for the configured LAG interface and VLAN.
(config)#ip dhcp snooping binding bridge 1 0022.2222.3333 2 ipv6 3ffe::1 sa2
Configure an IPv6 static DHCP snooping entry with the MAC address and source address for the configured LAG interface and VLAN.
(config)#exit
Exit config mode
#clear ip dhcp snooping binding bridge 1
Clear the dynamically learned entries from the DHCP binding table.
Validation
Verify that DHCP snooping is enabled on the bridge with the static LAG interface:
#sh ip dhcp snooping bridge 1
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Enabled
Verification of hwaddr field is : Enabled
Rate limit(pps) : 0
DHCP snooping is configured on following VLANs : 2
DHCP snooping is operational on following VLANs : 2
DHCP snooping trust is configured on the following Interfaces
Interface       Trusted
--------------- -------
Xe2             Yes
DHCP snooping IP Source Guard is configured on the following Interfaces
Interface       Source Guard
--------------- ------------
sa2             Yes
Verify that static DHCP snooping or source guard entries are configured for the bridge with the LAG interface:
#sh ip dhcp snooping binding bridge 1
Total number of static IPV4 entries : 1
Total number of dynamic IPV4 entries : 0
Total number of static IPV6 entries : 1
Total number of dynamic IPV6 entries : 0
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- ------------------
0011.1111.2222     1.1.1.1         0          static        2    sa2
0022.2222.3333     3ffe::1         0          static        2    sa2
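The two validation checks above can be scripted. The following Python is an added example, not part of the OcNOS documentation or software: it parses excerpts of the two show outputs from this page and reports bindings that sit on an interface without IP source guard or in a VLAN that is not snooped. The function names and finding texts are assumptions made for the illustration, and the VLAN list is assumed to contain plain numbers.

```python
import re

# Excerpts of this page's Validation output (separator rows omitted).
SNOOPING = """\
DHCP snooping is : Enabled
DHCP snooping is configured on following VLANs : 2
DHCP snooping trust is configured on the following Interfaces
Interface Trusted
Xe2 Yes
DHCP snooping IP Source Guard is configured on the following Interfaces
Interface Source Guard
sa2 Yes
"""
BINDINGS = """\
MacAddress IpAddress Lease(sec) Type VLAN Interface
0011.1111.2222 1.1.1.1 0 static 2 sa2
0022.2222.3333 3ffe::1 0 static 2 sa2
"""
MAC = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

def parse_snooping(text):
    """Return (enabled, snooped VLANs, trusted ports, source-guard ports)."""
    enabled, vlans, trusted, guarded, section = False, set(), set(), set(), None
    for line in text.splitlines():
        if line.startswith("DHCP snooping is :"):
            enabled = line.split(":")[1].strip() == "Enabled"
        elif line.startswith("DHCP snooping is configured on following VLANs"):
            vlans = set(re.findall(r"\d+", line.split(":")[1]))
        elif "trust is configured" in line:
            section = trusted
        elif "IP Source Guard is configured" in line:
            section = guarded
        elif section is not None and line.split()[-1:] == ["Yes"]:
            section.add(line.split()[0].lower())  # output shows Xe2, config xe2
    return enabled, vlans, trusted, guarded

def audit(snooping, bindings):
    """List findings where a binding is not covered by snooping or IPSG."""
    enabled, vlans, trusted, guarded = parse_snooping(snooping)
    findings = [] if enabled else ["DHCP snooping is disabled"]
    findings += [f"{p}: trusted and source-guarded" for p in sorted(trusted & guarded)]
    rows = [r for r in map(str.split, bindings.splitlines())
            if len(r) == 6 and MAC.match(r[0])]  # skip header and blank lines
    for mac, ip, _lease, _kind, vlan, port in rows:
        if port.lower() not in guarded:
            findings.append(f"{mac} {ip}: {port} has no IP source guard")
        if vlan not in vlans:
            findings.append(f"{mac} {ip}: VLAN {vlan} is not snooped")
    return findings
```

Calling audit(SNOOPING, BINDINGS) on the output shown on this page returns an empty list; lines of the full show output that the parser does not recognise are ignored.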
Last modified date: 07-14-2023