
DHCP snooping configuration example, Multi-VRF support – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


DHCP snooping configuration example

The following example configures VLAN 2 and VLAN 20, and changes the CLI to the global
configuration level to enable DHCP snooping on the two VLANs. The commands are as follows.

device(config)#vlan 2

device(config-vlan-2)#untagged ethe 1/3 to 1/4

device(config-vlan-2)#router-interface ve 2

device(config-vlan-2)#exit

device(config)#ip dhcp snooping vlan 2

device(config)#vlan 20

device(config-vlan-20)#untagged ethe 1/1 to 1/2

device(config-vlan-20)#router-interface ve 20

device(config-vlan-20)#exit

device(config)#ip dhcp snooping vlan 20

On VLAN 2, client ports 1/3 and 1/4 are untrusted; by default, all client ports are untrusted. Hence, only
DHCP client request packets received on ports 1/3 and 1/4 are forwarded.

On VLAN 20, ports 1/1 and 1/2 are connected to a DHCP server. DHCP server ports are set to trusted.

device(config)#interface ethernet 1/1

device(config-if-e10000-1/1)#dhcp snooping trust

device(config-if-e10000-1/1)#exit

device(config)#interface ethernet 1/2

device(config-if-e10000-1/2)#dhcp snooping trust

device(config-if-e10000-1/2)#exit

Hence, DHCP server reply packets received on ports 1/1 and 1/2 are forwarded, and client IP/MAC
binding information is collected.

The example also sets the DHCP server address for the local relay agent.

device(config)#interface ve 2

device(config-vif-2)#ip address 10.20.20.1/24

device(config-vif-2)#ip helper-address 1 10.30.30.4

device(config-vif-2)#interface ve 20

device(config-vif-20)#ip address 10.30.30.1/24
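
The forwarding behaviour described in this example, as a simplified model added here (not Brocade code or device output): the Python below parses the example's VLAN and trust commands with prompts removed, derives per-port trust state, and reports how a DHCP message arriving on a port is treated. The message names and the functions `parse`, `verdict` and `exposed_ports` are assumptions of this sketch, and only untagged port ranges on a single slot are parsed.

```python
import re

# Commands from the example above, prompts removed (constructed input).
CONFIG = """\
vlan 2
 untagged ethe 1/3 to 1/4
ip dhcp snooping vlan 2
vlan 20
 untagged ethe 1/1 to 1/2
ip dhcp snooping vlan 20
interface ethernet 1/1
 dhcp snooping trust
interface ethernet 1/2
 dhcp snooping trust
"""

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP messages only a server sends

def parse(config):
    """Return (port -> VLAN, set of snooping VLANs, set of trusted ports)."""
    port_vlan, snooping, trusted = {}, set(), set()
    vlan = iface = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m[1])
        elif m := re.fullmatch(r"untagged ethe (\d+)/(\d+) to \1/(\d+)", line):
            for n in range(int(m[2]), int(m[3]) + 1):
                port_vlan[f"{m[1]}/{n}"] = vlan
        elif m := re.fullmatch(r"ip dhcp snooping vlan (\d+)", line):
            snooping.add(int(m[1]))
        elif m := re.fullmatch(r"interface ethernet (\S+)", line):
            iface = m[1]
        elif line == "dhcp snooping trust" and iface:
            trusted.add(iface)
    return port_vlan, snooping, trusted

def verdict(state, port, msg):
    """Simplified model: server messages on an untrusted snooped port are dropped."""
    port_vlan, snooping, trusted = state
    if port_vlan.get(port) in snooping and port not in trusted and msg in SERVER_MSGS:
        return "drop"
    return "forward"

def exposed_ports(state):
    """Ports whose VLAN has no snooping, so a rogue server reply would pass."""
    port_vlan, snooping, _ = state
    return sorted(p for p, v in port_vlan.items() if v not in snooping)
```

Running `exposed_ports` against a saved configuration is a quick check that every access VLAN still has `ip dhcp snooping vlan` applied after a change.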

Multi-VRF support

NOTE
For VRF-related configurations and changes, see the FastIron Ethernet Switch Layer 3 Routing
Configuration Guide.

DHCP supports Multi-VRF (Virtual Routing and Forwarding) instances. You can deploy multiple VRFs
on a Brocade Ethernet switch. Each VLAN having a Virtual Interface (VE) is assigned to a VRF.

You can enable DHCP snooping on individual VLANs and assign any interface as the DHCP trust
interface. If an interface is a tagged port in this VLAN, you can turn on the trust port per VRF, so that
traffic intended for other VRF VLANs will not be trusted.

To configure DHCP IPv4 snooping to support a Multi-VRF instance, do the following:

• DHCP IPv4 snooping requires that the acl-per-port-per-vlan setting be enabled. To enable the
setting:

Brocade(config)# enable acl-per-port-per-vlan

Reload required. Please write memory and then reload or power cycle.


FastIron Ethernet Switch Security Configuration Guide


53-1003088-03