
Example: Prioritizing Snooped and Inspected Packet


On EX Series switches you might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay, and you might also need the port security features of DHCP snooping and dynamic ARP inspection (DAI) on the same ports through which those critical packets enter and leave. You can combine the advantages of both features by using CoS forwarding classes and queues to prioritize snooped and inspected packets. This type of configuration places the snooped and inspected packets in the desired egress queue, ensuring that the security procedure does not interfere with the transmittal of this high-priority traffic. This is especially important for traffic that is sensitive to jitter and delay, such as voice traffic.

This example shows how to configure the switch to prioritize snooped and inspected packets in heavy network traffic.

Requirements

This example uses the following hardware and software components:

  • One EX Series switch

  • Junos OS Release 11.2 or later for EX Series switches

  • A DHCP server to provide IP addresses to network devices on the switch

Before you specify CoS forwarding classes for snooped and inspected packets, be sure you have:

  • Connected the DHCP server to the switch.

  • Configured the VLAN VLAN200 on the switch. See Configuring VLANs for EX Series Switches.

  • Configured two interfaces, ge-0/0/1 and ge-0/0/8, to belong to VLAN200.

Overview and Topology

Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. To protect the devices from such attacks, you can configure DHCP snooping to validate DHCP server messages and DAI to protect against MAC spoofing. If you have to deal with periods of heavy network congestion and you want to ensure that sensitive traffic is not disrupted, you can combine the port security features with CoS forwarding classes to prioritize the handling of the snooped and inspected security packets.

In the default switch configuration:

  • Secure port access is activated on the switch.

  • DHCP snooping and DAI are disabled on all VLANs.

  • All access ports are untrusted and all trunk ports are trusted for DHCP snooping.

This example shows how to combine the DHCP snooping and DAI security features with prioritized forwarding of snooped and inspected packets.

The setup for this example includes the VLAN VLAN200 on the switch. Figure 1 illustrates the topology for this example.

Figure 1: Network Topology for Using CoS Forwarding Classes to Prioritize Snooped and Inspected Packets

The components of the topology for this example are shown in Table 1.

Table 1: Components of the Topology for Using CoS Forwarding Classes to Prioritize Snooped and Inspected Packets

  Properties                  Settings
  Switch hardware             EX Series switch
  VLAN name                   VLAN200
  Interfaces in VLAN200       ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
  Interface for DHCP server   ge-0/0/8

In the configuration tasks for this example, you create a user-defined forwarding class c1, you enable DHCP snooping and DAI on VLAN200, and you assign the snooped and inspected packets to forwarding class c1 and queue 6. Queues 6 and 7 are reserved for high-priority control packets. The packets that are subjected to DHCP snooping and DAI are control (not data) packets; therefore, it is appropriate to place these snooped and inspected high-priority control packets in queue 6. (Queue 7 has higher priority than queue 6 and can also be used for this purpose.)

Configuration

To configure DHCP snooping and DAI on VLAN200, and to prioritize the snooped and inspected packets:

CLI Quick Configuration

To quickly configure DHCP snooping and DAI with prioritized forwarding of snooped and inspected packets, copy the following commands and paste them into the switch terminal window:

[edit]
set class-of-service forwarding-classes class c1 queue 6
set ethernet-switching-options secure-access-port vlan VLAN200 examine-dhcp forwarding-class c1
set ethernet-switching-options secure-access-port vlan VLAN200 arp-inspection forwarding-class c1

Step-by-Step Procedure

Configure DHCP snooping and DAI with prioritized forwarding of snooped and inspected packets:

  1. Create a user-defined forwarding class to be used for prioritizing the snooped and inspected packets.
    [edit class-of-service]

    user@switch# set forwarding-classes class c1 queue 6
  2. Enable DHCP snooping on the VLAN and apply forwarding class c1 to the snooped packets:
    [edit ethernet-switching-options secure-access-port]

    user@switch# set vlan VLAN200 examine-dhcp forwarding-class c1
  3. Enable DAI on the VLAN and apply forwarding class c1 to the inspected packets:
    [edit ethernet-switching-options secure-access-port]

    user@switch# set vlan VLAN200 arp-inspection forwarding-class c1

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That Prioritized Forwarding Is Working Correctly on the Snooped Packets

Purpose

Verify that prioritized forwarding is working on the DHCP snooped packets.

Action

Send some DHCP requests from network devices to the switch. Display the output queue for one of the interfaces in VLAN200 to make sure that the packets are being transmitted in the designated queue:

user@switch> show interfaces ge-0/0/1 extensive

Meaning

The command output shows that packets have been transmitted on forwarding class c1 queue 6.

Continue testing by changing the setting of examine-dhcp forwarding-class to use one of the default queues, such as best-effort, and repeat the show interfaces command to compare the difference in the output. You can tell that the setting is working correctly by seeing the difference in the number of transmitted packets reported for forwarding class c1 queue 6.

Verifying That Prioritized Forwarding Is Working Correctly on the DAI Inspected Packets

Purpose

Verify that prioritized forwarding is working on the DAI inspected packets.

Action

Send some ARP requests from network devices to the switch. Display the output queue for one of the interfaces in VLAN200 to make sure that the packets are being transmitted in the designated queue:

user@switch> show interfaces ge-0/0/1 extensive

Meaning

The command output shows that packets have been transmitted on forwarding class c1 queue 6.

Continue testing by changing the setting of arp-inspection forwarding-class to use one of the default queues, such as best-effort, and repeat the show interfaces command to compare the difference in the output. You can tell that the setting is working correctly by seeing the difference in the number of transmitted packets reported for forwarding class c1 queue 6.
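Both verification tasks above rely on the same check: capture the Queue counters table of show interfaces ge-0/0/1 extensive before and after sending the DHCP or ARP test traffic, and confirm that the Transmitted packets counter for the queue bound to forwarding class c1 (queue 6) has grown. The script below automates that comparison; it is an added example, not part of the Juniper documentation, and the two counter tables are constructed samples whose layout is assumed rather than captured from a real switch.

```python
import re

# Constructed samples of the "Queue counters" table printed by
# "show interfaces ge-0/0/1 extensive", taken before and after the DHCP/ARP
# test traffic was sent. The layout is assumed, not captured from a real switch.
BEFORE = """\
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                 1200                 1200                    0
    1 assured-forw                   0                    0                    0
    5 expedited-fo                   0                    0                    0
    6 c1                            17                   17                    0
    7 network-cont                 340                  340                    0
"""
AFTER = """\
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                 1215                 1215                    0
    1 assured-forw                   0                    0                    0
    5 expedited-fo                   0                    0                    0
    6 c1                            42                   42                    0
    7 network-cont                 352                  352                    0
"""

QUEUE_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_queue_counters(text):
    """Return {queue: (class, queued, transmitted, dropped)} from the table."""
    counters, in_table = {}, False
    for line in text.splitlines():
        if "Queue counters:" in line:
            in_table = True
            continue
        if not in_table:
            continue
        m = QUEUE_LINE.match(line)
        if not m:            # first non-matching line ends the table
            break
        q, cls, queued, tx, dropped = m.groups()
        counters[int(q)] = (cls, int(queued), int(tx), int(dropped))
    return counters

def transmitted_delta(before, after):
    """Per-queue growth of the Transmitted packets counter between snapshots."""
    b, a = parse_queue_counters(before), parse_queue_counters(after)
    return {q: a[q][2] - b[q][2] for q in a if q in b}

def used_priority_queue(before, after, queue=6, fc="c1"):
    """True if the queue bound to forwarding class c1 transmitted the test packets."""
    cls = parse_queue_counters(after).get(queue, ("", 0, 0, 0))[0]
    return cls == fc and transmitted_delta(before, after).get(queue, 0) > 0
```

Replace BEFORE and AFTER with the real command output from your switch; a zero delta on queue 6 while best-effort grows indicates that the examine-dhcp or arp-inspection forwarding-class setting is not in effect.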