Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style

Junos OS supports two different styles of configuration for switch interfaces: service provider style and enterprise style. The service provider style requires more configuration but provides greater flexibility. The enterprise style is easier to configure but offers less functionality.

With the enterprise style of configuration, logical interfaces are placed into Layer 2 mode by specifying ethernet-switching as the interface family. The ethernet-switching option can only be configured on a single logical unit, unit 0. You cannot bind a VLAN ID to unit 0, because these interfaces operate either in trunk mode, which supports traffic with various VLAN tags, or in access mode, which supports untagged traffic.

Some switching features, such as Q-in-Q tunneling, cannot be configured on logical interface unit 0. Q-in-Q tunneling requires the logical interface to transmit VLAN-tagged frames. To enable a logical interface to receive and forward VLAN-tagged Ethernet frames, you must bind the logical interface to that VLAN. Because the enterprise style does not allow binding of a VLAN ID to unit 0, you must use the service provider style to configure Q-in-Q tunneling.

To support DHCP security along with Q-in-Q tunneling, you can configure the following DHCP security features using the service provider style:

  • DHCP snooping (DHCPv4 and DHCPv6)
  • Dynamic ARP inspection
  • Neighbor discovery inspection
  • DHCP option 82
  • DHCPv6 option 18 and option 37
  • Lightweight DHCPv6 relay agent

You can combine the service provider and enterprise styles of configuration on the same physical interface using flexible Ethernet services encapsulation. With flexible Ethernet services encapsulation, you configure encapsulations at the logical interface level instead of at the physical interface level. Defining multiple per-unit Ethernet encapsulations makes it easier to customize Ethernet-based services for multiple hosts connected to the same physical interface. For more information, see Flexible Ethernet Services Encapsulation.

Note:

EX4300 switches do not support configuration of service provider style and enterprise style on the same physical interface.

Example: DHCP Security and Q-in-Q Tunneling with Service Provider Style Configuration

When configuring a physical interface to support only the service provider style, configure the extended-vlan-bridge encapsulation type to support bridging features. You must also configure native VLAN tagging on the physical interface so that it can operate in trunk mode and transmit Ethernet frames with VLAN tags for multiple VLANs. Configure flexible VLAN tagging on the interface to transmit packets with 802.1Q VLAN single-tagged and dual-tagged frames.

The following example configuration encapsulates physical interface ge-0/0/11 for service provider configuration and defines logical unit 111. VLAN ID v111 is bound to unit 111, and Q-in-Q tunneling is configured on logical interface ge-0/0/11.111. The configuration enables DHCP snooping, dynamic ARP inspection, and DHCP option 82 on VLAN v111.

Example: DHCP Security and Q-in-Q Tunneling with Flexible Ethernet Services Encapsulation

The flexible Ethernet services encapsulation type enables a physical interface to support both styles of configuration. To support the service provider style, flexible Ethernet services allows encapsulations to be configured at the logical interface level instead of at the physical interface level. To support the enterprise style, flexible Ethernet services allows the ethernet-switching family to be configured on any logical interface unit number, not only unit 0.

The following example configuration encapsulates physical interface ge-0/0/11 with flexible-ethernet-services to support service provider and enterprise style configurations. Two logical units are defined on the physical interface: unit 111 for service provider style, and unit 0 for enterprise style. The vlan-bridge encapsulation enables bridging features on unit 111, and the ethernet-switching family enables bridging features on unit 0. Q-in-Q tunneling is configured on logical interface ge-0/0/11.111.

VLAN v111 is bound to unit 111 and has the following DHCP security features:

  • DHCP snooping with option 82 and trusted override
  • Dynamic ARP inspection

VLAN EP_v222 is bound to unit 0 and has the following DHCP security features:

  • DHCP snooping with option 82
  • Dynamic ARP inspection
  • Neighbor discovery inspection

Note:

Interfaces with service provider style configuration are untrusted by default for DHCP. On interfaces with enterprise style configuration, access interfaces are untrusted and trunk interfaces are trusted.
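The following set-format configuration is an added example illustrating both examples above; it is not the page's own configuration. It assumes VLAN IDs 111 and 222, native VLAN 1, and the dhcp-security group name uplink; the first example differs only in using encapsulation extended-vlan-bridge on the physical interface and omitting unit 0.

```junos
## Added example (not the page's configuration). Assumed values: VLAN IDs 111 and 222,
## native VLAN 1, dhcp-security group name "uplink".

## Physical interface: flexible Ethernet services lets each unit carry its own encapsulation
set interfaces ge-0/0/11 flexible-vlan-tagging
set interfaces ge-0/0/11 native-vlan-id 1
set interfaces ge-0/0/11 encapsulation flexible-ethernet-services

## Service provider style unit 111: vlan-bridge encapsulation, VLAN 111 bound,
## Q-in-Q push/pop of the outer (S-VLAN) tag
set interfaces ge-0/0/11 unit 111 encapsulation vlan-bridge
set interfaces ge-0/0/11 unit 111 vlan-id 111
set interfaces ge-0/0/11 unit 111 input-vlan-map push
set interfaces ge-0/0/11 unit 111 output-vlan-map pop

## Enterprise style unit 0: family ethernet-switching, access mode
## (access interfaces are untrusted for DHCP by default, per the note above)
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members EP_v222

## VLAN v111 (service provider style): DHCP snooping is enabled implicitly by the
## dhcp-security statements; option 82 circuit-id, DAI, and a trusted override
## because service provider style interfaces are untrusted by default
set vlans v111 vlan-id 111
set vlans v111 interface ge-0/0/11.111
set vlans v111 forwarding-options dhcp-security option-82 circuit-id
set vlans v111 forwarding-options dhcp-security arp-inspection
set vlans v111 forwarding-options dhcp-security group uplink overrides trusted
set vlans v111 forwarding-options dhcp-security group uplink interface ge-0/0/11.111

## VLAN EP_v222 (enterprise style): snooping with option 82, DAI, ND inspection
set vlans EP_v222 vlan-id 222
set vlans EP_v222 forwarding-options dhcp-security option-82 circuit-id
set vlans EP_v222 forwarding-options dhcp-security arp-inspection
set vlans EP_v222 forwarding-options dhcp-security neighbor-discovery-inspection
```

After committing, verify the binding and trust state with show dhcp-security binding and show dhcp-security statistics before relying on the override.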