Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
Junos OS supports two different styles of configuration for switch interfaces: service provider style and enterprise style. The service provider style requires more configuration but provides greater flexibility. The enterprise style is easier to configure but offers less functionality.
With the enterprise style of configuration, logical interfaces are placed into Layer 2 mode by specifying ethernet-switching as the interface family. The ethernet-switching option can only be configured on a single logical unit, unit 0. You cannot bind a VLAN ID to unit 0, because these interfaces operate either in trunk mode, which supports traffic with various VLAN tags, or in access mode, which supports untagged traffic.
Some switching features, such as Q-in-Q tunneling, cannot be configured on logical interface unit 0. Q-in-Q tunneling requires the logical interface to transmit VLAN-tagged frames. To enable a logical interface to receive and forward VLAN-tagged Ethernet frames, you must bind the logical interface to that VLAN. Because the enterprise style does not allow binding of a VLAN ID to unit 0, you must use the service provider style to configure Q-in-Q tunneling.
To support DHCP security along with Q-in-Q tunneling, you can configure the following DHCP security features using the service provider style:
- DHCP snooping (DHCPv4 and DHCPv6)
- Dynamic ARP inspection
- Neighbor discovery inspection
- DHCP option 82
- DHCPv6 option 18 and option 37
- Lightweight DHCPv6 relay agent
You can combine the service provider and enterprise styles of configuration on the same physical interface using flexible Ethernet services encapsulation. With flexible Ethernet services encapsulation, you can configure encapsulations at the logical interface level instead of at the physical interface level. Defining multiple per-unit Ethernet encapsulations makes it easier to customize Ethernet-based services to multiple hosts connected to the same physical interface. For more information, see Flexible Ethernet Services Encapsulation .
EX4300 switches do not support configuration of service provider style and enterprise style on the same physical interface.
Example: DHCP Security and Q-in-Q Tunneling with Service Provider Style Configuration
When configuring a physical interface to support only the service provider style,
configure the extended-vlan-bridge
encapsulation type to
support bridging features. You must also configure native VLAN tagging on the
physical interface so that it can operate in trunk mode and transmit Ethernet
frames with VLAN tags for multiple VLANs. Configure flexible VLAN tagging on the
interface to transmit packets with 802.1Q VLAN single-tagged and dual-tagged
frames.
The following example configuration encapsulates physical interface ge-0/0/11 for service provider configuration and defines logical unit 111. VLAN ID v111 is bound to unit 111, and Q-in-Q tunneling is configured on logical interface ge-0/0/11.111. The configuration enables DHCP snooping, dynamic ARP inspection, and DHCP option 82 on VLAN v111.
set interfaces ge-0/0/11 flexible-vlan-tagging set interfaces ge-0/0/11 native-vlan-id 112 set interfaces ge-0/0/11 encapsulation extended-vlan-bridge set interfaces ge-0/0/11 input-native-vlan-push enable set interfaces ge-0/0/11 unit 111 vlan-id-list 111-112 set interfaces ge-0/0/11 unit 111 input-vlan-map push set interfaces ge-0/0/11 unit 111 output-vlan-map pop set vlans V111 interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security group TRUSTED overrides trusted set vlans V111 forwarding-options dhcp-security group TRUSTED interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security arp-inspection set vlans V111 forwarding-options dhcp-security option-82 remote-id use-interface-description logical
Example: DHCP Security and Q-in-Q Tunneling with Flexible Ethernet Services Encapsulation
The flexible Ethernet services encapsulation type enables a physical interface to
support both styles of configuration. To support the service provider style,
flexible Ethernet services allows for encapsulations to be configured at the
logical interface level instead of the physical interface. To support the
enterprise style, flexible Ethernet services allows the
ethernet-switching
family to be configured on any logical
interface unit number.
The following example configuration encapsulates physical interface ge-0/0/11
with flexible-ethernet-services
to support service provider and
enterprise style configurations. Two logical units are defined on the physical
interface: unit 111 for service provider style, and unit 0 for enterprise style.
The vlan-bridge
encapsulation enables bridging features on unit
111, and the ethernet-switching
family enables bridging
features on unit 0. Q-in-Q tunneling is configured on logical interface
ge-0/0/11.111.
VLAN v111 is bound to unit 111 and has the following DHCP security features:
- DHCP snooping with option 82 and trusted override
- Dynamic ARP inspection
VLAN EP_v222 is bound to unit 0 and has the following DHCP security features:
- DHCP snooping with option 82
- Dynamic ARP inspection
- Neighbor discovery inspection
Interfaces with service provider style configuration are untrusted by default for DHCP. On interfaces with enterprise style configuration, access interfaces are untrusted and trunk interfaces are trusted.
set interfaces ge-0/0/11 flexible-vlan-tagging set interfaces ge-0/0/11 native-vlan-id 112 set interfaces ge-0/0/11 encapsulation flexible-ethernet-services set interfaces ge-0/0/11 input-native-vlan-push enable set interfaces ge-0/0/11 unit 111 encapsulation vlan-bridge set interfaces ge-0/0/11 unit 111 vlan-id-list 111-112 set interfaces ge-0/0/11 unit 111 input-vlan-map push set interfaces ge-0/0/11 unit 111 output-vlan-map pop set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members EP_V222 set vlans V111 interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security group TRUSTED overrides trusted set vlans V111 forwarding-options dhcp-security group TRUSTED interface ge-0/0/11.111 set vlans V111 forwarding-options dhcp-security arp-inspection set vlans V111 forwarding-options dhcp-security option-82 remote-id use-interface-description logical set vlans EP_V222 vlan-id 222 set vlans EP_V222 forwarding-options dhcp-security arp-inspection set vlans EP_V222 forwarding-options dhcp-security neighbor-discovery-inspection set vlans EP_V222 forwarding-options dhcp-security option-82 remote-id use-interface-description logical