ExtremeSwitching (EXOS)


ARP Validation Question

  • 1.  ARP Validation Question

    Posted 07-13-2018 16:51
    I am attempting to configure dhcp-snooping with arp validation on a lab X450e-24p. DHCP snooping seems to work fine, I configure a trusted port (24) where the DHCP server is reached off of.

    When I configure arp validation, I begin to get errors related to the default gateway of the network.

    An ARP violation was detected on vlan


  • 2.  RE: ARP Validation Question

    Posted 07-16-2018 11:42
    From the documentation: If configured for DHCP snooping, the switch snoops DHCP packets on the indicated ports and builds a DHCP bindings database of IP address and MAC address bindings from the received packets.

    I think it may be that a trusted dhcp server is not set in the configuration. The switch or router needs to trust a server or a port that responds to the dhcp requests.

    Example: configure trusted-servers vlan120 add server ip_address trust-for dhcp-server

    Could you please show us the ip-security dhcp-snooping configuration so that we can have more info to t-shoot the issue?

    Thank you!



  • 3.  RE: ARP Validation Question

    Posted 07-16-2018 14:00
    Here is the DHCP snooping config:

    enable ip-security dhcp-snooping vlan V1001 port all violation-action drop-packet
    configure trusted-ports 24 trust-for dhcp-server

    Here is the arp validation config:

    enable ip-security arp validation "V1001" ports all violation-action drop-packet



  • 4.  RE: ARP Validation Question

    Posted 07-16-2018 17:43
    I think that it is not a good idea to set arp validation on the uplink (port 24). My thought is that the uplink will bind the first MAC-IP add and the others will be seen as a violation. Since there are many MACs passing through (sh fdb port 24), the switch sees them as violations and will block the port.

    The arp validation should be on the edge (user) side of the switch. The switch will learn the MAC from the edge ports and will bind it with the IP add, then save it in arp table. So any other MAC entry will be a violation.



  • 5.  RE: ARP Validation Question

    Posted 07-18-2018 14:43
    Thanks for the reply, I did some reading and noticed other vendors have an 'arp validation trust port' config, so I think you're right, the thing to do is to not configure arp validation on the uplink port.


  • 6.  RE: ARP Validation Question

    Posted 02-10-2021 20:49

    I hate bringing up an old topic but if you have some devices that are static IP, let's say Printers for example, would you just not configure it on those switchports?  Obv if pc’s and phones DHCP that makes sense.

    Yeah in the Cisco world there was the ip arp-inspection trust command.  Here it sounds like you just don't configure it.
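
The behaviour discussed in this thread, as an added example that is not part of any post and is not EXOS code: a simplified Python model that assumes ARP validation compares each ARP sender IP/MAC against the DHCP snooping bindings database. All addresses, port numbers and names are constructed for illustration.

```python
# Simplified model of ARP validation against a DHCP snooping bindings table.
# Not EXOS code; every address, port and name below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    port: int          # switch port the ARP packet arrived on
    sender_ip: str
    sender_mac: str

def snoop_bindings(dhcp_acks, trusted_ports):
    """Build {client_ip: client_mac} from DHCP ACKs seen on trusted ports only."""
    return {ip: mac for (port, ip, mac) in dhcp_acks if port in trusted_ports}

def validate(arp, bindings, validated_ports):
    """Return 'forward' or 'violation' for one ARP packet."""
    if arp.port not in validated_ports:
        return "forward"        # validation is not enabled on this port
    if bindings.get(arp.sender_ip) == arp.sender_mac:
        return "forward"        # sender matches a snooped DHCP lease
    return "violation"          # no lease, or the lease belongs to another MAC

# Constructed lab: port 24 is the uplink toward the DHCP server and gateway.
UPLINK = 24
ACKS = [(UPLINK, "10.1.1.50", "00:11:22:33:44:50")]     # lease given to a PC
BINDINGS = snoop_bindings(ACKS, trusted_ports={UPLINK})

PC = Arp(3, "10.1.1.50", "00:11:22:33:44:50")           # DHCP client
GATEWAY = Arp(UPLINK, "10.1.1.1", "00:aa:bb:cc:dd:01")  # static IP, no lease
PRINTER = Arp(7, "10.1.1.20", "00:11:22:33:44:20")      # static IP, no lease
MISMATCH = Arp(5, "10.1.1.50", "00:11:22:33:44:05")     # PC's IP, other MAC

ALL_PORTS = set(range(1, 25))         # "ports all", uplink included
EDGE_ONLY = ALL_PORTS - {UPLINK}      # uplink left out of validation
EDGE_NO_STATIC = EDGE_ONLY - {7}      # printer port left out as well

def run(validated_ports):
    """Verdict per sample packet for a given set of validated ports."""
    packets = [("pc", PC), ("gateway", GATEWAY),
               ("printer", PRINTER), ("mismatch", MISMATCH)]
    return {name: validate(pkt, BINDINGS, validated_ports)
            for name, pkt in packets}

if __name__ == "__main__":
    for label, ports in [("all ports", ALL_PORTS), ("edge only", EDGE_ONLY),
                         ("edge minus printer port", EDGE_NO_STATIC)]:
        print(f"{label:24} {run(ports)}")
```

In this model a port left out of validation forwards every ARP claim it receives, so leaving a static device's port unvalidated removes the check there entirely.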