ExtremeSwitching (EXOS)

  • 1.  DHCP-Snooping, ARP validation with port specific tags.

    Posted 11-07-2016 14:46
    Hi,

    I have a case where I can't get DHCP-Snooping with ARP validation
    working when using port specific tags.

    In my homelab I've used the following settings (which work):
    - DHCP server on port 6.
    - Client on port 10.
    * config lines:
    configure trusted-port 6 trust-for dhcp-server
    enable ip-security dhcp-snooping "Default" ports 6,10 violation-action drop-packet
    enable ip-security arp validation vlan "Default" ports 10 violation-action drop-packet

    In my real life scenario things are a little different (this doesn't work):
    - DHCP server behind a different switch (uplinked to port 15).
    - Multiple vlans behind port 16 (port specific tag).
    * config lines:
    create vlan "Test"
    configure vlan Test tag 9
    disable igmp snooping vlan "Test"
    configure vlan Test add ports 15 tagged
    configure vlan Test add ports 16 tagged 10
    configure vlan Test add ports 16 tagged 11
    configure trusted-port 15 trust-for dhcp-server
    enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
    enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet

    #
    command "enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet" gives an error: ERROR: Port 16 does not belong to vlan Test.

    command "enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet"
    does not give an error but just doesn't seem to do anything

    Does anybody know if this is possible while using port specific tags?
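
Added example (not part of any post in this thread, and not Extreme's own tooling): a pre-deployment check that scans EXOS configuration lines for the combination the first post reports as failing, an ip-security feature enabled on a port that joined the VLAN with a port-specific tag. The function names, the regexes and the standalone-switch port-list parsing are assumptions; the sample input is the post's non-working configuration.

```python
import re

# Constructed sample: the non-working configuration quoted in the first post.
SAMPLE_CONFIG = '''\
create vlan "Test"
configure vlan Test tag 9
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet
'''

# Assumed line shapes, taken from the commands shown in the thread.
ADD_RE = re.compile(r'^configure vlan "?([\w-]+)"? add ports (\S+) tagged(?: (\d+))?$')
SEC_RE = re.compile(
    r'^enable ip-security (dhcp-snooping|arp validation)(?: vlan)? "?([\w-]+)"? ports (\S+)')

def expand_ports(spec):
    """Expand a port list such as '1,4-6' (slot:port notation is not handled)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def find_port_specific_tag_conflicts(config):
    """Return (feature, vlan, port, tags) for each ip-security command that
    names a port added to that VLAN with a port-specific tag, in config order."""
    lines = [line.strip() for line in config.splitlines()]
    specific = {}  # (vlan, port) -> set of port-specific tags
    for line in lines:
        m = ADD_RE.match(line)
        if m and m.group(3):  # group 3 is the tag that follows "tagged"
            for port in expand_ports(m.group(2)):
                specific.setdefault((m.group(1), port), set()).add(int(m.group(3)))
    findings = []
    for line in lines:
        m = SEC_RE.match(line)
        if not m:
            continue
        feature, vlan, spec = m.groups()
        for port in sorted(expand_ports(spec)):
            tags = specific.get((vlan, port))
            if tags:
                findings.append((feature, vlan, port, sorted(tags)))
    return findings
```

Each finding marks a port where the thread reports that the enable command either errors or silently has no effect, so snooping and ARP validation coverage on that port should be confirmed on the switch rather than assumed from the configuration.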



  • 2.  RE: DHCP-Snooping, ARP validation with port specific tags.

    Posted 11-07-2016 15:21
    I am not allowed to run the command

    configure vlan Test add ports 16 tagged 10.. because the options are


  • 3.  RE: DHCP-Snooping, ARP validation with port specific tags.

    Posted 11-07-2016 15:21
    I don't understand you.

    I can run command "configure vlan Test add ports 16 tagged 10" fine; that is not the problem (it also works as expected).

    "configure trusted-port 15 trust-for dhcp-server" also isn't a problem.

    I have problems with these two:
    1: enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
    2: enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet



  • 4.  RE: DHCP-Snooping, ARP validation with port specific tags.

    Posted 11-30-2016 02:51
    Port-Specific VLAN Tag is supported on the following platforms:
    - Summit X460-G2 (supported from ExtremeXOS 15.6)
    - Summit X670-G2 (supported from ExtremeXOS 15.6)
    - Summit X770

    Maybe this command is not available in versions lower than 15.6 EXOS.

    Dilu, could you share the "show switch" output so that I can check this in background and get back to you on the below error?

    ERROR: Port 16 does not belong to vlan Test.