ARP Validation Question

  • Updated 4 days ago
I am attempting to configure dhcp-snooping with arp validation on a lab X450e-24p. DHCP snooping seems to work fine; I configured a trusted port (24), which is the port the DHCP server is reached through.

When I configure arp validation, I begin to get errors related to the default gateway of the network.

An ARP violation was detected on vlan <VLAN> port 24 violating IP <IP> violating MAC <MAC> violation type Invalid IP-MAC Binding

I'm presuming this is because the gateway does not use DHCP, so a binding is never learned. Is the solution to this to create a static entry with this command:

"configure ip-security dhcp-bindings add"

Am I thinking of this correctly? Is there any other technique?
Brian Berginz

Posted 1 week ago
Leviodjos

From the documentation: If configured for DHCP snooping, the switch snoops DHCP packets on the indicated ports and builds a DHCP bindings database of IP address and MAC address bindings from the received packets.

I think it may be that a trusted DHCP server is not set in the configuration. The switch or router needs to trust a server or a port that responds to the DHCP requests.

Example: configure trusted-servers vlan120 add server ip_address trust-for dhcp-server

Could you please show us the ip-security dhcp-snooping configuration so that we can have more info to troubleshoot the issue?

Thank you! 

Brian Berginz
Here is the DHCP snooping config:

enable ip-security dhcp-snooping vlan V1001 port all violation-action drop-packet
configure trusted-ports 24 trust-for dhcp-server

Here is the arp validation config:

enable ip-security arp validation "V1001" ports all violation-action drop-packet

Leviodjos

I think that it is not a good idea to set arp validation on the uplink (port 24). My thought is that the uplink will bind the first MAC-IP address and the others will be seen as a violation. Since there are many MACs passing through (sh fdb port 24), the switch sees them as violations and will block the port.

The arp validation should be on the edge (user) side of the switch. The switch will learn the MAC from the edge ports and will bind it with the IP address, then save it in the ARP table. So any other MAC entry will be a violation.

Brian Berginz
Thanks for the reply. I did some reading and noticed other vendors have an 'arp validation trust port' config, so I think you're right: the thing to do is to not configure ARP validation on the uplink port.
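The behaviour discussed in this thread, modelled in Python as an added example (not code from the posts above or from the switch vendor): ARP validation checks each ARP sender against the DHCP-snooping binding table, so a gateway that never DHCPs fails on the uplink, a static binding clears it, and limiting validation to edge ports leaves the uplink unchecked while still catching an edge host claiming the gateway IP. All addresses and port numbers are constructed lab values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

VIOLATION = "Invalid IP-MAC Binding"   # violation type from the thread's log line


@dataclass
class ArpValidation:
    """Toy model of per-VLAN ARP validation backed by a DHCP-snooping binding table."""
    validated_ports: Set[int]                               # ports on which ARP is checked
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    log: List[str] = field(default_factory=list)

    def snoop_dhcp_ack(self, ip: str, mac: str) -> None:
        """A DHCP ACK from the trusted server binds the client IP to its MAC."""
        self.bindings[ip] = mac

    def add_static_binding(self, ip: str, mac: str) -> None:
        """Manual binding for hosts that never DHCP, e.g. the default gateway."""
        self.bindings[ip] = mac

    def check_arp(self, port: int, sender_ip: str, sender_mac: str) -> str:
        """Return 'forwarded', or the violation type (packet dropped) for an ARP on port."""
        if port not in self.validated_ports:
            return "forwarded"                    # no validation on this port
        if self.bindings.get(sender_ip) == sender_mac:
            return "forwarded"                    # sender matches a known binding
        self.log.append(f"ARP violation on port {port} IP {sender_ip} MAC {sender_mac}")
        return VIOLATION                          # violation-action drop-packet


def walk_through() -> Tuple[str, str, str, str]:
    """Replay the thread's scenario with constructed addresses (not from the posts)."""
    gw_ip, gw_mac = "10.1.1.1", "00:00:5e:00:01:01"          # constructed gateway
    client_ip, client_mac = "10.1.1.50", "aa:bb:cc:00:00:50"  # constructed DHCP client
    # 1. validation on all 24 ports; the gateway never DHCPs, so its ARP on uplink 24 fails
    all_ports = ArpValidation(validated_ports=set(range(1, 25)))
    all_ports.snoop_dhcp_ack(client_ip, client_mac)
    uplink_no_binding = all_ports.check_arp(24, gw_ip, gw_mac)
    # 2. same config after adding a static binding for the gateway
    all_ports.add_static_binding(gw_ip, gw_mac)
    uplink_static = all_ports.check_arp(24, gw_ip, gw_mac)
    # 3. validation only on edge ports 1-23: the uplink is not checked,
    #    but an edge host claiming the gateway IP is still dropped
    edge_only = ArpValidation(validated_ports=set(range(1, 24)))
    edge_only.snoop_dhcp_ack(client_ip, client_mac)
    uplink_unchecked = edge_only.check_arp(24, gw_ip, gw_mac)
    edge_claims_gw = edge_only.check_arp(5, gw_ip, client_mac)
    return uplink_no_binding, uplink_static, uplink_unchecked, edge_claims_gw
```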