DHCP-Snooping, ARP validation with port-specific tags.

Question (Answered), updated 2 years ago

Hi,

I have a case where I can't get DHCP-Snooping with ARP validation
working when using port-specific tags.

In my homelab I've used the following settings (which work):
- DHCP server on port 6.
- Client on port 10.
* config lines:
configure trusted-port 6 trust-for dhcp-server
enable ip-security dhcp-snooping "Default" ports 6,10 violation-action drop-packet
enable ip-security arp validation vlan "Default" ports 10 violation-action drop-packet

In my real-life scenario things are a little different (this doesn't work):
- DHCP server behind a different switch (uplinked to port 15).
- Multiple vlans behind port 16 (port specific tag).
* config lines:
create vlan "Test"
configure vlan Test tag 9
disable igmp snooping vlan "Test"
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet

The command "enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet" gives an error: ERROR: Port 16 does not belong to vlan Test.

The command "enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet"
does not give an error but just doesn't seem to do anything.

Does anybody know if this is possible while using port specific tags?

dilu

Posted 2 years ago
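As an added example (not from the thread and not an Extreme tool), a small Python lint that parses the EXOS lines quoted in the post and, for each ip-security command, flags ports that are not members of the named VLAN or are members only through a port-specific tag, which is the membership the error message above reports as missing. It assumes the simplified one-port-list-per-line syntax shown in the post.

```python
import re
from collections import defaultdict
# Constructed sample: the 'real life' config lines quoted in the post above.
SAMPLE_CONFIG = """
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet
"""

# Assumption: the simplified EXOS syntax shown in the post (one port list per line).
ADD_RE = re.compile(r'^configure vlan (\S+) add ports (\S+) (?:tagged|untagged)(?:\s+(\d+))?$')
SEC_RE = re.compile(r'^enable ip-security (dhcp-snooping|arp validation vlan) "?([^" ]+)"? ports (\S+)')

def expand_ports(spec):
    """Expand an EXOS port list such as '15,16' or '1-4,10' into a set of ints."""
    ports = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_memberships(config):
    """Map vlan -> {port: 'vlan' | 'port-specific'} from 'add ports' lines."""
    members = defaultdict(dict)
    for line in config.splitlines():
        if m := ADD_RE.match(line.strip()):
            vlan, spec, tag = m.groups()
            for port in expand_ports(spec):
                members[vlan][port] = 'port-specific' if tag else 'vlan'
    return members

def lint_ip_security(config):
    """Flag ip-security ports that are not in the VLAN, or are in it only via a
    port-specific tag (the membership the thread shows being rejected)."""
    members = parse_memberships(config)
    findings = []
    for line in config.splitlines():
        if m := SEC_RE.match(line.strip()):
            feature, vlan, spec = m.groups()
            for port in sorted(expand_ports(spec)):
                kind = members.get(vlan, {}).get(port)
                if kind is None:
                    findings.append((feature, vlan, port, 'not a member'))
                elif kind == 'port-specific':
                    findings.append((feature, vlan, port, 'member only via port-specific tag'))
    return findings
```

Running `lint_ip_security(SAMPLE_CONFIG)` reports port 16 for both the dhcp-snooping and the arp validation command and nothing for port 15, matching which command the switch rejected.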

Jason Parker, Employee
I am not allowed to run the command

configure vlan Test add ports 16 tagged 10, because the options are:
  <cr>            Execute the command
  stpd            STP domain
  <stpd_name>     STP domain name
    "s0"

So from what I am seeing, there are 3 different STP domains:
Default (cr)
10
11

I would use the same config from the real-life scenario on the test switch and retest.
Jason
dilu

I don't understand you.

I can run the command "configure vlan Test add ports 16 tagged 10" fine; that is not the problem (it also works as expected).

"configure trusted-port 15 trust-for dhcp-server" also isn't a problem.

I have problems with these two:
1: enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
2: enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet
Karthik Mohandoss, Employee
Port-Specific VLAN Tag is supported on the following platforms:
• Summit X460-G2 (supported from ExtremeXOS 15.6)
• Summit X670-G2 (supported from ExtremeXOS 15.6)
• Summit X770

Maybe this command is not available in EXOS versions lower than 15.6.

Dilu, could you share the "show switch" output so that I can check this in the background and get back to you on the below error?

ERROR: Port 16 does not belong to vlan Test.