DHCP-Snooping, ARP validation with port specific tags.


Hi,

I have a case where I can't get DHCP-Snooping with ARP validation
working when using port specific tags.

In my homelab I've used the following settings (which work):
- DHCP server on port 6.
- Client on port 10.
* config lines:
configure trusted-port 6 trust-for dhcp-server
enable ip-security dhcp-snooping "Default" ports 6,10 violation-action drop-packet
enable ip-security arp validation vlan "Default" ports 10 violation-action drop-packet

In my real life scenario things are a little different (this doesn't work):
- DHCP server behind a different switch (uplinked to port 15).
- Multiple vlans behind port 16 (port specific tag).
* config lines:
create vlan "Test"
configure vlan Test tag 9
disable igmp snooping vlan "Test"
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet

#
command "enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet" gives an error: ERROR: Port 16 does not belong to vlan Test.

command "enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet"
does not give an error but just doesn't seem to do anything.

Does anybody know if this is possible while using port specific tags?
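As an added pre-flight check (not code from the thread or from Extreme Networks), the script below parses EXOS-style VLAN membership, trusted-port and ip-security lines and reports, before the config is pasted into a switch, any port named in a dhcp-snooping or arp validation command that is not a plain member of that VLAN. It assumes, as an inference from the "Port 16 does not belong to vlan Test" error above rather than anything documented, that membership established only through a port-specific tag is the condition worth flagging; the sample configuration is the one quoted in the post, and the regexes cover only the command forms that appear in it.

```python
import re
from collections import defaultdict

# Constructed sample: the "real life" configuration quoted in the post.
SAMPLE_CONFIG = """\
create vlan "Test"
configure vlan Test tag 9
disable igmp snooping vlan "Test"
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet
"""

# Only the command shapes seen in the post are recognised (assumption: no other forms).
ADD_PORTS = re.compile(r'^configure vlan "?([\w-]+)"? add ports? (\S+) (tagged|untagged)(?:\s+(\d+))?$')
TRUSTED = re.compile(r'^configure trusted-port (\S+) trust-for dhcp-server$')
DHCP_SNOOP = re.compile(r'^enable ip-security dhcp-snooping "?([\w-]+)"? ports (\S+)')
ARP_VAL = re.compile(r'^enable ip-security arp validation vlan "?([\w-]+)"? ports (\S+)')


def expand_ports(spec):
    """Expand a port list such as '15,16' or '10-12' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_config(text):
    """Collect VLAN membership (port -> set of tags, None = plain tagged/untagged),
    DHCP-trusted ports, and the ports each ip-security feature is enabled on."""
    members = defaultdict(lambda: defaultdict(set))
    trusted = set()
    snoop = defaultdict(set)
    arp = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ADD_PORTS.match(line):
            vlan, ports, _mode, tag = m.groups()
            for port in expand_ports(ports):
                members[vlan][port].add(int(tag) if tag else None)
        elif m := TRUSTED.match(line):
            trusted.update(expand_ports(m.group(1)))
        elif m := DHCP_SNOOP.match(line):
            snoop[m.group(1)].update(expand_ports(m.group(2)))
        elif m := ARP_VAL.match(line):
            arp[m.group(1)].update(expand_ports(m.group(2)))
    return {"members": members, "trusted": trusted, "snoop": snoop, "arp": arp}


def check_config(text):
    """Return (feature, vlan, port, reason) tuples for ports an ip-security
    command names but which are not plain members of that VLAN."""
    cfg = parse_config(text)
    findings = []
    for feature, per_vlan in (("dhcp-snooping", cfg["snoop"]), ("arp validation", cfg["arp"])):
        for vlan, ports in per_vlan.items():
            for port in sorted(ports):
                tags = cfg["members"].get(vlan, {}).get(port)
                if not tags:
                    findings.append((feature, vlan, port, "not a member of the VLAN"))
                elif None not in tags:
                    # Membership exists only via port-specific tag(s): the case the
                    # thread reports as rejected with "does not belong to vlan".
                    findings.append((feature, vlan, port,
                                     f"member only via port-specific tag(s) {sorted(tags)}"))
    return findings


if __name__ == "__main__":
    for feature, vlan, port, reason in check_config(SAMPLE_CONFIG):
        print(f"{feature}: vlan {vlan} port {port}: {reason}")
```

Run against the quoted configuration it reports port 16 for both commands, while port 15 (a plain tagged member) passes; a config that never adds a port to the VLAN at all is reported as "not a member of the VLAN".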

3 replies

I am not allowed to run the command

configure vlan Test add ports 16 tagged 10.. because the options are
Execute the command stpd STP domain
STP domain name
"s0"

so from what I am seeing 3 different STP domains
Default (cr)
10
11

I would use the same config from the real life scenario on the test switch and retest
Jason
Jason Parker wrote:

I am not allowed to run the command

configure vlan Test add ports 16 tagged 10.. because the options are
Execute the command stpd STP domain
STP domain name
"s0"

so from what I am seeing 3 different STP domains
Default (cr)
10
11

I would use the same config from the real life scenario on the test switch and retest
Jason

I don't understand you.

I can run command "configure vlan Test add ports 16 tagged 10" fine that is not the problem. (it also works as expected).

"configure trusted-port 15 trust-for dhcp-server" also isn't a problem.

I have problems with these two:
1: enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
2: enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet
Port-Specific VLAN Tag is supported on the following platforms:
• Summit X460-G2 (supported from ExtremeXOS 15.6)
• Summit X670-G2 (supported from ExtremeXOS 15.6)
• Summit X770

Maybe this command is not available in EXOS versions lower than 15.6.

Dilu, could you share the "show switch" output so that I can check this in the background and get back to you on the below error?
ERROR: Port 16 does not belong to vlan Test.
