topic ARP Validation Question in ExtremeSwitching (EXOS/Switch Engine)

ARP Validation Question

B_ — Fri, 13 Jul 2018 23:51:00 GMT

I am attempting to configure dhcp-snooping with arp validation on a lab X450e-24p. DHCP snooping seems to work fine, I configure a trusted port (24) where the DHCP server is reached off of.

When I configure arp validation, I begin to get errors related to the default gateway of the network.

An ARP violation was detected on vlan port 24 violating IP violating MAC violation type Invalid IP-MAC Binding

I'm presuming this is because the gateway does not DHCP so a binding is never learned. Is the solution to this to create a static entry with this command:

"configure ip-security dhcp-bindings add"
Am I thinking of this correctly, is there any other technique?

RE: ARP Validation Question

Leviodjos — Mon, 16 Jul 2018 18:42:00 GMT

From the documentation: If configured for DHCP snooping, the switch snoops DHCP packets on the indicated ports and builds a DHCP bindings database of IP address and MAC address bindings from the received packets.

I think is may be that a trusted dhcp server is not set in the configuration. The switch or router ne to trust a server or a port that responds to the dhcp requests.

Example: configure trusted-servers vlan120 add server ip_address trust-for dhcp-server

Could please show us the ip-security dhcp-snooping configuration so that we can have more info to t-shoot the issue?

Thank you!

RE: ARP Validation Question

B_ — Mon, 16 Jul 2018 21:00:00 GMT

Here is the DHCP snooping config:

enable ip-security dhcp-snooping vlan V1001 port all violation-action drop-packet
configure trusted-ports 24 trust-for dhcp-server

Here is the arp validation config:

enable ip-security arp validation "V1001" ports all violation-action drop-packet

RE: ARP Validation Question

Leviodjos — Tue, 17 Jul 2018 00:43:00 GMT

I think that it is not a good idea to set arp vialadation on the uplink (port 24). My thought is that the uplink will bind the first MAC-IP add and the other will be seen as a violation. Since there are many MAC passing through ( sh fdb port 24), the switch sees it as violations and will block the port.

The arp validation should be on the edge (user) side of the siwtch. The witch will learn the MAC from the edge ports and will bind it with the IP add, then save it in arp table. So any other MAC entry will be a violation.

RE: ARP Validation Question

B_ — Wed, 18 Jul 2018 21:43:00 GMT

Thanks for the reply, I did some reading and noticed other vendors have a 'arp validation trust port' config, so I think you're right, the thing to do is to not configure arp validation on the uplink port.

RE: ARP Validation Question

Keith9 — Thu, 11 Feb 2021 04:49:00 GMT

I hate bringing up an old topic but if you have some devices that are static IP, lets say Printers for example, would you just not configure it on those switchports? Obv if pc’s and phones DHCP that makes sense.

Yeah in the Cisco world there was ip arp-inspection trust command. Here it sounds like you just dont configure it.