https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88738#M170 <P>Hello Community,</P><P>I was wondering about the appropriate way to configure ARP Validation in an Extreme Access Control Environment with dynamically assigned VLANs.</P><P>From what I have found so far, you have to configure ARP Validation per vlan and port. This is not possible if the vlan, which should later be dynamically assigned to the port, is not statically configured on the port:</P><P>* EXOS-VM.2 # enable ip-security dhcp-snooping vlan red ports 1 violation-action drop-packet block-mac duration 300 snmp-trap</P><P>ERROR: Port 1 does not belong to vlan red.</P><P>* EXOS-VM.4 # enable ip-security arp validation vlan red ports 1 violation-action drop-packet snmp-trap</P><P>ERROR: Port 1 does not belong to vlan red.</P><P>I have seen that in XOS 30.2 a Dynamic VLAN and VLAN ID option has been added. I assume this option is only for VLANs created in a Fabric Connect environment and not for dynamically assigned VLANs based on an Authentication. Is my assumption correct?</P><P>I know that IP-Security Features apply after the Authentication takes place. What I would not want to do is an implementation with a port macro - if this is even possible.</P><P>Could someone please help me?</P><P>Kind regards</P><P>Michael</P> Tue, 19 Nov 2019 21:02:35 GMT Michael_Eisensc 2019-11-19T21:02:35Z https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88738#M170 <P>Hello Community,</P><P>I was wondering about the appropriate way to configure ARP Validation in an Extreme Access Control Environment with dynamically assigned VLANs.</P><P>From what I have found so far, you have to configure ARP Validation per vlan and port. This is not possible if the vlan, which should later be dynamically assigned to the port, is not statically configured on the port:</P><P>* EXOS-VM.2 # enable ip-security dhcp-snooping vlan red ports 1 violation-action drop-packet block-mac duration 300 snmp-trap</P><P>ERROR: Port 1 does not belong to vlan red.</P><P>* EXOS-VM.4 # enable ip-security arp validation vlan red ports 1 violation-action drop-packet snmp-trap</P><P>ERROR: Port 1 does not belong to vlan red.</P><P>I have seen that in XOS 30.2 a Dynamic VLAN and VLAN ID option has been added. I assume this option is only for VLANs created in a Fabric Connect environment and not for dynamically assigned VLANs based on an Authentication. Is my assumption correct?</P><P>I know that IP-Security Features apply after the Authentication takes place. What I would not want to do is an implementation with a port macro - if this is even possible.</P><P>Could someone please help me?</P><P>Kind regards</P><P>Michael</P> Tue, 19 Nov 2019 21:02:35 GMT https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88738#M170 Michael_Eisensc 2019-11-19T21:02:35Z https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88739#M171 <P>I'd be interested to know this too.</P> Wed, 05 May 2021 22:21:50 GMT https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88739#M171 jeronimo 2021-05-05T22:21:50Z https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88740#M172 <P>You enable&nbsp;dynamic ARP&nbsp;inspection on a per-VLAN&nbsp;basis by using the ip&nbsp;arp&nbsp;inspection&nbsp;vlan vlan-range global configuration command. In non-DHCP environments,&nbsp;dynamic ARP&nbsp;inspection can&nbsp;validate ARP&nbsp;packets against user-configured&nbsp;ARP&nbsp;access control lists (ACLs) for hosts with statically configured IP addresses.</P> Thu, 13 May 2021 13:08:03 GMT https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88740#M172 Pullin1458 2021-05-13T13:08:03Z https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88741#M173 <P>You enable&nbsp;dynamic ARP&nbsp;inspection on a per-VLAN&nbsp;basis by using the ip&nbsp;arp&nbsp;inspection&nbsp;vlan vlan-range global configuration command. In non-DHCP environments,&nbsp;dynamic ARP&nbsp;inspection can&nbsp;validate ARP&nbsp;packets against user-configured&nbsp;ARP&nbsp;access control lists (ACLs) for hosts with statically configured IP addresses.</P><P>&nbsp;</P> Fri, 14 May 2021 14:19:47 GMT https://community.extremenetworks.com/t5/security/arp-validation-with-dynamically-assigned-vlans/m-p/88741#M173 Pullin1458 2021-05-14T14:19:47Z