ARP Validation Question

B_
New Contributor II
I am attempting to configure dhcp-snooping with arp validation on a lab X450e-24p. DHCP snooping seems to work fine; I configured a trusted port (24), which is the port the DHCP server is reached through.

When I configure arp validation, I begin to get errors related to the default gateway of the network.

An ARP violation was detected on vlan port 24 violating IP violating MAC violation type Invalid IP-MAC Binding

I'm presuming this is because the gateway does not use DHCP, so a binding is never learned. Is the solution to this to create a static entry with this command:

"configure ip-security dhcp-bindings add"
Am I thinking of this correctly, is there any other technique?


5 REPLIES

Keith9
Contributor III

I hate bringing up an old topic, but if you have some devices that are static IP, let's say printers for example, would you just not configure it on those switchports? Obviously if PCs and phones use DHCP that makes sense.

Yeah, in the Cisco world there was the ip arp-inspection trust command. Here it sounds like you just don't configure it.

B_
New Contributor II
Thanks for the reply. I did some reading and noticed other vendors have an 'arp validation trust port' config, so I think you're right: the thing to do is to not configure arp validation on the uplink port.

Leviodjos
New Contributor
I think that it is not a good idea to set arp validation on the uplink (port 24). My thought is that the uplink will bind the first MAC-IP address and the others will be seen as a violation. Since there are many MACs passing through (sh fdb port 24), the switch sees them as violations and will block the port.

The arp validation should be on the edge (user) side of the switch. The switch will learn the MAC from the edge ports and will bind it with the IP address, then save it in the arp table. So any other MAC entry will be a violation.

B_
New Contributor II
Here is the DHCP snooping config:

enable ip-security dhcp-snooping vlan V1001 ports all violation-action drop-packet
configure trusted-ports 24 trust-for dhcp-server

Here is the arp validation config:

enable ip-security arp validation "V1001" ports all violation-action drop-packet
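The thread's two remedies (a static binding for the gateway on the uplink, or leaving the uplink out of the validated port set) can be reasoned about with a small model of how DHCP-snooping-backed ARP validation decides on a packet. The following is an added example written for this page, not EXOS code and not from the original posters: the gateway address, MACs and port numbers are constructed, and the `Invalid IP-MAC Binding` check is modelled as "sender IP must have a binding whose MAC and port match the ARP packet's ingress". It reproduces the original symptom and shows that both remedies clear it while still dropping a spoofed gateway ARP arriving on an edge port.

```python
"""Simulation of DHCP-snooping-backed ARP validation (constructed example).

Not EXOS code: a binding table learned from DHCP plus optional static entries,
a set of ports on which ARP validation is enabled, and a check that mirrors the
'Invalid IP-MAC Binding' violation seen in the thread.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: int


@dataclass
class ArpValidator:
    validated_ports: set                      # ports where 'arp validation' is enabled
    bindings: dict = field(default_factory=dict)  # sender IP -> Binding

    def learn_dhcp(self, ip: str, mac: str, port: int) -> None:
        """Binding learned by DHCP snooping from a DHCP exchange on the client's port."""
        self.bindings[ip] = Binding(ip, mac, port)

    def add_static(self, ip: str, mac: str, port: int) -> None:
        """Equivalent of a static 'ip-security dhcp-bindings add' entry for hosts that never DHCP."""
        self.bindings[ip] = Binding(ip, mac, port)

    def check_arp(self, sender_ip: str, sender_mac: str, ingress_port: int) -> tuple:
        """Return (allowed, reason) for an ARP packet seen on ingress_port."""
        if ingress_port not in self.validated_ports:
            return True, "port not validated"
        b = self.bindings.get(sender_ip)
        if b is None:
            return False, "Invalid IP-MAC Binding: no binding for sender IP"
        if b.mac != sender_mac or b.port != ingress_port:
            return False, "Invalid IP-MAC Binding"
        return True, "binding matches"


# Constructed values: default gateway reached through uplink port 24, one DHCP client on port 3.
GATEWAY_IP, GATEWAY_MAC, UPLINK = "10.1.1.1", "00:00:5e:00:01:01", 24
CLIENT_IP, CLIENT_MAC, CLIENT_PORT = "10.1.1.50", "aa:bb:cc:00:00:50", 3


def scenario() -> dict:
    """Replay the thread: symptom, then each remedy, plus a spoofing check for both."""
    results = {}

    # As in the original post: validation on 'ports all', gateway never DHCPs so it has no binding.
    v = ArpValidator(validated_ports=set(range(1, 25)))
    v.learn_dhcp(CLIENT_IP, CLIENT_MAC, CLIENT_PORT)
    results["all_ports_no_static"] = v.check_arp(GATEWAY_IP, GATEWAY_MAC, UPLINK)   # violation
    results["edge_host_ok"] = v.check_arp(CLIENT_IP, CLIENT_MAC, CLIENT_PORT)       # allowed
    results["edge_spoof_gateway"] = v.check_arp(GATEWAY_IP, CLIENT_MAC, CLIENT_PORT)  # dropped

    # Remedy 1 (original poster's idea): static binding for the gateway on the uplink.
    v.add_static(GATEWAY_IP, GATEWAY_MAC, UPLINK)
    results["all_ports_with_static"] = v.check_arp(GATEWAY_IP, GATEWAY_MAC, UPLINK)  # allowed

    # Remedy 2 (replies' advice): validate edge ports 1-23 only, leave the uplink out.
    w = ArpValidator(validated_ports=set(range(1, 24)))
    w.learn_dhcp(CLIENT_IP, CLIENT_MAC, CLIENT_PORT)
    results["edge_only_uplink"] = w.check_arp(GATEWAY_IP, GATEWAY_MAC, UPLINK)       # allowed
    results["edge_only_spoof"] = w.check_arp(GATEWAY_IP, CLIENT_MAC, CLIENT_PORT)    # still dropped
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in scenario().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DROP ':5s} {reason}")
```

The two remedies differ in what they protect: the static binding keeps the uplink validated, so any other sender IP arriving on port 24 (every host behind the gateway, as Leviodjos notes) would still need a binding, whereas validating edge ports only trusts the uplink entirely. Either way the check that matters for the edge, a client claiming the gateway's IP, is still dropped.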
