This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

DHCP-Snooping, ARP validation with port specific tags.

DHCP-Snooping, ARP validation with port specific tags.

dilu
New Contributor II

‎11-07-2016 02:46 PM

Hi,

I have a case where i can't get DHCP-Snooping with ARP validation
working when using port specific tags.

In my homelab i've used the following settings (which work):
- DHCP server on port 6.
- Client on port 10.
* config lines:
configure trusted-port 6 trust-for dhcp-server
enable ip-security dhcp-snooping "Default" ports 6,10 violation-action drop-packet
enable ip-security arp validation vlan "Default" ports 10 violation-action drop-packet

In my real life scenario things are a little different (this doens't work):
- DHCP server behind a different switch (uplinked to port 15).
- Multiple vlans behind port 16 (port specific tag).
* config lines:
create vlan "Test"
configure vlan Test tag 9
disable igmp snooping vlan "Test"
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet

#
command "enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet" gives an error: ERROR: Port 16 does not belong to vlan Test.

command" enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet"
does not give an error but just doesn't seem to do anything

Does anybody know if this is possible while using port specific tags?

0 Kudos
3 REPLIES 3

Karthik_Mohando
Extreme Employee

‎11-30-2016 02:51 AM

Port-Specific VLAN Tag is supported on the following platforms: • Summit X460-G2 (supported from ExtremeXOS 15.6) • Summit X670-G2 (supported from ExtremeXOS 15.6) • Summit X770 May be this command is not available in versions lower than 15.6 EXOS . Dilu could you share the "show switch" output so that i can check this in background and get back to you on the below error? ERROR: Port 16 does not belong to vlan Test.
0 Kudos

Jason_Parker
Contributor

‎11-07-2016 03:21 PM

I am not allowed to run the command

configure vlan Test add ports 16 tagged 10.. because the options are
Execute the command stpd STP domain
STP domain name
"s0"

so from what I am seeing 3 different STP domains
Default (cr)
10
11

I would use the same config from the real life scenario on the test switch and retest
Jason
0 Kudos

dilu
New Contributor II
In response to Jason_Parker

‎11-07-2016 03:21 PM

I don't understand you.

I can run command "configure vlan Test add ports 16 tagged 10" fine that is not the problem. (it also works as expected).

"configure trusted-port 15 trust-for dhcp-server" also isn't a problem.

I have problems with these two:
1: enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
2: enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet

0 Kudos
GTM-P2G8KFN