DHCP-Snooping, ARP validation with port specific tags.
11-07-2016 02:46 PM
Hi,
I have a case where I can't get DHCP-Snooping with ARP validation
working when using port specific tags.
In my homelab I've used the following settings (which work):
- DHCP server on port 6.
- Client on port 10.
* config lines:
configure trusted-port 6 trust-for dhcp-server
enable ip-security dhcp-snooping "Default" ports 6,10 violation-action drop-packet
enable ip-security arp validation vlan "Default" ports 10 violation-action drop-packet
In my real life scenario things are a little different (this doesn't work):
- DHCP server behind a different switch (uplinked to port 15).
- Multiple vlans behind port 16 (port specific tag).
* config lines:
create vlan "Test"
configure vlan Test tag 9
disable igmp snooping vlan "Test"
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet
#
The command "enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet" gives an error: ERROR: Port 16 does not belong to vlan Test.
The command "enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet"
does not give an error but just doesn't seem to do anything.
Does anybody know if this is possible while using port specific tags?
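As an added illustration (not from the thread and not Extreme's code), a small Python linter that models VLAN membership the way the two configurations above are written and flags any port named in an ip-security command that is either absent from the VLAN or a member only through a port-specific tag, which is where the "does not belong to vlan" error appeared. It assumes the EXOS factory state in which every port is an untagged member of "Default", a 48-port switch, and that port-specific-tag membership is what the ip-security commands reject; all three are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configs, copied from the two scenarios in the thread.
HOMELAB_CFG = """
configure trusted-port 6 trust-for dhcp-server
enable ip-security dhcp-snooping "Default" ports 6,10 violation-action drop-packet
enable ip-security arp validation vlan "Default" ports 10 violation-action drop-packet
"""
PROD_CFG = """
configure vlan Test tag 9
configure vlan Test add ports 15 tagged
configure vlan Test add ports 16 tagged 10
configure vlan Test add ports 16 tagged 11
configure trusted-port 15 trust-for dhcp-server
enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet
"""
ADD_RE = re.compile(r'configure vlan "?(\w+)"? add ports ([\d,-]+) (tagged|untagged)(?:\s+(\d+))?')
SEC_RE = re.compile(r'enable ip-security (dhcp-snooping|arp validation vlan) "?(\w+)"? ports ([\d,-]+)')

def expand_ports(spec):
    """Expand an EXOS port list such as '6,10' or '1-4' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def vlan_membership(cfg, default_ports=range(1, 49)):
    """Map vlan -> port -> list of membership kinds ('tagged', 'untagged', 'port-specific-tag N')."""
    members = defaultdict(lambda: defaultdict(list))
    for p in default_ports:  # assumption: factory state, every port untagged in Default
        members["Default"][p].append("untagged")
    for m in filter(None, map(ADD_RE.search, cfg.splitlines())):
        vlan, spec, mode, tag = m.groups()
        for p in expand_ports(spec):
            members[vlan][p].append(f"port-specific-tag {tag}" if tag else mode)
    return members

def check_ip_security(cfg, members):
    """Flag ip-security ports absent from the VLAN or present only via a port-specific tag."""
    findings = []
    for m in filter(None, map(SEC_RE.search, cfg.splitlines())):
        feature, vlan, spec = m.groups()
        for p in sorted(expand_ports(spec)):
            kinds = members.get(vlan, {}).get(p, [])
            if not kinds:
                findings.append((feature, vlan, p, "not a member of the VLAN"))
            elif all(k.startswith("port-specific") for k in kinds):
                findings.append((feature, vlan, p, "member only via " + ", ".join(kinds)))
    return findings
```

Running it on the two configurations reports nothing for the homelab and flags port 16 for both the dhcp-snooping and the arp validation line in the production config.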
3 REPLIES
11-30-2016 02:51 AM
Port-Specific VLAN Tag is supported on the following platforms:
- Summit X460-G2 (supported from ExtremeXOS 15.6)
- Summit X670-G2 (supported from ExtremeXOS 15.6)
- Summit X770
Maybe this command is not available in EXOS versions lower than 15.6. Dilu could you share the "show switch" output so that I can check this in the background and get back to you on the below error?
ERROR: Port 16 does not belong to vlan Test.
11-07-2016 03:21 PM
I am not allowed to run the command
configure vlan Test add ports 16 tagged 10
because the options are:
    Execute the command
    stpd        STP domain
    STP domain name
    "s0"
so from what I am seeing there are 3 different STP domains:
Default (cr)
10
11
I would use the same config from the real life scenario on the test switch and retest
Jason
11-07-2016 03:21 PM
I don't understand you.
I can run the command "configure vlan Test add ports 16 tagged 10" fine; that is not the problem (it also works as expected).
"configure trusted-port 15 trust-for dhcp-server" also isn't a problem.
I have problems with these two:
1: enable ip-security dhcp-snooping "Test" ports 15,16 violation-action drop-packet
2: enable ip-security arp validation vlan "Test" ports 16 violation-action drop-packet