03-27-2024 07:24 AM
We have a very fluid environment when it comes to port to VLAN assignment. I see that using the command "enable ip-security dhcp-snooping vlan STUDENT_ITTSTAFF_849 ports all violation-action drop-packet block-port duration 15" enables DHCP snooping on all currently recognized ports within the STUDENT_ITTSTAFF_849 VLAN. We do frequently change port VLAN assignments. This process is manually executed.
Is there a way to dynamically add the new port assignment to the new DHCP-snooping VLAN?
Is there a method to enable all switch ports for DHCP snooping without VLAN considerations?
thanks in advance,
03-28-2024 09:55 AM - edited 03-28-2024 10:00 AM
Hello!
To answer your questions directly:
"Is there a way to dynamically add the new port assignment to the new dhcp-snooping vlan?"
"Is there a method to enable all switch ports to dhcp snooping without vlan considerations.?"
-> No, unless the VLAN is dynamically created in which case you can use the dynamic VLAN commands linked below.
-> You can potentially script this configuration via UPM, but that is outside the scope of GTAC support. Your account team may be able to help with this, though.
It sounds like you're running into a limitation of how EXOS can configure DHCP-Snooping.
There are generally 2 ways to configure DHCP Snooping:
1) Statically Created VLANs
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000080865
Statically created VLANs are created by the CLI command 'create vlan <NAME> tag <#>'.
In order to configure DHCP snooping for statically created VLANs, the VLAN must be assigned to the relevant port at the time of enabling DHCP-Snooping.
If the relevant VLAN is ever removed from the port, the DHCP snooping configuration for that port is lost.
2) Dynamically Created VLANs
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000075129
Dynamically created VLANs are those not created by a 'create vlan' command.
You can enable DHCP snooping for all dynamically created VLANs on all ports without any dynamic VLAN actually created or applied to any ports. Note that this configuration will apply to ALL dynamically created/assigned VLANs on relevant ports, you cannot pick specific VLANs. This configuration applies to all current and future dynamically created VLANs.
---
It sounds like you may have statically created VLANs that are dynamically assigned. In this case, you can configure DHCP snooping for statically created VLANs, but that configuration is lost as soon as the VLAN is dynamically removed from the port.
To get around this, you have a couple of options:
1) Make all dynamically assigned VLANs also dynamically created VLANs. This would imply that you 'delete' any VLAN that was statically created and let dynamic features create and assign these VLANs in entirety. This may be an issue when you get to your uplink port as you are likely not using dynamic VLAN assignment for the uplink port. If using Policy, you can potentially get around this by using policy 'admin rules' which basically state that the uplink port will always be assigned to a relevant policy profile that can do the dynamic creation and assignment of VLANs for you.
2) Create some script that automatically adds DHCP-Snooping configuration to ports as VLANs are dynamically assigned. You can potentially do this via the UPM feature on the switch but note that creating such a script would be outside the scope of GTAC support, so if you run into any issues with your script, GTAC will be unable to assist you.
3) Otherwise, I would recommend creating a feature request to allow for DHCP-Snooping configuration for statically created but dynamically assigned VLANs to get around this behavior.
Hopefully that makes sense and helps you with your configuration!
4 weeks ago
Is a TCL script possible, naming the VLANs using wildcards such as Employee_* or Student_* to define the VLANs to set all ports to snooping? Examples of a VLAN would be "Student_4277" or "Employee_4311".
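The scripting route from option 2 of the GTAC reply and the wildcard idea asked about just above can be combined into a small reconciliation step, shown here as an added example (it is not code from the thread, from GTAC, or from Extreme's own tooling). It assumes nothing about on-box APIs: the VLAN-to-port membership snapshot and the set of (VLAN, port) pairs that already have snooping enabled are constructed inline, and in practice would be parsed from "show vlan" and "show ip-security dhcp-snooping" output, which is out of scope here. Because EXOS drops the snooping configuration for a port as soon as the statically created VLAN leaves it, the script is written to be idempotent: run it after every reassignment (from a UPM trigger or off-box over SSH) and it emits only the "enable ip-security dhcp-snooping" lines that are actually missing, with the same violation-action arguments the original question used.

```python
"""Reconcile EXOS DHCP-snooping state against dynamic VLAN membership.

Added example, not from the thread or from Extreme's tooling. The inputs
below are constructed snapshots; the command format is the one quoted in
the original question. Port-list syntax "1:3,1:4" is the EXOS
comma-separated port list.
"""
from fnmatch import fnmatchcase

# Wildcard patterns in the style asked about in the thread.
SNOOP_PATTERNS = ["Student_*", "Employee_*"]

# Constructed sample membership snapshot: VLAN name -> ports currently
# assigned to it (would come from "show vlan" on a real switch).
VLAN_MEMBERSHIP = {
    "Student_4277": ["1:1", "1:2", "1:7"],
    "Employee_4311": ["1:3", "1:4"],
    "Servers_10": ["1:48"],  # matches no pattern, must be left alone
}

# Constructed snapshot of (vlan, port) pairs that already have snooping
# enabled (would come from "show ip-security dhcp-snooping").
CURRENT_SNOOPING = {
    ("Student_4277", "1:1"),
    ("Student_4277", "1:2"),
    ("Student_4277", "1:9"),  # stale: 1:9 left the VLAN, EXOS drops that config
}

# Violation handling copied from the command in the original question.
VIOLATION_SUFFIX = "violation-action drop-packet block-port duration 15"


def vlans_to_protect(membership, patterns):
    """VLAN names in the snapshot that match any wildcard pattern."""
    return sorted(v for v in membership if any(fnmatchcase(v, p) for p in patterns))


def desired_state(membership, patterns):
    """Every (vlan, port) pair that should have snooping enabled right now."""
    return {(v, port)
            for v in vlans_to_protect(membership, patterns)
            for port in membership[v]}


def missing_pairs(membership, patterns, current):
    """Pairs that need enabling. Stale entries in `current` for ports that
    have left the VLAN need no action, so only desired minus current matters."""
    return sorted(desired_state(membership, patterns) - current)


def enable_commands(membership, patterns, current):
    """One 'enable ip-security dhcp-snooping ...' line per VLAN with gaps."""
    by_vlan = {}
    for vlan, port in missing_pairs(membership, patterns, current):
        by_vlan.setdefault(vlan, []).append(port)
    return [
        f"enable ip-security dhcp-snooping vlan {vlan} ports {','.join(ports)} "
        f"{VIOLATION_SUFFIX}"
        for vlan, ports in sorted(by_vlan.items())
    ]


if __name__ == "__main__":
    # Running against an already-consistent switch prints nothing, which is
    # what makes it safe to trigger on every port change.
    for line in enable_commands(VLAN_MEMBERSHIP, SNOOP_PATTERNS, CURRENT_SNOOPING):
        print(line)
```

With the constructed snapshots this emits one line for Employee_4311 (ports 1:3,1:4, which had no snooping at all) and one for Student_4277 (only port 1:7, the newly assigned one); Servers_10 is untouched and the stale 1:9 entry is ignored. The GTAC caveat still applies: anything executed this way is outside what GTAC will support, so keep the generated commands reviewable (log them) rather than applying them blindly.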
4 weeks ago
How about using ONEPolicy instead of DHCP snooping? Example below is a simple policy with default action allow (without defined VLAN) and one deny role for udp source port 67:
configure policy profile 1 name "End user" pvid-status "enable" pvid 4095
configure policy rule 1 udpsourceportIP 67 mask 16 drop
Just assign this policy statically to every port:
configure policy rule admin-profile port port_number mask 16 port-string port_number admin-pid 1
And then you can change VLANs as you like.