03-18-2021 07:13 PM
I have a 5 stack 5520 switch with multiple vlans on it. I’m trying to program in the trusted DHCP servers for the vlans.
Here are the commands I'm pasting in:
configure trusted-ports 1:57 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.1 trust-for dhcp-server
configure trusted-servers vlan Default add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VOICE add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL2 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL3 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL5 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL6 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL7 add server 10.1.1.2 trust-for dhcp-server
configure trusted-servers vlan VL8 add server 10.1.1.2 trust-for dhcp-server
But after I get to the first 10.1.1.2 IP address above, I get this after the rest of the commands:
Error: No more than 8 trusted DHCP servers can be configured across all vlans.
It's only 2 DHCP servers. 10.1.1.1 and 10.1.1.2 run the Windows Server DHCP clustering service, so I have to put both IPs in for failover reasons.
What I am initially trying to do is ensure no rogue DHCP servers can be put on the network.
The uplink port is 1:57 (parent of an LACP load-sharing link 1:57,2:57,4:57,5:57 to both X690 core stacks running MLAG over those sharing ports).
The servers are all directly into the core switches, so I basically can trust anything on the core switches if that matters. Nothing in the core switch is plugged into any employee-accessible wall jack. That's only in the data room.
Is there another way about doing this?
03-19-2021 03:53 PM
To add arp protection to the above example, is this all I would need?
enable ip-security arp validation vlan VL7 ports 4:25 violation-action drop-packet snmp-trap
enable ip-security arp validation vlan VOICE ports 4:25 violation-action drop-packet snmp-trap
Then they couldn't ARP spoof and do a MITM attack? Are those commands effective enough?
03-19-2021 02:03 PM
Never mind, I did a disable port 4:25 and then an enable port 4:25.
I then saw the voice entry. Still didn't see the PC in the VL7 entry, so I ran cmd as admin and ran psexec -s \\computername ipconfig /renew and then I checked again and sure enough the entry showed.
The next step I want to do prior to migrating from our Cisco stack to this is test ARP inspection. On Cisco it works hand in hand with the DHCP snooping. I want to prevent ARP poisoning. It worked well after we implemented it on Cisco because one year a white hat hacker we paid did a pen test and ARP spoofed and did a MITM and gave us screenshots and a rundown of SMB shares he was able to access. We added the ARP spoofing protection and then the next year when they came in to do a pen test, they got nothing. We definitely do not want to lose that functionality moving from Cisco to Extreme.
The last question I have, besides tying this into rogue DHCP server protection, ARP inspection and protection, is what about statically assigned devices such as our printers, monitoring equipment, etc.? Just don't apply these ip-security commands to those ports? I guess that's the easy way. That plus MAC security will stop casual insiders from unplugging a printer and connecting in to do an ARP spoof (plus they would have to know that we didn't protect those ports in that way). On the Cisco side there was an ip bindings command. A real PITA but it was more secure. In some areas where they like to play "Musical Chairs" we just trusted those ports.
03-19-2021 01:54 PM
OK, so it's been a day and I still don't see any entries for the voice or data (VL7) VLANs on one of the test ports.
Here are the commands involved for test port 4:25:
enable ip-security dhcp-snooping vlan VL7 port 4:25 violation-action drop-packet snmp-trap
enable ip-security dhcp-snooping vlan VOICE port 4:25 violation-action drop-packet snmp-trap
and towards the uplink port on the switch:
enable ip-security dhcp-snooping vlan Default port 1:57 violation-action none
enable ip-security dhcp-snooping vlan GUEST-INET port 1:57 violation-action none
enable ip-security dhcp-snooping vlan MDM-INET port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL2 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL3 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL5 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL6 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL7 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VL8 port 1:57 violation-action none
enable ip-security dhcp-snooping vlan VOICE port 1:57 violation-action none
configure trusted-ports 1:57 trust-for dhcp-server
(Pretty sure I only need it on the parent uplink port of this LAG.)
Load Sharing Monitor
Config   Current  Agg      Min     Ld Share   Ld Share  Agg    Link  Link   Up
Master   Master   Control  Active  Algorithm  Flags     Group  Mbr   State  Transitions
================================================================================
1:57     1:57     LACP     1       L3_L4      A         1:57   Y     A      1
                                   L3_L4                2:57   Y     A      1
                                   L3_L4                4:57   Y     A      1
                                   L3_L4                5:57   Y     A      1
================================================================================
sh ip-security dhcp-snooping vlan VL7
DHCP Snooping enabled on ports: 4:25, 1:57
Trusted Ports: 1:57
Trusted DHCP Servers: None
Bindings Restoration : Enabled
Bindings Filename : 1600md-access-c.xsf
Bindings File Location :
Primary Server : 10.1.0.4, TFTP
Secondary Server: None
Bindings Write Interval : 30 minutes
Bindings last uploaded at: Fri Mar 19 09:28:57 2021
------------------------------------
Port Violation-action
------------------------------------
4:25 drop-packet, snmp-trap
sh ip-security dhcp-snooping entries VL7
------------------------------------------------------------------
Vlan: VL7
------------------------------------------------------------------
                           Lease Time   Server  Client
IP Addr     MAC Addr       (hh:mm:ss)   Port    Port
-------     --------       ----------   ------  ------
Total number of entries : 0
sh ip-security dhcp-snooping entries VOICE
------------------------------------------------------------------
Vlan: VOICE
------------------------------------------------------------------
                           Lease Time   Server  Client
IP Addr     MAC Addr       (hh:mm:ss)   Port    Port
-------     --------       ----------   ------  ------
Total number of entries : 0
03-18-2021 09:06 PM
Thanks, that worked to remove those trusted servers.
By "everything on the core is trusted" I mean there is no DHCP snooping going on at all. The only thing on the core that has anything to do with DHCP is the bootprelay commands taking our VLANs and pointing them to our DHCP servers.
Really what I mean about everything trusted at the core is nobody has access to plug anything in there. None of the core switch ports are patched to a patch panel where a regular person would have access. To plug into the core they would need to break into the computer room, and that would set off security and also text us that the door was open.
I'll play with this a bit more.
03-18-2021 08:59 PM
Yes. You either configure a trusted port or a DHCP server per VLAN.
Note that you also have to enable DHCP snooping.
More information: How To: How to configure DHCP Snooping on EXOS | Extreme Portal (force.com)
Not sure if this is the right approach. AFAIK you only need to configure the edge switches. (If you meant that all ports on the core are configured as trusted ports.)
Can't test it right now, but I would try
configure trusted-servers vlan Default delete server 10.1.1.1
or similar.
(That's the Extreme roulette - you never know if it's unconfigure, delete... 🙂)
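A small config audit in Python, added here as an example (not from the thread, not Extreme's code), that checks a pasted EXOS command set against the three points made in this thread: the switch-wide limit of 8 trusted DHCP servers that produced the error in the first post, the note that trusted servers do nothing until DHCP snooping is enabled on that VLAN, and a snooped VLAN that has neither a trusted port nor a trusted server. The sample inputs are constructed from the commands posted above; the `ports?` spelling in the regexes and the per-line parsing are assumptions.

```python
import re
from collections import defaultdict

MAX_TRUSTED_SERVERS = 8  # switch-wide limit reported by the error in the thread

SNOOP_RE = re.compile(r"^enable ip-security dhcp-snooping vlan (\S+) ports? (\S+)")
TPORT_RE = re.compile(r"^configure trusted-ports (\S+) trust-for dhcp-server")
TSRV_RE = re.compile(r"^configure trusted-servers vlan (\S+) add server (\S+) trust-for dhcp-server")

def audit_dhcp_snooping(config_text):
    """Parse pasted EXOS lines; return findings (an empty list means the set is consistent)."""
    snooped = defaultdict(set)          # vlan -> ports with dhcp-snooping enabled
    trusted_ports = set()               # trusted-ports are switch-wide, not per VLAN
    trusted_servers = defaultdict(set)  # vlan -> trusted DHCP server IPs
    for line in config_text.splitlines():
        line = line.strip()
        if m := SNOOP_RE.match(line):
            snooped[m.group(1)].add(m.group(2))
        elif m := TPORT_RE.match(line):
            trusted_ports.add(m.group(1))
        elif m := TSRV_RE.match(line):
            trusted_servers[m.group(1)].add(m.group(2))
    findings = []
    total = sum(len(ips) for ips in trusted_servers.values())
    if total > MAX_TRUSTED_SERVERS:  # counted across all VLANs, as the error message says
        findings.append(f"{total} trusted-server entries exceed the limit of {MAX_TRUSTED_SERVERS}; "
                        "trust the uplink port instead of listing every server per VLAN")
    for vlan in trusted_servers:  # trusted servers do nothing until snooping is on for that VLAN
        if vlan not in snooped:
            findings.append(f"{vlan}: trusted servers configured but dhcp-snooping not enabled")
    for vlan in snooped:  # a snooped VLAN needs either a trusted port or a trusted server
        if not trusted_ports and not trusted_servers.get(vlan):
            findings.append(f"{vlan}: snooping enabled with no trusted port or server; legitimate offers would be violations")
    return findings

VLANS = ["Default", "VOICE", "VL2", "VL3", "VL5", "VL6", "VL7", "VL8"]
# Constructed sample mirroring the original paste: both servers listed for every VLAN (16 entries).
PER_VLAN_SERVERS = "\n".join(
    f"configure trusted-servers vlan {v} add server {ip} trust-for dhcp-server"
    for ip in ("10.1.1.1", "10.1.1.2") for v in VLANS)
# Constructed sample of the trusted-uplink approach: snoop the access port, trust the LAG master.
TRUSTED_UPLINK = """
enable ip-security dhcp-snooping vlan VL7 ports 4:25 violation-action drop-packet snmp-trap
enable ip-security dhcp-snooping vlan VOICE ports 4:25 violation-action drop-packet snmp-trap
enable ip-security dhcp-snooping vlan VL7 ports 1:57 violation-action none
enable ip-security dhcp-snooping vlan VOICE ports 1:57 violation-action none
configure trusted-ports 1:57 trust-for dhcp-server
"""
```

Running `audit_dhcp_snooping(PER_VLAN_SERVERS)` reproduces the over-limit condition plus one "snooping not enabled" finding per VLAN, while `audit_dhcp_snooping(TRUSTED_UPLINK)` returns no findings.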