11-19-2019 01:02 PM
Hello Community,
I was wondering about the appropriate way to configure ARP Validation in an Extreme Access Control Environment with dynamically assigned VLANs.
From what I have found so far, you have to configure ARP Validation per vlan and port. This is not possible if the vlan, which should later be dynamically assigned to the port, is not statically configured on the port:
* EXOS-VM.2 # enable ip-security dhcp-snooping vlan red ports 1 violation-action drop-packet block-mac duration 300 snmp-trap
ERROR: Port 1 does not belong to vlan red.
* EXOS-VM.4 # enable ip-security arp validation vlan red ports 1 violation-action drop-packet snmp-trap
ERROR: Port 1 does not belong to vlan red.
I have seen that in XOS 30.2 a Dynamic VLAN and VLAN ID option has been added. I assume this option is only for VLANs created in a Fabric Connect environment and not for VLANs dynamically assigned based on authentication. Is my assumption correct?
I know that IP-Security Features apply after the Authentication takes place. What I would not want to do is an implementation with a port macro - if this is even possible.
Could someone please help me?
Kind regards
Michael
05-13-2021 06:08 AM
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command. In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.
05-14-2021 07:19 AM
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command. In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.
05-05-2021 03:21 PM
I'd be interested to know this too.