
ARP Validation with dynamically assigned VLANs

Michael_Eisensc
New Contributor II

Hello Community,

I was wondering about the appropriate way to configure ARP Validation in an Extreme Access Control Environment with dynamically assigned VLANs.

From what I have found so far, you have to configure ARP Validation per VLAN and port. This is not possible if the VLAN, which should later be dynamically assigned to the port, is not statically configured on the port:

* EXOS-VM.2 # enable ip-security dhcp-snooping vlan red ports 1 violation-action drop-packet block-mac duration 300 snmp-trap

ERROR: Port 1 does not belong to vlan red.

* EXOS-VM.4 # enable ip-security arp validation vlan red ports 1 violation-action drop-packet snmp-trap

ERROR: Port 1 does not belong to vlan red.

I have seen that in XOS 30.2 a Dynamic VLAN and VLAN ID option has been added. I assume this option is only for VLANs created in a Fabric Connect environment and not for VLANs dynamically assigned based on authentication. Is my assumption correct?

I know that IP-Security Features apply after the Authentication takes place. What I would not want to do is an implementation with a port macro - if this is even possible.

Could someone please help me?

Kind regards

Michael

1 ACCEPTED SOLUTION

Pullin1458
New Contributor

You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command. In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.

3 REPLIES

jeronimo
Contributor III

I'd be interested to know this too.
