Hi Danny,
I guess it would be a good start with only one Switch, for example the Switch you are connected to.
And I guess it would be only necessary to configure dhcp-snooping or dhcpv4-snooping on the client access-layer switches only.
If you do not encounter any problems with dhcp-snooping, you can think of implementing arp-protection (AOS-S) or arp inspection (AOS-CX) as an additional protection tool. It prevents hosts without a DHCP IP from accessing the network. So be careful. If you're using manually configured IPs on clients then do not use it. And do not use it on server access switches^^
AOS-S:
conf t
arp-protect trust Trk1
arp-protect vlan 998
arp-protect
end
!
sh arp-protect
sh arp-protect statistics 998
!
AOS-CX:
interface lag 200
arp inspection trust
exit
! Attention, with configuring vlans arp-inspection will be active !
vlan 998
arp inspection
exit
!
sh arp inspection ?
sh arp inspection statistics vlan
------------------------------
Robert Großmann
------------------------------
Original Message:
Sent: Oct 13, 2021 09:36 AM
From: Daniel Awayevu
Subject: IP Snooping Configuration on Aruba Switches
Hello Team,
Thanks for the excellent feedback
I will try these and get back.
Cheers
Original Message:
Sent: 10/12/2021 4:20:00 AM
From: Whitehawk29FR
Subject: RE: IP Snooping Configuration on Aruba Switches
Hello, for Aruba CX:
1) Enable dhcp snooping globally:
dhcpv4-snooping
2) Enable dhcp snooping on each vlan:
vlan 1
dhcpv4-snooping
vlan 2
dhcpv4-snooping
....
3) Trust your DHCP server ports AND uplink ports:
interface 1/1/X
dhcpv4-snooping trust
Then you can control dhcp snooping config with:
show dhcpv4-snooping statistics
show dhcpv4-snooping binding
------------------------------
Laurent from Brest / France
Network Engineer
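With more than 50 switches, the three steps above are easier to verify from saved configurations than by eye. The following is an added example, not part of the thread or Aruba's tooling: it assumes an AOS-CX running-config saved as text with context lines indented under `vlan` / `interface`, and the function name, sample config and expected-trust list are constructed for illustration. The "ARP inspection without snooping" check reflects the description in this thread that ARP inspection blocks hosts without a DHCP-learned IP.

```python
import re

# Constructed sample of an AOS-CX running-config (not taken from the thread).
SAMPLE_CONFIG = """\
dhcpv4-snooping
vlan 1
    dhcpv4-snooping
vlan 84
    dhcpv4-snooping
vlan 998
    arp inspection
interface lag 200
    dhcpv4-snooping trust
    arp inspection trust
interface 1/1/5
    dhcpv4-snooping trust
"""

def audit_snooping(config, expected_trusted):
    """Audit one switch config. expected_trusted is the set of uplink and
    DHCP-server interfaces that are allowed to carry 'dhcpv4-snooping trust'."""
    global_on, section = False, (None, None)
    all_vlans, snoop_vlans, arp_vlans, trusted = set(), set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():            # top-level line opens a new context
            m = re.match(r"(vlan|interface)\s+(.+)$", line)
            section = m.groups() if m else (None, None)
            if m and m.group(1) == "vlan":
                all_vlans.add(m.group(2))
            elif line == "dhcpv4-snooping":  # step 1: global enable
                global_on = True
            continue
        kind, name = section
        if kind == "vlan" and line == "dhcpv4-snooping":      # step 2
            snoop_vlans.add(name)
        elif kind == "vlan" and line == "arp inspection":
            arp_vlans.add(name)
        elif kind == "interface" and line == "dhcpv4-snooping trust":  # step 3
            trusted.add(name)
    return {
        "global_enabled": global_on,
        "vlans_without_snooping": sorted(all_vlans - snoop_vlans),
        "arp_inspection_without_snooping": sorted(arp_vlans - snoop_vlans),
        "unexpected_trusted_ports": sorted(trusted - set(expected_trusted)),
    }
```

An access port that shows up under `unexpected_trusted_ports` is the finding to chase first, since a rogue DHCP server plugged into a trusted port is not filtered.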
Original Message:
Sent: Oct 09, 2021 09:37 AM
From: Daniel Awayevu
Subject: IP Snooping Configuration on Aruba Switches
Dear All
We have a challenge blocking a rogue DHCP server on the network. I read about IP snooping that will help resolve this issue, however I don't know the switch on which to configure snooping. The reason being that we have over 50 switches with different vlans.
The legitimate DHCP server is on vlan 84.
Please, how will I be able to stop any rogue DHCP server plugged into any of the multiple vlans on the network?
Thanks.
Regards
Danny