Wired Intelligent Edge


Bring performance and reliability to your network with the Aruba core, aggregation, and access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network as part of a mobile-first solution.

IP Snooping Configuration on Aruba Switches

  • 1.  IP Snooping Configuration on Aruba Switches

    Posted Oct 09, 2021 09:38 AM
    Dear All
    We have a challenge blocking a rogue DHCP server on the network. I read about IP snooping, which will help resolve this issue; however, I don't know the switch on which to configure snooping, the reason being that we have over 50 switches with different VLANs.

    The legitimate DHCP server is on VLAN 84.
    Please, how will I be able to stop any rogue DHCP server plugged into any of the multiple VLANs on the network?

    Thanks. 
    Regards
    Danny
    --
    Stay Blessed
    WhatsApp:+233505093050
    +233559449484
    Skype: dkawayevu


  • 2.  RE: IP Snooping Configuration on Aruba Switches

    Posted Oct 11, 2021 02:59 AM

    Hello Danny,

    Please search for the configuration guides for your network switches or platform (like Aruba OS AOS or Aruba CX AOS-CX).

    Your desired function is DHCP Snooping.

    In general (if you do not use Aruba Central) you have to configure trusted ports in a first step, where you are expecting to receive DHCP offers.
    Then you enable DHCP snooping on a per-VLAN basis and/or in general. I'm not sure in case of the different Aruba products.
    Edit: on Aruba CX it has to be enabled globally AND per VLAN. I do not see an option to enable it for all configured VLANs...

    For Aruba CX I found this: AOS-CX 10.06 IP Services Guide 6300, 6400 Switch Series - DHCP snooping (arubanetworks.com)

    Or a community entry: How To Configure DHCP Snooping (arubanetworks.com)

    In this thread someone says configuring an explicit trusted (authorized) DHCP server IP can make trouble, so please do not use it: DHCP Snooping - Why would I want to protect all the configured VLANs | Wired Intelligent Edge (arubanetworks.com)



    ------------------------------
    Robert Großmann
    ------------------------------



  • 3.  RE: IP Snooping Configuration on Aruba Switches

    Posted Oct 12, 2021 04:20 AM
    Hello, for Aruba CX:

    1) Enable DHCP snooping globally:
    dhcpv4-snooping

    2) Enable DHCP snooping on each VLAN:
    vlan 1
      dhcpv4-snooping
    vlan 2
      dhcpv4-snooping
    ....

    3) Trust your DHCP server ports AND uplink ports:
    interface 1/1/X
      dhcpv4-snooping trust

    Then you can check the DHCP snooping configuration with:
    show dhcpv4-snooping statistics
    show dhcpv4-snooping binding

    ------------------------------
    Laurent from Brest / France
    Network Engineer
    ------------------------------



  • 4.  RE: IP Snooping Configuration on Aruba Switches

    Posted Oct 13, 2021 09:36 AM
    Hello Team,
    Thanks for the excellent feedback 
    I will try these and get back. 
    Cheers






  • 5.  RE: IP Snooping Configuration on Aruba Switches

    Posted Oct 13, 2021 10:08 AM

    Hi Danny,

    I guess it would be a good start with only one switch, for example the switch you are connected to.

    And I guess it would only be necessary to configure dhcp-snooping or dhcpv4-snooping on the client access-layer switches.

    If you do not encounter any problems with DHCP snooping, you can think of implementing ARP protection (AOS-S) or ARP inspection (AOS-CX) as an additional protection tool. It prevents hosts without a DHCP-assigned IP from accessing the network. So be careful. If you're using manually configured IPs on clients, then do not use it. And do not use it on server access switches^^

    AOS-S:
    conf t
    arp-protect trust Trk1
    arp-protect vlan 998
    arp-protect
    end
    !
    sh arp-protect
    sh arp-protect statistics 998
    !

    AOS-CX:
    interface lag 200
       arp inspection trust
       exit
    ! Attention: as soon as it is configured on a VLAN, ARP inspection is active on that VLAN !
    vlan 998
      arp inspection
      exit
    !
    sh arp inspection ?
    sh arp inspection statistics vlan



    ------------------------------
    Robert Großmann
    ------------------------------
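The thread's two procedures (post 3: trust ports, enable DHCP snooping globally, then per VLAN; post 5: add ARP inspection, but never on VLANs with statically addressed hosts or on server access switches) have to be repeated for each of the 50+ access switches, and AOS-CX has no "all VLANs" option. The generator below is an added example, not code from the thread or from Aruba: it emits the AOS-CX CLI lines shown in posts 3 and 5 from a per-switch inventory and refuses the two configurations the posts warn about. The inventory, switch names and interface names are constructed for illustration; the `AccessSwitch` and `render_aoscx` names are this example's own.

```python
"""Build the AOS-CX DHCP snooping / ARP inspection config for access switches,
in the order the posts above recommend: trust the uplinks and server-facing
ports first, then enable globally, then per VLAN (example code, not Aruba's)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AccessSwitch:
    name: str
    vlans: list[int]                  # client VLANs carried on this switch
    trusted_ifaces: list[str]         # uplinks / LAGs toward the DHCP server, e.g. "lag 1", "1/1/48"
    static_ip_vlans: set[int] = field(default_factory=set)  # hosts with manual IPs: no ARP inspection
    server_access: bool = False       # server-facing access switch: never enable ARP inspection


def render_aoscx(sw: AccessSwitch, arp_inspection: bool = False) -> list[str]:
    """Return the AOS-CX CLI lines for one switch, or raise if the request is unsafe."""
    if not sw.trusted_ifaces:
        # With snooping on and no trusted port, every DHCP offer (the legitimate
        # server's included) is dropped and clients stop getting leases.
        raise ValueError(f"{sw.name}: no trusted interface toward the DHCP server")
    if arp_inspection and sw.server_access:
        raise ValueError(f"{sw.name}: do not enable ARP inspection on a server access switch")

    lines: list[str] = []
    # 1) trust the uplinks before enabling anything, so no offer is dropped in between
    for iface in sw.trusted_ifaces:
        lines += [f"interface {iface}", "    dhcpv4-snooping trust"]
        if arp_inspection:
            lines.append("    arp inspection trust")
        lines.append("    exit")
    # 2) global enable
    lines.append("dhcpv4-snooping")
    # 3) per-VLAN enable (AOS-CX needs both the global and the per-VLAN command)
    for vid in sw.vlans:
        lines += [f"vlan {vid}", "    dhcpv4-snooping"]
        # ARP inspection is active as soon as it is configured on a VLAN, so skip
        # VLANs that carry manually addressed hosts (they would lose connectivity)
        if arp_inspection and vid not in sw.static_ip_vlans:
            lines.append("    arp inspection")
        lines.append("    exit")
    return lines


# Verification commands from posts 3 and 5, run after the config is applied
VERIFY = [
    "show dhcpv4-snooping statistics",
    "show dhcpv4-snooping binding",
    "show arp inspection statistics vlan",
]

# Constructed inventory for illustration; not real switches
INVENTORY = [
    AccessSwitch("access-01", vlans=[10, 20, 30], trusted_ifaces=["lag 1"], static_ip_vlans={30}),
    AccessSwitch("access-02", vlans=[10, 40], trusted_ifaces=["1/1/47", "1/1/48"]),
]

if __name__ == "__main__":
    for sw in INVENTORY:
        print(f"! ---- {sw.name} ----")
        print("\n".join(render_aoscx(sw, arp_inspection=True)))
        print("! verify with: " + "; ".join(VERIFY))
```

Roll it out the way post 5 suggests: generate and apply the DHCP snooping part for one access switch first (`arp_inspection=False`), confirm with `show dhcpv4-snooping binding` that clients are still getting leases, and only then add ARP inspection. The server-access switch where VLAN 84 lives is the one place this generator should never run with ARP inspection on.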