implementing DHCP Snooping and Dynamic ARP Protection in Aruba 2930F switch

  • 1.  implementing DHCP Snooping and Dynamic ARP Protection in Aruba 2930F switch

    Posted Feb 20, 2024 04:14 AM

    Hi, 

    I am tasked to implement DHCP Snooping and Dynamic ARP Protection, and this is my first time doing this on an Aruba 2930 switch.

    I have read that this could cause network disconnections if done wrongly.

    Asking for expert advice from anyone who can provide some points to consider in implementing this.

    I have a firewall that connects to the Aruba 2930 switch, and Aruba 510 APs are connected to specific ports on the switch.

    The firewall serves as the DHCP server and the switch is just using the default VLAN.

    Clients connect via LAN and wireless.

    Thank you in advance.



  • 2.  RE: implementing DHCP Snooping and Dynamic ARP Protection in Aruba 2930F switch

    EMPLOYEE
    Posted Feb 20, 2024 05:45 AM

    Enable DHCP snooping globally and on the user VLAN. Make the uplink port trusted for DHCP snooping and ARP Inspection.
    Based on DHCP Snooping, the switch will learn the client MAC and client IP.
    The ARP inspection feature relies on the IP Binding database to verify the ARP packets.
    Ensure that DHCP Snooping is enabled on the same VLAN as ARP Inspection.



    ------------------------------
    Kapildev Erampu
    Systems Engineer, ACEX#94
    Aruba, a Hewlett Packard Enterprise company
    Any opinions expressed here are solely my own and not necessarily that of HPE
    ------------------------------
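
The relationship described in the reply above (DHCP snooping builds the binding table, ARP inspection checks ARP packets against it) can be sketched as a small model. This is an added example, not part of the thread and not the switch's implementation; the class, port numbers, addresses and MACs are constructed for illustration, and the check is simplified to IP-to-MAC per VLAN.

```python
# Simplified, constructed model of DHCP snooping feeding the binding table
# that ARP inspection consults on untrusted ports. Not vendor code.
from dataclasses import dataclass, field

@dataclass
class Switch:
    dhcp_trusted: set   # ports allowed to carry DHCP server replies
    arp_trusted: set    # ports whose ARP packets are not inspected
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> mac

    def dhcp_ack(self, in_port, vlan, client_ip, client_mac):
        """A server ACK arrives on in_port; learn a binding only if trusted."""
        if in_port not in self.dhcp_trusted:
            return "drop"           # server reply from an untrusted port
        self.bindings[(vlan, client_ip)] = client_mac
        return "forward"

    def arp(self, in_port, vlan, sender_ip, sender_mac):
        """An ARP packet arrives on in_port; verify sender IP/MAC."""
        if in_port in self.arp_trusted:
            return "forward"        # trusted ports bypass inspection
        learned = self.bindings.get((vlan, sender_ip))
        if learned is None:
            return "drop"           # no snooped lease for this IP
        return "forward" if learned == sender_mac else "drop"

def demo():
    # Port 6 is the trusted uplink; ports 2 and 4 are untrusted (assumed layout).
    sw = Switch(dhcp_trusted={6}, arp_trusted={6})
    return {
        # DHCP server reply entering through an untrusted port
        "rogue_ack": sw.dhcp_ack(2, 1, "192.0.2.66", "02:00:00:00:00:66"),
        # Legitimate lease handed out via the trusted uplink
        "ack": sw.dhcp_ack(6, 1, "192.0.2.10", "02:00:00:00:00:10"),
        # Client with a snooped lease sends ARP from an untrusted port
        "client_arp": sw.arp(2, 1, "192.0.2.10", "02:00:00:00:00:10"),
        # Another host claims the client's IP with a different MAC
        "spoofed_arp": sw.arp(4, 1, "192.0.2.10", "02:00:00:00:00:66"),
        # Host with a static IP (no lease was ever snooped)
        "static_host_arp": sw.arp(4, 1, "192.0.2.50", "02:00:00:00:00:50"),
        # Gateway ARP arriving on the trusted uplink
        "uplink_arp": sw.arp(6, 1, "192.0.2.1", "02:00:00:00:00:01"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The `static_host_arp` case is the disconnection risk: in this model, a host on an untrusted port with no snooped lease has its ARP dropped even though it is legitimate.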



  • 3.  RE: implementing DHCP Snooping and Dynamic ARP Protection in Aruba 2930F switch

    Posted Feb 20, 2024 10:34 PM

    Hi Kapildev,

    Thank you for the advice.

    Below is the current dhcp-snooping configuration in place:

    =============================================

    dhcp-snooping
    dhcp-snooping authorized-server 10.xx.xx.1
    dhcp-snooping vlan 1 
    interface 1/2
       name "Link-to_AP"
       exit
    interface 1/4
       name "Link-to-AP"
       exit
    interface 1/6
       dhcp-snooping trust
       name "Link-to-Firewall"
       exit

    =============================================
    Commands I thought of implementing:

    arp-protect
    arp-protect vlan 1 
    arp-protect trust ethernet 1/6

    =============================================  

    Is there a need to trust the link going to the APs for both dhcp-snooping and arp-protect?

    Is there anything else missing that I need to input?

    How can I check the IP Binding Database? What is the command to use?

    Thank you in advance.

    Jeremy