XGS3700 - problem with IP Source Guard

imaohw
imaohw Posts: 123  Ally Member
edited August 2022 in Switch

I have 3 XGS3700 switches in a stack running v4.30 firmware. I had the need to set up IP Source Guard to perform DHCP Snooping to eliminate the possibility of unauthorized DHCP servers on the network.

I have 8 VLANs configured on the XGS3700. A USG1100 provides DHCP services to each VLAN (through separately defined DHCP servers).

After configuring DHCP Snooping, setting up a TFTP server, trusting the switch ports which have authorized DHCP servers connected to them, and enabling each of the 8 VLANs for DHCP Snooping, everything seems to work except that there are no entries in the IP Source Guard table of IPs and corresponding MAC addresses.

I have tried to view the table through the web UI and through the CLI. There are also no entries in the DHCP Snooping "database" on the TFTP server.

Client devices can get IP addresses from the DHCP servers. If I set the ports to Untrusted, the client devices cannot get IP addresses. However, nothing I have tried puts entries in the DHCP table other than static binding entries.

What am I doing wrong?
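The procedure described in the post, written out as an added configuration example (not the poster's config and not taken from Zyxel documentation). The command syntax follows the Zyxel switch CLI conventions as I know them and should be checked against the XGS3700 CLI reference; the VLAN IDs, port numbers, TFTP server address and file name are assumptions, since the post does not give them. Lines starting with `!` are annotations for the reader, not CLI input.

```text
! --- DHCP snooping (assumed VLAN IDs 10..80, assumed TFTP server 192.168.1.250) ---
configure
dhcp snooping
dhcp snooping vlan 10,20,30,40,50,60,70,80
dhcp snooping database tftp://192.168.1.250/xgs3700-snoop.db
! Only the ports facing the USG1100 (the authorised DHCP server) are trusted.
! Every other port stays untrusted, so DHCP OFFER/ACK arriving there is dropped
! and a rogue server on an access port cannot hand out leases.
interface port-channel 1-2
  dhcp snooping trust
exit
! --- ARP inspection: reuses the snooping binding table, so it needs the same ---
! --- trusted ports and the same VLAN list, or legitimate ARP will be dropped ---
arp inspection
arp inspection vlan 10,20,30,40,50,60,70,80
interface port-channel 1-2
  arp inspection trust
exit
! A host that already holds a long lease will not appear in the table until it
! renews; a static binding keeps it reachable in the meantime (assumed values).
ip source binding 00:1a:2b:3c:4d:03 vlan 10 192.168.10.23 interface port-channel 7
exit
! --- Verification ---
show dhcp snooping
show dhcp snooping binding
show ip source binding
show arp inspection
```

Check `show dhcp snooping binding` after a client on an untrusted port renews its lease; dynamic entries should appear there and in the TFTP database file, while `show ip source binding` also lists the static entries.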

All Replies

  • Zyxel_Derrick
    Zyxel_Derrick Posts: 126  Zyxel Employee

    Hi @imaohw


    Please try to enable arp inspection at the same time and then you will see the binding table appear.

    To enable the ARP inspection, remember to set the trust ports the same as for DHCP snooping and enable the 8 VLANs you have.

    If there are any other questions, please let us know.

    Thanks


    Zyxel_Derrick

  • imaohw
    imaohw Posts: 123  Ally Member
    edited December 2019

    @Zyxel_Derrick - If I enable ARP inspection and the binding table is not fully built (some of my subnets have long DHCP lease times), don't I risk blocking ARP packets?

    I had hoped to review the binding table created by DHCP Snooping before enabling ARP inspection.

    Is the XGS3700 supposed to display the binding table without enabling ARP inspection? Is this a bug?
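The concern raised in this reply, modelled as an added example (my code, not Zyxel's and not the switch's real implementation): dynamic ARP inspection on an untrusted port forwards an ARP packet only if the sender MAC/IP/VLAN/port tuple matches a snooping or static binding. The binding-table text is constructed in a generic column layout; the real `show dhcp snooping binding` output format, MAC addresses, IPs and port numbers are assumptions. It shows the spoofing case the feature is meant to stop and the failure mode the poster describes: a legitimate host that obtained its lease before snooping was enabled is dropped until it renews or receives a static binding.

```python
"""Model of the forwarding decision ARP inspection makes using the
DHCP snooping binding table (added illustration, not vendor code)."""
from dataclasses import dataclass

# Constructed sample of a snooping binding table (column layout assumed).
BINDING_TABLE = """\
MacAddress         IpAddress      Lease(sec)  Type           VLAN  Port
00:1a:2b:3c:4d:01  192.168.10.21  86400       dhcp-snooping  10    5
00:1a:2b:3c:4d:02  192.168.10.22  86400       dhcp-snooping  10    6
00:1a:2b:3c:4d:99  192.168.20.50  infinite    static         20    12
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int
    static: bool


@dataclass(frozen=True)
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: int


def parse_binding_table(text):
    """Parse the constructed table layout into Binding records (header skipped)."""
    bindings = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        mac, ip, _lease, btype, vlan, port = line.split()
        bindings.append(Binding(mac.lower(), ip, int(vlan), int(port), btype == "static"))
    return bindings


def static_binding(mac, ip, vlan, port):
    """What an `ip source binding` style static entry adds to the table."""
    return Binding(mac.lower(), ip, vlan, port, True)


def arp_allowed(pkt, bindings, trusted_ports, inspected_vlans):
    """True if ARP inspection would forward the packet.

    Trusted ports (the DHCP server / uplink ports) and VLANs not enabled for
    inspection are never checked. On an untrusted port in an inspected VLAN
    the sender MAC, sender IP, VLAN and ingress port must all match one
    binding; otherwise the packet is dropped. Lease time is irrelevant:
    a host that has not (re)requested a lease since snooping was enabled
    has no entry and is dropped even though it is legitimate.
    """
    if pkt.ingress_port in trusted_ports or pkt.vlan not in inspected_vlans:
        return True
    return any(
        b.mac == pkt.sender_mac.lower()
        and b.ip == pkt.sender_ip
        and b.vlan == pkt.vlan
        and b.port == pkt.ingress_port
        for b in bindings
    )


def demo():
    """Walk through the cases discussed in the thread; returns the verdicts."""
    bindings = parse_binding_table(BINDING_TABLE)
    trusted, vlans = {1}, {10, 20}
    known = ArpPacket("00:1a:2b:3c:4d:01", "192.168.10.21", 10, 5)
    spoof = ArpPacket("00:1a:2b:3c:4d:07", "192.168.10.21", 10, 7)   # claims .21 from port 7
    uplink = ArpPacket("00:50:56:ab:cd:ef", "192.168.10.1", 10, 1)   # gateway on trusted port
    # Legitimate host holding a long lease obtained before snooping was on.
    old_lease = ArpPacket("00:1a:2b:3c:4d:03", "192.168.10.23", 10, 7)
    repaired = bindings + [static_binding("00:1a:2b:3c:4d:03", "192.168.10.23", 10, 7)]
    return {
        "known_host": arp_allowed(known, bindings, trusted, vlans),
        "spoofed_ip": arp_allowed(spoof, bindings, trusted, vlans),
        "trusted_uplink": arp_allowed(uplink, bindings, trusted, vlans),
        "old_lease_no_binding": arp_allowed(old_lease, bindings, trusted, vlans),
        "old_lease_static_binding": arp_allowed(old_lease, repaired, trusted, vlans),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} -> {'forward' if verdict else 'drop'}")
```

The `old_lease_no_binding` case is the risk the reply points at: until every client has renewed (or been given a static binding) after snooping is enabled, turning on ARP inspection drops those hosts' ARP traffic on untrusted ports.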

  • Zyxel_Derrick
    Zyxel_Derrick Posts: 126  Zyxel Employee

    Hi @imaohw


    Sorry for my mistake.

    I would like to clarify: the issue is that after configuring DHCP snooping and enabling VLANs, you can't see the table below, am I right?


    If yes, may I know what FW version you use? (4.30 patch 2 or ?)

    Also, could you PM me your config?

    That way we can have a better understanding of the problem you have encountered.

    Thanks


    Zyxel_Derrick

  • imaohw
    imaohw Posts: 123  Ally Member

    @Zyxel_Derrick - Looking into the issue further, I noticed that the date/time on the XGS3700 was wrong. For some reason the switch could no longer reach the configured NTP server.

    Using the Diagnostic menu option, I tried to ping the NTP server and that didn't work. Next I tried to ping the USG1100, which acts as the gateway, and that didn't work. In fact, the XGS3700 could no longer ping any devices on the LAN or WAN.

    Devices connected to the XGS3700 were still passing traffic and they could ping other devices on the LAN and WAN.

    Fortunately it was late at night, so I decided to reboot the XGS3700. That fixed the ping and time issues. In addition, the IP Source Guard binding table started to populate.

    I'm not sure what was wrong. I am running firmware V4.30(AAGC.2). I will monitor and report back if the issue reappears.