XGS3700 - problem with IP Source Guard

imaohw Member Posts: 66 Ally Member

I have 3 XGS3700 switches in a stack running v4.30 firmware. I had the need to set up IP Source Guard to perform DHCP Snooping to eliminate the possibility of unauthorized DHCP servers on the network.

I have 8 vlans configured on the XGS3700. A USG1100 provides DHCP services to each vlan (through separately defined DHCP servers).

After configuring DHCP Snooping, setting up a tftp server, trusting the switch ports which have authorized DHCP servers connected to them, and enabling each of the 8 vlans for DHCP Snooping everything seems to work except there are no entries in the IP Source Guard table of IPs and corresponding MAC Addresses.

I have tried to view the table through the web UI and through the CLI. There are also no entries in the DHCP Snooping "database" on the tftp server.

Client devices can get IP addresses from the DHCP servers. If I set the ports to Untrusted, the client devices cannot get IP addresses. However, nothing I have tried puts entries in the DHCP table other than static binding entries.

What am I doing wrong?

All Replies

  • Zyxel_Derrick Zyxel Official Agent Posts: 52 mod

    Hi @imaohw


    Please try to enable ARP inspection at the same time, and then you will see the binding table appear.

    To enable ARP inspection, remember to set the trusted ports the same as for DHCP snooping and enable the 8 vlans you have.

    If there is any other question, please let us know.

    Thanks


    Zyxel_Derrick

  • imaohw Member Posts: 66 Ally Member
    edited December 10, 2019 8:44AM

    @Zyxel_Derrick - If I enable ARP inspection and the binding table is not fully built (some of my subnets have long DHCP lease times), don't I risk blocking ARP packets?

    I had hoped to review the binding table created by DHCP Snooping before enabling arp inspection.

    Is the XGS3700 supposed to display the binding table without enabling ARP inspection? Is this a bug?
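The exchange above (trusted ports shared by DHCP snooping and ARP inspection, and the concern about ARP being dropped while the binding table is still incomplete) can be modelled in a few lines. The following is an added illustration written for this thread, not Zyxel code and not a description of the XGS3700 internals: it learns a binding only from a DHCPACK on a trusted port, drops DHCP server messages arriving on untrusted ports, and lets ARP inspection validate ARP against that table. The MAC addresses, IPs, VLAN and port numbers are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132); only the ones used here.
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
SERVER_MSGS = {DHCPOFFER, DHCPACK}   # only a DHCP server legitimately sends these

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int

@dataclass
class DhcpPacket:
    msg_type: int
    client_mac: str   # chaddr
    yiaddr: str       # address offered/assigned; "0.0.0.0" in client messages

@dataclass
class ArpPacket:
    sender_mac: str
    sender_ip: str

@dataclass
class Switch:
    snoop_vlans: set[int] = field(default_factory=set)
    trusted_ports: set[int] = field(default_factory=set)     # ports facing real DHCP servers
    arp_inspect_vlans: set[int] = field(default_factory=set)
    # binding table keyed by (vlan, mac); static entries are simply added by hand
    bindings: dict[tuple[int, str], Binding] = field(default_factory=dict)
    # untrusted port on which each client last sent DISCOVER/REQUEST
    pending: dict[tuple[int, str], int] = field(default_factory=dict)

def handle_dhcp(sw: Switch, pkt: DhcpPacket, in_port: int, vlan: int) -> str:
    """DHCP snooping decision for one packet; returns 'forward' or 'drop'."""
    if vlan not in sw.snoop_vlans:
        return "forward"                 # snooping off on this VLAN: no filtering, no learning
    if pkt.msg_type in SERVER_MSGS:
        if in_port not in sw.trusted_ports:
            return "drop"                # server message on an untrusted port: rogue server
        if pkt.msg_type == DHCPACK:      # lease confirmed: learn (vlan, mac, ip, client port)
            client_port = sw.pending.pop((vlan, pkt.client_mac), None)
            if client_port is not None:
                sw.bindings[(vlan, pkt.client_mac)] = Binding(
                    pkt.client_mac, pkt.yiaddr, vlan, client_port)
        return "forward"
    if in_port not in sw.trusted_ports:  # client message: remember which port asked
        sw.pending[(vlan, pkt.client_mac)] = in_port
    return "forward"

def handle_arp(sw: Switch, pkt: ArpPacket, in_port: int, vlan: int) -> str:
    """ARP inspection: untrusted ports may only send ARP that matches a binding."""
    if vlan not in sw.arp_inspect_vlans or in_port in sw.trusted_ports:
        return "forward"
    b = sw.bindings.get((vlan, pkt.sender_mac))
    return "forward" if b is not None and b.ip == pkt.sender_ip else "drop"

# Constructed addresses for the walkthrough.
CLIENT_A = "00:11:22:33:44:01"
CLIENT_B = "00:11:22:33:44:02"
ROGUE = "de:ad:be:ef:00:01"

def demo() -> dict:
    """Port 1 faces the real DHCP server; ports 5, 6, 7 are untrusted client ports."""
    sw = Switch(snoop_vlans={10}, trusted_ports={1}, arp_inspect_vlans={10})
    out = {}
    # Rogue server answering on an untrusted port is dropped by snooping.
    out["rogue_offer"] = handle_dhcp(sw, DhcpPacket(DHCPOFFER, CLIENT_A, "10.0.10.99"), 7, 10)
    # Legitimate exchange: client A asks on port 5, server ACKs via trusted port 1.
    handle_dhcp(sw, DhcpPacket(DHCPREQUEST, CLIENT_A, "0.0.0.0"), 5, 10)
    out["ack"] = handle_dhcp(sw, DhcpPacket(DHCPACK, CLIENT_A, "10.0.10.20"), 1, 10)
    out["binding"] = sw.bindings[(10, CLIENT_A)]
    out["arp_a"] = handle_arp(sw, ArpPacket(CLIENT_A, "10.0.10.20"), 5, 10)
    # Client B holds a long lease and has not renewed since snooping was enabled:
    # no binding exists, so ARP inspection drops its ARP (the concern raised above).
    out["arp_b"] = handle_arp(sw, ArpPacket(CLIENT_B, "10.0.10.30"), 6, 10)
    # A's MAC claiming the gateway's IP mismatches the binding and is dropped.
    out["arp_spoof"] = handle_arp(sw, ArpPacket(CLIENT_A, "10.0.10.1"), 5, 10)
    # A static binding for B restores its ARP until its lease is renewed.
    sw.bindings[(10, CLIENT_B)] = Binding(CLIENT_B, "10.0.10.30", 10, 6)
    out["arp_b_after_static"] = handle_arp(sw, ArpPacket(CLIENT_B, "10.0.10.30"), 6, 10)
    # A VLAN without ARP inspection is never filtered.
    out["arp_vlan20"] = handle_arp(sw, ArpPacket(CLIENT_B, "10.0.20.30"), 6, 20)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The model shows why the two features are normally configured with the same trusted ports and VLAN list: the table ARP inspection consults is the one DHCP snooping fills, and hosts that have not renewed a lease since snooping started only appear after a renewal or a static entry.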

  • Zyxel_Derrick Zyxel Official Agent Posts: 52 mod

    Hi @imaohw


    Sorry for my mistake.

    I would like to clarify the issue is that after configuring DHCP snooping and enabling vlans, you can't see the table below, am I right?


    If yes, may I know what FW version you use? (4.30 patch 2 or ?)

    Also, could you PM me your config?

    Then we can have a better understanding of the problem you have encountered.

    Thanks


    Zyxel_Derrick

  • imaohw Member Posts: 66 Ally Member

    @Zyxel_Derrick - In looking into the issue further I noticed that the date/time on the XGS3700 was wrong. For some reason the switch could no longer reach the configured NTP server.

    Using the Diagnostic menu option I tried to ping the NTP server, and that didn't work. Next I tried to ping the USG1100, which acts as the gateway, and that didn't work. In fact the XGS3700 could no longer ping any devices on the LAN or WAN.

    Devices connected to the XGS3700 were still passing traffic and they could ping other devices on the LAN and WAN.

    Fortunately it was late at night so I decided to reboot the XGS3700. That fixed the ping and time issue. In addition, the IP Source Guard binding table started to populate.

    I'm not sure what was wrong. I am running firmware V4.30(AAGC.2). I will monitor and report back if the issue reappears.
