XGS3700 - problem with IP Source Guard
I have 3 XGS3700 switches in a stack running v4.30 firmware. I had the need to setup IP Source Guard to perform DHCP Snooping to eliminate the possibility of unauthorized DHCP servers on the network.
I have 8 VLANs configured on the XGS3700. A USG1100 provides DHCP services to each VLAN (through separately defined DHCP servers).
After configuring DHCP Snooping, setting up a TFTP server, trusting the switch ports which have authorized DHCP servers connected to them, and enabling each of the 8 VLANs for DHCP Snooping, everything seems to work except that there are no entries in the IP Source Guard table of IPs and corresponding MAC addresses.
I have tried to view the table through the web UI and through the CLI. There are also no entries in the DHCP Snooping "database" on the TFTP server.
Client devices can get IP addresses from the DHCP servers. If I set the ports to Untrusted the client devices cannot get IP addresses. However nothing I have tried puts entries in the DHCP table other than static binding entries.
What am I doing wrong?
Accepted Solution
-
Hi @imaohw
Glad to hear the good news!!
It seems like the management interface is still reachable when the issue happens.
If the issue reappears, please download the tech support and PM me for further investigation.
Thanks
Zyxel_Derrick5
All Replies
-
Hi @imaohw
Please try to enable ARP inspection at the same time, and then you will see the binding table appear.
To enable ARP inspection, remember to set the trust ports the same as for DHCP snooping and enable the 8 VLANs you have.
If there is any other question, please let us know
Thanks
Zyxel_Derrick
0 -
@Zyxel_Derrick - If I enable ARP inspection and the binding table is not fully built (some of my subnets have long DHCP lease times), don't I risk blocking ARP packets?
I had hoped to review the binding table created by DHCP Snooping before enabling ARP inspection.
Is the XGS3700 supposed to display the binding table without enabling ARP inspection? Is this a bug?
0 -
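The concern in the post above, that Dynamic ARP Inspection (DAI) drops ARP from any host on an untrusted port that has no entry in the snooping binding table, can be checked before the feature is switched on. The script below is an added example and not Zyxel code or any switch's export format: it models the DAI decision (trusted ports bypass inspection; untrusted ports require a sender MAC/IP pair bound in the same VLAN) and runs every active DHCP lease through it to list the hosts a premature enable would cut off. The binding-table layout, the lease list and the trusted-port set are all constructed sample data.

```python
"""Model DAI verdicts against a DHCP-snooping binding table and report which
active DHCP clients would be blocked if ARP inspection were enabled now.

Added example; the 'MAC IP VLAN PORT' table and the lease tuples are
constructed for this script and are not the XGS3700's real export format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC for comparisons."""
    return mac.lower().replace("-", ":")


def parse_bindings(text: str) -> List[Binding]:
    """Parse the constructed 'MAC IP VLAN PORT' table, one entry per line."""
    out: List[Binding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, vlan, port = line.split()
        out.append(Binding(norm_mac(mac), ip, int(vlan), int(port)))
    return out


def dai_verdict(sender_mac: str, sender_ip: str, vlan: int, port: int,
                trusted_ports: Set[int], bindings: Iterable[Binding]) -> str:
    """'permit' or 'drop' for an ARP seen on (vlan, port).

    Trusted ports (uplinks to the DHCP server) are never inspected. On an
    untrusted port the sender MAC/IP pair must match a binding learned in
    the same VLAN; a binding from another VLAN does not count.
    """
    if port in trusted_ports:
        return "permit"
    want = norm_mac(sender_mac)
    for b in bindings:
        if b.vlan == vlan and b.mac == want and b.ip == sender_ip:
            return "permit"
    return "drop"


def coverage_report(leases: Iterable[Tuple[str, str, int, int]],
                    bindings: Iterable[Binding],
                    trusted_ports: Set[int]) -> List[Tuple[str, str, int, int]]:
    """Return the (mac, ip, vlan, port) leases whose ARP DAI would drop.

    These are hosts with a live lease but no binding yet, typically clients
    on long leases that have not renewed since snooping was enabled.
    """
    bindings = list(bindings)
    blocked = []
    for mac, ip, vlan, port in leases:
        if dai_verdict(mac, ip, vlan, port, trusted_ports, bindings) == "drop":
            blocked.append((norm_mac(mac), ip, vlan, port))
    return blocked


# Constructed sample data (not from the thread or the switch).
BINDING_TABLE = """
# mac               ip          vlan port
00:11:22:33:44:01   10.10.1.20  10   3
00:11:22:33:44:02   10.10.2.20  20   5
"""
BINDINGS = parse_bindings(BINDING_TABLE)
TRUSTED_PORTS = {1, 2}  # assumed uplinks towards the USG1100 DHCP server
ACTIVE_LEASES = [
    ("00-11-22-33-44-01", "10.10.1.20", 10, 3),  # bound, different MAC spelling
    ("00:11:22:33:44:02", "10.10.2.20", 20, 5),  # bound
    ("00:11:22:33:44:03", "10.10.3.20", 30, 7),  # long lease, not yet rebound
    ("00:11:22:33:44:04", "10.10.1.21", 10, 1),  # hangs off a trusted port
]

if __name__ == "__main__":
    for host in coverage_report(ACTIVE_LEASES, BINDINGS, TRUSTED_PORTS):
        print("would be dropped by DAI:", host)
    # A spoofed reply claiming a bound IP from another MAC is dropped too.
    print(dai_verdict("aa:bb:cc:dd:ee:ff", "10.10.1.20", 10, 9,
                      TRUSTED_PORTS, BINDINGS))
```

Running the report against the real binding table and the USG1100's lease list is the check the poster wanted: if it returns an empty list, every active client has a binding and ARP inspection can be enabled without cutting anyone off; otherwise either wait for those leases to renew or add static bindings for them first.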
Hi @imaohw
Sorry for my mistake
I would like to clarify: the issue is that after configuring DHCP snooping and enabling the VLANs, you can't see the table below, am I right?
If yes, may I know what FW version you use? (4.30 patch 2 or ?)
Also, could you PM me your config?
That way we can have a better understanding of the problem you have encountered.
Thanks
Zyxel_Derrick
0 -
@Zyxel_Derrick - In looking into the issue further I noticed that the date/time on the XGS3700 was wrong. For some reason the switch could no longer reach the configured NTP server.
Using the Diagnostic menu option I tried to ping the NTP server, and that didn't work. Next I tried to ping the USG1100, which acts as the gateway, and that didn't work either. In fact the XGS3700 could no longer ping any devices on the LAN or WAN.
Devices connected to the XGS3700 were still passing traffic, and they could ping other devices on the LAN and WAN.
Fortunately it was late at night so I decided to reboot the XGS3700. That fixed the ping and time issue. In addition, the IP Source Guard binding table started to populate.
I'm not sure what was wrong. I am running firmware V4.30(AAGC.2). I will monitor and report back if the issue reappears.