Author Topic: Nortel/Avaya DHCP Snooping limitation? (Multiple IP per MAC)  (Read 1140 times)

gryd3
Nortel/Avaya DHCP Snooping limitation? (Multiple IP per MAC)
« on: December 31, 2016, 03:18:21 PM »
I've been reading various sources to learn the ins and outs of DAI, ARP inspection and IPSG, including the blog entry on michaelfmcnamara.com
'dhcp-snooping-arp-inspection-ip-source-guard'

I am currently attempting this change on a 5520-48T-PWR running 6.0.0.18 and have succeeded for the most part, but hit a snag.
I'm modifying an existing installation, so I've been manually entering DHCP binding information for various hosts:
ip dhcp-snooping binding 1000 <Device MAC> ip <Address> port 28

The problem I am having is that I've come across one machine in particular that has multiple IP addresses statically assigned to it, and I'm unsure how I can proceed. The machine in question is a 'customer' machine and all of the IP addresses are assigned to the same NIC. I cannot access this machine to make any alterations.
I cannot create more than one entry per MAC address in the CLI or EDM, and am hoping someone here can point me in the right direction to find a work-around or solution that will allow me to use DAI and IPSG on a port that is connected to a single machine with over 15 IP addresses.
(I would happily settle to get Dynamic ARP Inspection without IPSG on this particular machine)
« Last Edit: December 31, 2016, 05:16:34 PM by gryd3 »


gryd3
Re: Nortel/Avaya DHCP Snooping limitation? (Multiple IP per MAC)
« Reply #1 on: January 07, 2017, 02:11:08 AM »
I feel a little better about myself knowing someone didn't pop in right away with an answer xD

The goal I have in setting this up is to prevent users from arbitrarily grabbing/using IP addresses that I have not assigned or authorised.
If there is another option that I can deploy with the Nortel/Avaya switches, I would love to hear it.
I'm also curious about other solutions people have employed.

TankII
Re: Nortel/Avaya DHCP Snooping limitation? (Multiple IP per MAC)
« Reply #2 on: January 11, 2017, 05:07:27 PM »
If you configure your DHCP server correctly, it will check for used IP addresses first and prevent a duplicate. In Windows Server 2008, it is NOT on by default.
Infoblox and other solutions have this enabled by default.

gryd3
Re: Nortel/Avaya DHCP Snooping limitation? (Multiple IP per MAC)
« Reply #3 on: January 12, 2017, 01:33:43 PM »
Thank you for the tip for Infoblox, I'll take a look.
I'm certain that IP Source Guard, Dynamic ARP Inspection, and DHCP Snooping are all I need for most of my servers, but the issue I have come across is a machine that has numerous IP addresses statically assigned to itself.
In other situations, I can manually enter a MAC & IP address pair in the DHCP Snooping lease table... but my issue is that I can only enter a single IP address for any given MAC address :s

So... the question is, how do I use these technologies but allow servers to use more than one IP address on a single Network Interface?
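
The limitation discussed in this thread, as a simplified model added here for illustration (not code from any poster and not Avaya/Nortel software): it shows why a binding table that accepts only one entry per MAC makes Dynamic ARP Inspection drop ARP from a host's additional static addresses. The class names, the table layouts and the sample MAC/IP values are assumptions; 1000 and 28 are taken from the binding command quoted in the first post, with 1000 treated as the VLAN ID.

```python
# Simplified model of Dynamic ARP Inspection (DAI) on an untrusted port.
# Not Avaya/Nortel code: the table layouts and names below are assumptions.
from collections import namedtuple

Arp = namedtuple("Arp", "vlan port sender_mac sender_ip")
Binding = namedtuple("Binding", "vlan port mac ip")


class SingleIpPerMacTable:
    """Binding table keyed on (vlan, mac): a second IP for the same MAC is refused."""

    def __init__(self):
        self._rows = {}

    def add(self, b):
        key = (b.vlan, b.mac)
        if key in self._rows:
            return False  # models the "one entry per MAC" refusal described in the thread
        self._rows[key] = b
        return True

    def permits(self, arp):
        row = self._rows.get((arp.vlan, arp.sender_mac))
        return row is not None and (row.ip, row.port) == (arp.sender_ip, arp.port)


class MultiIpPerMacTable(SingleIpPerMacTable):
    """Hypothetical alternative keyed on (vlan, mac, ip), so one NIC may own many IPs."""

    def add(self, b):
        self._rows[(b.vlan, b.mac, b.ip)] = b
        return True

    def permits(self, arp):
        row = self._rows.get((arp.vlan, arp.sender_mac, arp.sender_ip))
        return row is not None and row.port == arp.port


def inspect(table, bindings, arps):
    """Load static bindings, then return the DAI verdict for each ARP packet."""
    for b in bindings:
        table.add(b)
    return ["forward" if table.permits(a) else "drop" for a in arps]


# Constructed sample data: one host on port 28 with two static IPs, plus an unassigned IP.
MAC = "00:11:22:33:44:55"
BINDINGS = [Binding(1000, 28, MAC, "192.0.2.10"), Binding(1000, 28, MAC, "192.0.2.11")]
ARPS = [Arp(1000, 28, MAC, "192.0.2.10"), Arp(1000, 28, MAC, "192.0.2.11"),
        Arp(1000, 28, MAC, "192.0.2.99")]
```

Running `inspect()` with each table over the same constructed packets shows the difference: the per-MAC table forwards only the first address, while the per-(MAC, IP) table forwards both assigned addresses and still drops the unassigned one.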