
HP Procurve 2920 ARP-PROTECT Issue

 
Mondher
Occasional Contributor


Hi All,

I am new to HP switches; we have just bought 5 HP switches. For now I am working only on the RDC switch, because when I activate arp-protect the network goes down.
I have an issue configuring ARP-PROTECT and DHCP-snooping. When I enable those features, the network goes down, or I can still sniff traffic and see everything (I'm using Cain to sniff traffic).

 

***RDC Access Switch config*****

J9782A Configuration Editor; Created on release #YB.15.17.0008
; Ver #07:c3.84.9c.63.ff.37.27:50
hostname "ACCESS_RC"
console idle-timeout 600
dhcp-snooping
dhcp-snooping authorized-server 192.168.10.120
dhcp-snooping authorized-server 192.168.10.130
dhcp-snooping authorized-server 192.168.10.150
dhcp-snooping authorized-server 192.168.10.160
dhcp-snooping vlan 1 10 20 30 100 254 300
logging 192.168.10.250
timesync sntp
sntp unicast
sntp 60
sntp server priority 1 192.168.10.251
no stack
no telnet-server
time daylight-time-rule user-defined begin-date 04/01 end-date 10/01
no web-management
web-management ssl
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.10.0 255.255.255.0 access manager
ip default-gateway 192.168.254.254
ip ssh filetransfer
interface 25
dhcp-snooping trust
arp-protect trust
exit
snmp-server community "public"
snmp-server community "*******************"
snmp-server host 192.168.10.125 community "****************" trap-level all
snmp-server host 192.168.10.59 community "public" trap-level all
snmp-server host 192.168.10.60 community "***********" trap-level all
snmpv3 enable
snmpv3 restricted-access
snmpv3 user "initial"
snmpv3 user "initialsha"
vlan 1
name "DEFAULT_VLAN"
no untagged 1-24
 untagged 26-28
tagged 25
no ip address
exit
vlan 10
name "User_Standard"
tagged 25
no ip address
exit
vlan 20
name "User_Direction"
untagged 2-22,24
tagged 25
no ip address
exit
vlan 30
name "User_IT"
tagged 25
no ip address
exit
vlan 100
name "Serveurs"
untagged 23
tagged 25
no ip address
exit
vlan 254
name "Management"
untagged 1
tagged 25
ip address 192.168.254.100 255.255.255.0
exit
vlan 300
name "Guest_Wlan"
tagged 25
no ip address
exit
spanning-tree
spanning-tree 1 bpdu-protection
spanning-tree 2 bpdu-protection
spanning-tree 3 bpdu-protection
spanning-tree 4 bpdu-protection
spanning-tree 5 bpdu-protection
spanning-tree 6 bpdu-protection
spanning-tree 7 bpdu-protection
spanning-tree 8 bpdu-protection
spanning-tree 9 bpdu-protection
spanning-tree 10 bpdu-protection
spanning-tree 11 bpdu-protection
spanning-tree 12 bpdu-protection
spanning-tree 13 bpdu-protection
spanning-tree 14 bpdu-protection
spanning-tree 15 bpdu-protection
spanning-tree 16 bpdu-protection
spanning-tree 17 bpdu-protection
spanning-tree 18 bpdu-protection
spanning-tree 19 bpdu-protection
spanning-tree 20 bpdu-protection
spanning-tree 21 bpdu-protection
spanning-tree 22 bpdu-protection
spanning-tree 23 bpdu-protection
spanning-tree 24 bpdu-protection
spanning-tree 26 bpdu-protection
spanning-tree 27 bpdu-protection
spanning-tree 28 bpdu-protection
spanning-tree force-version rstp-operation
no tftp client
no tftp server
arp-protect
arp-protect vlan 1 10 20 30 100 300
no dhcp config-file-update
no dhcp image-file-update

password manager
password operator

 

***DHCP Snooping Information****

DHCP Snooping : Yes
Enabled VLANs : 1 10 20 30 100 254 300 (all vlans)
Verify MAC address : Yes
Option 82 untrusted policy : drop
Option 82 insertion : Yes
Option 82 remote-id : mac
Store lease database : Not configured

Authorized Servers
------------------
192.168.10.120
192.168.10.130
192.168.10.150
192.168.10.160

Max Current Bindings
Port Trust Bindings Static Dynamic
----- ----- -------- ----------------
25 Yes - - -

Ports 1-24,26-28 are untrusted



**ARP Protection Information**

ARP Protection Enabled : Yes
Protected Vlans : 1 10 20 30 100 300 (all vlans)
Validate :

Port Trust
----- -----
25 Yes

Ports 1-24,26-28 are untrusted

 

 

**** Federateur (core) switch configs *** the core switches are two HP 2920s

hpStack_WB Configuration Editor; Created on release #WB.15.18.0006

stacking
member 1 type "J9726A" mac-address ************
member 2 type "J9726A" mac-address ************
exit
hostname "SW_Federateur"
console idle-timeout 3600
dhcp-snooping
dhcp-snooping authorized-server 192.168.10.120
dhcp-snooping authorized-server 192.168.10.130
dhcp-snooping authorized-server 192.168.10.150
dhcp-snooping authorized-server 192.168.10.160
dhcp-snooping vlan 1 10 20 30 100 300
trunk 1/24,2/24 trk1 lacp
trunk 1/23,2/23 trk2 lacp
trunk 1/15,1/17 trk3 lacp
logging 192.168.10.250
timesync sntp
sntp unicast
sntp 60
sntp server priority 1 192.168.10.251
no telnet-server
no web-management
web-management ssl
ip access-list extended "111"
10 deny icmp 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 8
20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.10.0 255.255.255.0 access manager
ip default-gateway 192.168.10.199
ip ssh filetransfer
ip route 0.0.0.0 0.0.0.0 192.168.10.199
ip routing
interface 1/21
dhcp-snooping trust
arp-protect trust
exit
snmp-server community "*************"
snmp-server host 192.168.10.125 community "********************" trap-level all
snmp-server host 192.168.10.60 community "************" trap-level all
snmpv3 enable
snmpv3 restricted-access
snmpv3 user "initial"
snmpv3 user "initialsha"
oobm
ip address dhcp-bootp
member 1
ip address dhcp-bootp
exit
member 2
ip address dhcp-bootp
exit
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1/1-1/14,1/16,1/18-1/20,1/22,2/1-2/22,Trk3
untagged 1/A1-1/A2,1/B1-1/B2,2/A1-2/A2,2/B1-2/B2
tagged 1/21,Trk1-Trk2
no ip address
exit
vlan 10
name "User_Standard"
tagged 1/21,Trk1-Trk2
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.10.130
ip helper-address 192.168.10.120
ip helper-address 192.168.10.140
exit
vlan 20
name "User_Direction"
untagged 2/11
tagged 1/21,Trk1-Trk2
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.10.130
ip helper-address 192.168.10.120
ip helper-address 192.168.10.140
exit
vlan 30
name "User_IT"
tagged 1/21,Trk1-Trk2
ip address 192.168.3.1 255.255.255.0
ip helper-address 192.168.10.130
ip helper-address 192.168.10.120
ip helper-address 192.168.10.140
exit
vlan 55
name "BCT"
tagged 1/19
ip address 10.2.55.1 255.255.255.0
exit
vlan 100
name "Serveurs"
untagged 1/2-1/14,1/16,1/18,1/22,2/1-2/10,2/12-2/18,2/21-2/22,Trk3
tagged 1/21,Trk1-Trk2
ip address 192.168.10.200 255.255.255.0
exit
vlan 110
name "Live_Migration"
untagged 1/19-1/20
no ip address
exit
vlan 120
name "Pulsation"
untagged 2/19-2/20
no ip address
exit
vlan 251
name "DMZ1"
no ip address
exit
vlan 252
name "DMZ2"
no ip address
exit
vlan 254
name "Management"
untagged 1/1
tagged 1/21,Trk1-Trk2
ip address 192.168.254.254 255.255.255.0
exit
vlan 255
name "Vlan_Routage"
ip address 192.168.255.1 255.255.255.0
exit
vlan 300
name "Guest_Wlan"
tagged 1/21,Trk1-Trk2
no ip address
exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
no tftp client
no tftp server
arp-protect
arp-protect validate dest-mac
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
dhcp-relay
dhcp-server
dhcp-snooping


*****DHCP Snooping Information*****

DHCP Snooping : Yes
Enabled VLANs :  (All vlans)

Verify MAC address : Yes
Option 82 untrusted policy : drop
Option 82 insertion : Yes
Option 82 remote-id : mac
Store lease database : Not configured

Authorized Servers
------------------
192.168.10.120
192.168.10.130
192.168.10.150
192.168.10.160

Max Current Bindings
Port Trust Bindings Static Dynamic
----- ----- -------- ----------------
Ports 1/1-1/14,1/16,1/18-1/20,1/22,2/1-2/22,Trk1-Trk3 are untrusted


*****ARP Protection Information********

ARP Protection Enabled : Yes
Protected Vlans : All vlans
Validate : dest-mac

Port Trust
----- -----
1/21 Yes

Ports 1/1-1/14,1/16,1/18-1/20,1/22,2/1-2/22,Trk1-Trk3 are untrusted

 

 

Thanks

Best Regards
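
An added example, not part of the original post: DHCP snooping and ARP protection only filter traffic arriving on untrusted ports, so a quick audit of configs like the ones above is to list ports that are tagged in two or more VLANs but lack one or both trust commands. The helper names and the "tagged in 2+ VLANs means inter-switch link" heuristic are assumptions of this sketch; the sample is an excerpt of the posted core-switch config.

```python
import re
from collections import defaultdict

# Excerpt of the core-switch config posted above (names and IP lines omitted).
SAMPLE = """\
interface 1/21
dhcp-snooping trust
arp-protect trust
exit
vlan 10
tagged 1/21,Trk1-Trk2
exit
vlan 20
tagged 1/21,Trk1-Trk2
exit
"""
TRUST = ("dhcp-snooping trust", "arp-protect trust")

def expand(spec):
    """Expand a port list such as '1/21,Trk1-Trk2' or '2-22,24'."""
    ports = []
    for item in spec.split(","):
        m = re.fullmatch(r"(.*?)(\d+)-\1(\d+)", item.strip())
        if m:  # range whose two ends share a prefix ('', '1/', 'Trk', ...)
            ports += [f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)]
        else:
            ports.append(item.strip())
    return ports

def untrusted_uplinks(config):
    """Return {port: [missing trust commands]} for ports tagged in 2+ VLANs."""
    trusted = defaultdict(set)   # port -> trust commands seen on it
    vlans = defaultdict(set)     # port -> VLANs it is tagged in
    ctx = None                   # current ('interface' | 'vlan', argument) block
    for line in map(str.strip, config.splitlines()):
        m = re.fullmatch(r"(interface|vlan) (\S+)", line)
        if m:
            ctx = m.groups()
        elif line == "exit":
            ctx = None
        elif ctx and ctx[0] == "interface" and line in TRUST:
            for p in expand(ctx[1]):
                trusted[p].add(line)
        elif ctx and ctx[0] == "vlan" and line.startswith("tagged "):
            for p in expand(line.split(None, 1)[1]):
                vlans[p].add(ctx[1])
    # Heuristic (assumption): a port tagged in several VLANs is an uplink.
    return {p: [c for c in TRUST if c not in trusted[p]]
            for p in sorted(vlans)
            if len(vlans[p]) >= 2 and not trusted[p] >= set(TRUST)}
```

On the excerpt it reports Trk1 and Trk2, which matches the untrusted-port lines in the posted `show` output for the core stack.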