HP Procurve 2920 ARP-PROTECT Issue

  • 1.  HP Procurve 2920 ARP-PROTECT Issue

    Posted Jul 07, 2017 06:06 AM

     

    Hi All,

    I am new to HP switches; we have just bought 5 HP switches. For now I am working only on the RDC switch, because when I activate arp-protect the network goes down.
    I have an issue configuring ARP-PROTECT and DHCP-snooping. When I enable those features, the network goes down, or I can still sniff traffic and see everything (I'm using Cain to sniff traffic).

     

    ***RDC Access Switch config*****

    J9782A Configuration Editor; Created on release #YB.15.17.0008
    ; Ver #07:c3.84.9c.63.ff.37.27:50
    hostname "ACCESS_RC"
    console idle-timeout 600
    dhcp-snooping
    dhcp-snooping authorized-server 192.168.10.120
    dhcp-snooping authorized-server 192.168.10.130
    dhcp-snooping authorized-server 192.168.10.150
    dhcp-snooping authorized-server 192.168.10.160
    dhcp-snooping vlan 1 10 20 30 100 254 300
    logging 192.168.10.250
    timesync sntp
    sntp unicast
    sntp 60
    sntp server priority 1 192.168.10.251
    no stack
    no telnet-server
    time daylight-time-rule user-defined begin-date 04/01 end-date 10/01
    no web-management
    web-management ssl
    ip authorized-managers 192.168.2.0 255.255.255.0 access manager
    ip authorized-managers 192.168.10.0 255.255.255.0 access manager
    ip default-gateway 192.168.254.254
    ip ssh filetransfer
    interface 25
    dhcp-snooping trust
    arp-protect trust
    exit
    snmp-server community "public"
    snmp-server community "*******************"
    snmp-server host 192.168.10.125 community "****************" trap-level all
    snmp-server host 192.168.10.59 community "public" trap-level all
    snmp-server host 192.168.10.60 community "***********" trap-level all
    snmpv3 enable
    snmpv3 restricted-access
    snmpv3 user "initial"
    snmpv3 user "initialsha"
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-24
     untagged 26-28
    tagged 25
    no ip address
    exit
    vlan 10
    name "User_Standard"
    tagged 25
    no ip address
    exit
    vlan 20
    name "User_Direction"
    untagged 2-22,24
    tagged 25
    no ip address
    exit
    vlan 30
    name "User_IT"
    tagged 25
    no ip address
    exit
    vlan 100
    name "Serveurs"
    untagged 23
    tagged 25
    no ip address
    exit
    vlan 254
    name "Management"
    untagged 1
    tagged 25
    ip address 192.168.254.100 255.255.255.0
    exit
    vlan 300
    name "Guest_Wlan"
    tagged 25
    no ip address
    exit
    spanning-tree
    spanning-tree 1 bpdu-protection
    spanning-tree 2 bpdu-protection
    spanning-tree 3 bpdu-protection
    spanning-tree 4 bpdu-protection
    spanning-tree 5 bpdu-protection
    spanning-tree 6 bpdu-protection
    spanning-tree 7 bpdu-protection
    spanning-tree 8 bpdu-protection
    spanning-tree 9 bpdu-protection
    spanning-tree 10 bpdu-protection
    spanning-tree 11 bpdu-protection
    spanning-tree 12 bpdu-protection
    spanning-tree 13 bpdu-protection
    spanning-tree 14 bpdu-protection
    spanning-tree 15 bpdu-protection
    spanning-tree 16 bpdu-protection
    spanning-tree 17 bpdu-protection
    spanning-tree 18 bpdu-protection
    spanning-tree 19 bpdu-protection
    spanning-tree 20 bpdu-protection
    spanning-tree 21 bpdu-protection
    spanning-tree 22 bpdu-protection
    spanning-tree 23 bpdu-protection
    spanning-tree 24 bpdu-protection
    spanning-tree 26 bpdu-protection
    spanning-tree 27 bpdu-protection
    spanning-tree 28 bpdu-protection
    spanning-tree force-version rstp-operation
    no tftp client
    no tftp server
    arp-protect
    arp-protect vlan 1 10 20 30 100 300
    no dhcp config-file-update
    no dhcp image-file-update

    password manager
    password operator

     

    ***DHCP Snooping Information****

    DHCP Snooping : Yes
    Enabled VLANs : 1 10 20 30 100 254 300 (all vlans)
    Verify MAC address : Yes
    Option 82 untrusted policy : drop
    Option 82 insertion : Yes
    Option 82 remote-id : mac
    Store lease database : Not configured

    Authorized Servers
    ------------------
    192.168.10.120
    192.168.10.130
    192.168.10.150
    192.168.10.160

    Max Current Bindings
    Port Trust Bindings Static Dynamic
    ----- ----- -------- ----------------
    25 Yes - - -

    Ports 1-24,26-28 are untrusted



    **ARP Protection Information**

    ARP Protection Enabled : Yes
    Protected Vlans : 1 10 20 30 100 300 (all vlans)
    Validate :

    Port Trust
    ----- -----
    25 Yes

    Ports 1-24,26-28 are untrusted

     

     

    **** Federateur switch configs *** the federateur (core) switches are two HP 2920s

    hpStack_WB Configuration Editor; Created on release #WB.15.18.0006

    stacking
    member 1 type "J9726A" mac-address ************
    member 2 type "J9726A" mac-address ************
    exit
    hostname "SW_Federateur"
    console idle-timeout 3600
    dhcp-snooping
    dhcp-snooping authorized-server 192.168.10.120
    dhcp-snooping authorized-server 192.168.10.130
    dhcp-snooping authorized-server 192.168.10.150
    dhcp-snooping authorized-server 192.168.10.160
    dhcp-snooping vlan 1 10 20 30 100 300
    trunk 1/24,2/24 trk1 lacp
    trunk 1/23,2/23 trk2 lacp
    trunk 1/15,1/17 trk3 lacp
    logging 192.168.10.250
    timesync sntp
    sntp unicast
    sntp 60
    sntp server priority 1 192.168.10.251
    no telnet-server
    no web-management
    web-management ssl
    ip access-list extended "111"
    10 deny icmp 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 8
    20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    ip authorized-managers 192.168.2.0 255.255.255.0 access manager
    ip authorized-managers 192.168.10.0 255.255.255.0 access manager
    ip default-gateway 192.168.10.199
    ip ssh filetransfer
    ip route 0.0.0.0 0.0.0.0 192.168.10.199
    ip routing
    interface 1/21
    dhcp-snooping trust
    arp-protect trust
    exit
    snmp-server community "*************"
    snmp-server host 192.168.10.125 community "********************" trap-level all
    snmp-server host 192.168.10.60 community "************" trap-level all
    snmpv3 enable
    snmpv3 restricted-access
    snmpv3 user "initial"
    snmpv3 user "initialsha"
    oobm
    ip address dhcp-bootp
    member 1
    ip address dhcp-bootp
    exit
    member 2
    ip address dhcp-bootp
    exit
    exit
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1/1-1/14,1/16,1/18-1/20,1/22,2/1-2/22,Trk3
    untagged 1/A1-1/A2,1/B1-1/B2,2/A1-2/A2,2/B1-2/B2
    tagged 1/21,Trk1-Trk2
    no ip address
    exit
    vlan 10
    name "User_Standard"
    tagged 1/21,Trk1-Trk2
    ip address 192.168.1.1 255.255.255.0
    ip helper-address 192.168.10.130
    ip helper-address 192.168.10.120
    ip helper-address 192.168.10.140
    exit
    vlan 20
    name "User_Direction"
    untagged 2/11
    tagged 1/21,Trk1-Trk2
    ip address 192.168.2.1 255.255.255.0
    ip helper-address 192.168.10.130
    ip helper-address 192.168.10.120
    ip helper-address 192.168.10.140
    exit
    vlan 30
    name "User_IT"
    tagged 1/21,Trk1-Trk2
    ip address 192.168.3.1 255.255.255.0
    ip helper-address 192.168.10.130
    ip helper-address 192.168.10.120
    ip helper-address 192.168.10.140
    exit
    vlan 55
    name "BCT"
    tagged 1/19
    ip address 10.2.55.1 255.255.255.0
    exit
    vlan 100
    name "Serveurs"
    untagged 1/2-1/14,1/16,1/18,1/22,2/1-2/10,2/12-2/18,2/21-2/22,Trk3
    tagged 1/21,Trk1-Trk2
    ip address 192.168.10.200 255.255.255.0
    exit
    vlan 110
    name "Live_Migration"
    untagged 1/19-1/20
    no ip address
    exit
    vlan 120
    name "Pulsation"
    untagged 2/19-2/20
    no ip address
    exit
    vlan 251
    name "DMZ1"
    no ip address
    exit
    vlan 252
    name "DMZ2"
    no ip address
    exit
    vlan 254
    name "Management"
    untagged 1/1
    tagged 1/21,Trk1-Trk2
    ip address 192.168.254.254 255.255.255.0
    exit
    vlan 255
    name "Vlan_Routage"
    ip address 192.168.255.1 255.255.255.0
    exit
    vlan 300
    name "Guest_Wlan"
    tagged 1/21,Trk1-Trk2
    no ip address
    exit
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4
    spanning-tree Trk3 priority 4
    no tftp client
    no tftp server
    arp-protect
    arp-protect validate dest-mac
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    password manager
    password operator
    dhcp-relay
    dhcp-server
    dhcp-snooping


    *****DHCP Snooping Information*****

    DHCP Snooping : Yes
    Enabled VLANs :  (All vlans)

    Verify MAC address : Yes
    Option 82 untrusted policy : drop
    Option 82 insertion : Yes
    Option 82 remote-id : mac
    Store lease database : Not configured

    Authorized Servers
    ------------------
    192.168.10.120
    192.168.10.130
    192.168.10.150
    192.168.10.160

    Max Current Bindings
    Port Trust Bindings Static Dynamic
    ----- ----- -------- ----------------
    Ports 1/1-1/14,1/16,1/18-1/20,1/22,2/1-2/22,Trk1-Trk3 are untrusted


    *****ARP Protection Information********

    ARP Protection Enabled : Yes
    Protected Vlans : All vlans
    Validate : dest-mac

    Port Trust
    ----- -----
    1/21 Yes

    Ports 1/1-1/14,1/16,1/18-1/20,1/22,2/1-2/22,Trk1-Trk3 are untrusted

     

     

    Thanks

    Best Regards
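
An added example, not part of the original post and not HP tooling: a Python check that reads a ProCurve-style config like the ones above and lists two things to review when ARP protection cuts traffic, given that it validates ARP on untrusted ports against DHCP snooping bindings. It reports VLANs under `arp-protect` that `dhcp-snooping` does not cover, and tagged ports without both trust settings. Treating every tagged port as an inter-switch link is an assumption, and the sample config is constructed from the post.

```python
import re

# Constructed sample: condensed from the core switch config in the post; the
# "arp-protect vlan" line is constructed so the VLAN-coverage check fires.
SAMPLE = """
dhcp-snooping vlan 1 10 20 30 100 300
interface 1/21
dhcp-snooping trust
arp-protect trust
exit
vlan 10
tagged 1/21,Trk1-Trk2
exit
arp-protect vlan 10 254
"""

def expand(spec):  # '1/21,Trk1-Trk2' -> 1/21, Trk1, Trk2
    for item in spec.split(","):
        m = re.fullmatch(r"(.*?)(\d+)-.*?(\d+)", item)
        if m:
            yield from (f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1))
        else:
            yield item

def parse(config):
    st = {"dhcp-snooping": set(), "arp-protect": set(), "trust": {}, "tagged": set()}
    ctx = None  # ("interface", port) or ("vlan", vid) while inside a block
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] in ("interface", "vlan") and len(w) == 2:
            ctx = tuple(w)
        elif w[0] == "exit":
            ctx = None
        elif w[0] in ("dhcp-snooping", "arp-protect") and w[1:2] == ["vlan"]:
            st[w[0]].update(w[2:])  # global VLAN list for the feature
        elif ctx and ctx[0] == "interface" and w[1:] == ["trust"]:
            st["trust"].setdefault(ctx[1], set()).add(w[0])
        elif ctx and ctx[0] == "vlan" and w[0] == "tagged":
            st["tagged"].update(expand(w[1]))
    return st

def audit(config):
    st, out = parse(config), []
    for vlan in sorted(st["arp-protect"] - st["dhcp-snooping"], key=int):
        out.append(f"vlan {vlan}: arp-protect without dhcp-snooping")
    for port in sorted(st["tagged"]):
        missing = {"arp-protect", "dhcp-snooping"} - st["trust"].get(port, set())
        if missing:
            out.append(f"port {port}: tagged, no trust for {sorted(missing)}")
    return out
```
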