VSA RADIUS Support for DHCP Snooping and ARP Validation

RADIUS support for DHCP snooping and ARP validation allows users who are transitioning from Ethernet Routing Switch (ERS) to ExtremeXOS at the edge with Fabric Attach, and who use RADIUS, to dynamically configure port security through RADIUS VSA attributes. ExtremeXOS can provision the items that ERS switching currently supports through RADIUS VSA attributes. Dynamic configuration can be applied to the following VLAN settings:

The RADIUS user configuration attributes for VLAN settings can specify a single VLAN or a range of VLANs for each setting request. The RADIUS user configuration attributes, which request the settings, include:

This FA-Service-Request attribute contains the DHCP Snooping and ARP Validation enable status for a VLAN. When a new user is authenticated by netlogin, the DHCP Snooping and ARP Validation enable attributes are passed to netlogin. Netlogin processes the attribute and sends it to the IP Security module as "enable". If all users are unauthenticated by netlogin, a disable message for the VLAN is sent to IP Security. RADIUS configuration applies to both static and dynamic VLANs.

Whenever a DHCP Snooping or ARP Validation configuration is received from RADIUS, IP Security enables the feature on all the ports in the VLAN with the violation action "Drop-packet."

RADIUS Configuration Over ExtremeXOS CLI

RADIUS configuration takes precedence over ExtremeXOS CLI. Once RADIUS configuration is applied for a VLAN, any CLI command action (for example, disabling DHCP snooping for a port or changing the violation action) is ignored, but the configuration is saved. Once the RADIUS configuration is disabled, the CLI configuration is applied. The following tables summarize the various DHCP snooping configuration actions with respect to ExtremeXOS CLI and RADIUS configurations. The same configuration actions also apply to ARP Validation.

The following command equivalencies exist for RADIUS configurations received for a VLAN:

DHCPSNOOP:<vid> is equivalent to enable ip-security dhcp-snooping vlan default ports all violation-action drop-packet

DAI:<vid> is equivalent to enable ip-security arp validation Default ports all violation-action drop-packet

Table 1. EXOS CLI Configuration over RADIUS Configuration Actions

| ExtremeXOS CLI configuration | RADIUS configuration | Configuration action |
|---|---|---|
| Enable DHCP snooping for a VLAN and all VLAN ports with the violation action "None" | Enable DHCP snooping for a VLAN | DHCP snooping will be enabled for all VLAN ports with the violation action "Drop packet" |
| Enable DHCP snooping for a VLAN but not all ports | Enable DHCP snooping for a VLAN | DHCP snooping will be enabled for all VLAN ports with the violation action "Drop packet" |
| Disable DHCP snooping for a VLAN and all its ports | Enable DHCP snooping for a VLAN | DHCP snooping will be enabled for all VLAN ports with the violation action "Drop packet" |

Table 2. RADIUS Configuration over EXOS CLI Configuration Actions

| RADIUS configuration | ExtremeXOS CLI configuration | Configuration action |
|---|---|---|
| Enable DHCP snooping for a VLAN | Disable DHCP snooping for a VLAN and all its ports | DHCP snooping will be enabled for all VLAN ports with the violation action "Drop packet" |
| Enable DHCP snooping for a VLAN | Modify DHCP snoop violation action for VLAN to "port-block permanently" | DHCP snooping will be enabled for all VLAN ports with the violation action "Drop packet" |
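
The precedence rules and the two tables above can be checked against a small model. The following Python sketch is an added example, not ExtremeXOS code: the class, method names, port labels and user names are hypothetical, and it only mirrors the behaviour this page describes (RADIUS forces every VLAN port to drop-packet while at least one authenticated user requested it; CLI changes are saved and take effect once all users are unauthenticated).

```python
from dataclasses import dataclass, field

DROP_PACKET = "drop-packet"  # violation action RADIUS always applies


@dataclass
class PortCfg:
    enabled: bool = False
    action: str = "none"


@dataclass
class VlanSnooping:
    """Hypothetical model of DHCP snooping state for one VLAN.

    The same rules apply to ARP validation.
    """
    ports: tuple
    cli: dict = field(default_factory=dict)          # saved CLI config per port
    radius_users: set = field(default_factory=set)   # users whose VSA enabled the feature

    def __post_init__(self):
        for port in self.ports:
            self.cli.setdefault(port, PortCfg())

    def cli_set(self, port, enabled, action="none"):
        # CLI commands are always saved, even while RADIUS overrides them.
        self.cli[port] = PortCfg(enabled, action)

    def radius_auth(self, user):
        # netlogin authenticated a user whose attributes request the feature.
        self.radius_users.add(user)

    def radius_unauth(self, user):
        self.radius_users.discard(user)

    def effective(self):
        # RADIUS wins while any requesting user is still authenticated.
        if self.radius_users:
            return {p: PortCfg(True, DROP_PACKET) for p in self.ports}
        return dict(self.cli)


if __name__ == "__main__":
    vlan = VlanSnooping(ports=("1", "2"))          # constructed sample ports
    vlan.cli_set("1", True, "none")                # Table 1, row 2: not all ports
    vlan.radius_auth("alice")
    print("RADIUS active:", vlan.effective())
    vlan.cli_set("1", True, "port-block permanently")  # Table 2, row 2: ignored, saved
    print("CLI change ignored:", vlan.effective())
    vlan.radius_unauth("alice")
    print("RADIUS cleared:", vlan.effective())
```

When auditing a switch, the useful takeaway is that the saved CLI configuration alone does not tell you the enforced violation action while RADIUS-provisioned users are present on the VLAN.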