From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Mon Dec 10 2007 - 09:27:53 ART
Hi Group,
I've been working a bit on implementing some LAN switch security features
like port-security, DHCP snooping, Dynamic ARP Inspection, and IP Source
Guard, and I'm observing a behaviour that I'd like to correlate with any
of you who has had the same experience, eventually.
I have a single switch configured with DHCP snooping, DAI, IP Source
Guard and Port Security.
DHCP snooping is enabled on VLANs A, B, C, and so are IPSG and DAI.
Multicast will be enabled on vlans X and Y.
The multicast config is as simple as it gets: several VLAN interfaces
configured with PIM dense mode, with a source on one VLAN and a
listener on another VLAN. I do have IGMP snooping active.
None of the VLANs involved in multicast (X, Y) have the security
features enabled.
Anyway, we disable DHCP snooping globally with "no ip dhcp snooping"
and "no ip arp inspection".
Then I fire up a multicast stream between VLANs X and Y and I start
seeing the stream perfectly.
As soon as I turn on DHCP snooping (not on VLANs X and Y), the video
stream freezes.
The strange thing is that VLANs X and Y shouldn't be affected by
DHCP snooping... but they are...
Obviously, when I try to fire up a mcast stream between VLANs A and B,
with the security features in place, I never start to see the stream. As
soon as DHCP snooping is off, no problem...
Has anyone ever faced this issue? What was the workaround?
I'm thinking that internally the DHCP snooping process does not like to
have the CAM manipulated in order to forward the mcast traffic to the
proper receivers, but shouldn't there be a knob of some sort to allow
multicast traffic through the port?
Any help is appreciated.
Gustavo Novais
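For readers who want to reproduce the scenario described in the post, the following Cisco IOS configuration is an added example, not the poster's configuration: it reconstructs the setup the message describes (DHCP snooping, DAI and IP Source Guard limited to the access VLANs A, B, C; PIM dense mode and IGMP snooping for a multicast flow between VLANs X and Y). The VLAN numbers (A, B, C as 10, 20, 30; X, Y as 40, 50), interface names and IP addresses are assumptions chosen for illustration.

```cisco
! Added example: a reconstruction of the lab described in the post above.
! NOT the poster's own config. VLAN numbers, interface names and addresses
! are assumptions: A,B,C -> 10,20,30 (secured); X,Y -> 40,50 (multicast).
!
! --- Layer-2 security features, scoped to VLANs A, B, C only ---
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
ip arp inspection vlan 10,20,30
!
! Uplink towards the DHCP server: trusted for snooping and DAI, so that
! server replies and ARP from the rest of the network are not dropped.
interface GigabitEthernet1/0/48
 description uplink (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Typical access port in VLAN A: port-security plus IP Source Guard.
! "ip verify source" relies on the DHCP snooping binding table, so it only
! makes sense on a VLAN where snooping is enabled.
interface GigabitEthernet1/0/1
 description access port, VLAN A
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
!
! --- Multicast between VLANs X and Y; no snooping/DAI/IPSG on these ---
! On some Catalyst platforms (e.g. 3750) the "distributed" keyword is
! required: "ip multicast-routing distributed".
ip multicast-routing
ip igmp snooping
!
interface Vlan40
 description VLAN X, multicast source side
 ip address 10.40.0.1 255.255.255.0
 ip pim dense-mode
!
interface Vlan50
 description VLAN Y, multicast listener side
 ip address 10.50.0.1 255.255.255.0
 ip pim dense-mode
```

Before and after toggling the global "ip dhcp snooping" command, compare "show ip dhcp snooping" (it lists the VLANs on which snooping is actually operational) and "show ip arp inspection vlan 10" to confirm that VLANs 40 and 50 are not in scope, then "show ip igmp snooping groups", "show ip pim interface" and "show ip mroute" to see whether the (S,G) entry for the stream and its outgoing interface list towards Vlan50 survive the change. "show ip verify source" shows which ports have IP Source Guard active and on which VLAN. Capturing these outputs in both states gives something concrete to put in a TAC case or a follow-up to the list.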
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST