topic Re: How to Disable Static IP Source Guard in Endpoint Security

How to Disable Static IP Source Guard

Koki Satani — Thu, 08 Sep 2022 08:34:28 GMT

Hello.

We are trying to configure DHCP snooping and IP source guard on our L2SW to perform dynamic IP address inspection.

I have completed both configurations and the end node is able to get an address via DHCP.

However, normal communication seems to be blocked by L2SW unless I set the "ip device tracking maximum " command in interface configuration mode.

I am aware that this is the behavior of static IP source guard, but we only have dynamic IP source guard configured on each port.

Is it possible to get DHCP snooping and dynamic IP source guard to work without setting the "ip device tracking maximum" command?

Environment
Cisco Modeling Labs

L2SW -> IOSvL2 version 15.2

config

L2SW ! ip dhcp snooping vlan 103 no ip dhcp snooping information option ip dhcp snooping ! interface GigabitEthernet0/3 switchport access vlan 103 switchport mode access negotiation auto ip verify source !

Obviously, I have not explained it well enough. If you need any additional information, please feel free to ask.

Thank you in advance.

Re: How to Disable Static IP Source Guard

balaji.bandi — Thu, 08 Sep 2022 09:22:24 GMT

That should work with out that command.

If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp snooping trust interface configuration command.

end device PC or single device.

  ip verify source vlan dhcp-snooping

some reference guide :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swdhcp82.html#wp1078853

Re: How to Disable Static IP Source Guard

Koki Satani — Thu, 08 Sep 2022 09:27:31 GMT

Thanks for the reply.

I actually tried to type that command, but it seems to be unconfigurable.

Re: How to Disable Static IP Source Guard

MHM Cisco World — Thu, 08 Sep 2022 09:33:35 GMT

it work, without max command,
but let me check how can I solve this issue

Re: How to Disable Static IP Source Guard

Koki Satani — Thu, 08 Sep 2022 09:42:39 GMT

Thanks for the confirmation.

Below is more detailed information on the configuration I am using for verification.

・The L2SW is a floor switch and DHCP packets are relayed by the core switch on the uplink.

・DHCP snooping is set only on the floor switch.

・DHCP server is created by IOSv.

Re: How to Disable Static IP Source Guard

MHM Cisco World — Thu, 08 Sep 2022 11:36:38 GMT

there are two check
static which you need the below
""You must configure the ip device tracking maximum limit-number interface configuration command globally for IPSG for static hosts to work. If you only configure this command on a port without enabling IP device tracking globally or by setting an IP device tracking maximum on that interface, IPSG with static hosts rejects all the IP traffic from that interface.""

dynamic which depend on DHCP snooping (which you already run)
here you need to config ip verify source vlan dhcp snooping

I see you run static and that why you need max command

Re: How to Disable Static IP Source Guard

Martin L — Sat, 10 Sep 2022 01:36:53 GMT

note that CML image IOSvL2 version 15.2 may not support this feature even if commands are there !

not all features are supported by CML switch image, especially switch images; and some features could be tricky or misbehaving.

Regards, ML
**Please Rate All Helpful Responses **