How to Disable Static IP Source Guard

Koki Satani
Level 1

Hello.

We are trying to configure DHCP snooping and IP source guard on our L2SW to perform dynamic IP address inspection.

I have completed both configurations and the end node is able to get an address via DHCP.

However, normal communication seems to be blocked by the L2SW unless I set the "ip device tracking maximum" command in interface configuration mode.

I am aware that this is the behavior of static IP source guard, but we only have dynamic IP source guard configured on each port.

Is it possible to get DHCP snooping and dynamic IP source guard to work without setting the "ip device tracking maximum" command?

Environment
Cisco Modeling Labs

L2SW -> IOSvL2 version 15.2

config

L2SW
!
ip dhcp snooping vlan 103
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet0/3
switchport access vlan 103
switchport mode access
negotiation auto
ip verify source
!

Obviously, I have not explained it well enough. If you need any additional information, please feel free to ask.

Thank you in advance.

6 Replies

balaji.bandi
Hall of Fame

That should work without that command.

If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp snooping trust interface configuration command.

end device PC or single device.

  ip verify source vlan dhcp-snooping

Some reference guide:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swdhcp82.html#wp1078853

BB

***** Rate All Helpful Responses *****


Thanks for the reply.

I actually tried to type that command, but it seems to be unconfigurable.

KokiSatani_1-1662629240947.png


It works without the max command, but let me check how I can solve this issue.

Thanks for the confirmation.

Below is more detailed information on the configuration I am using for verification.

・The L2SW is a floor switch and DHCP packets are relayed by the core switch on the uplink.

・DHCP snooping is set only on the floor switch.

・DHCP server is created by IOSv.

There are two checks.

Static, for which you need the below:
"You must configure the ip device tracking maximum limit-number interface configuration command globally for IPSG for static hosts to work. If you only configure this command on a port without enabling IP device tracking globally or by setting an IP device tracking maximum on that interface, IPSG with static hosts rejects all the IP traffic from that interface."

Dynamic, which depends on DHCP snooping (which you already run).
Here you need to configure ip verify source vlan dhcp snooping.

I see you run static, and that is why you need the max command.

Martin L
VIP

Note that the CML image IOSvL2 version 15.2 may not support this feature even if the commands are there!

Not all features are supported by the CML switch image, especially switch images, and some features could be tricky or misbehaving.

Regards, ML
**Please Rate All Helpful Responses **
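
The prerequisites named in the replies above (DHCP snooping enabled globally and for the port's VLAN, a trusted port toward the DHCP server, and "ip device tracking maximum" for the static-host variant) can be checked offline against a saved configuration. The following Python is an added example, not part of the original thread or of any Cisco tool; the function names, the constructed sample config and its uplink GigabitEthernet0/0 are assumptions.

```python
import re

# Constructed sample: L2SW snippet from the question plus a hypothetical uplink Gi0/0.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 103
ip dhcp snooping
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/3
switchport access vlan 103
ip verify source
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,100-103' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_ipsg(config):
    """Report missing prerequisites for DHCP-snooping-based IP source guard."""
    glob, ports, cur = [], {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            cur = None            # "!" closes an interface block
        else:
            (glob if cur is None else cur).append(line)
    snooped = set()
    if "ip dhcp snooping" in glob:    # per-VLAN lines do nothing until enabled globally
        for m in filter(None, (re.fullmatch(r"ip dhcp snooping vlan (\S+)", l) for l in glob)):
            snooped |= expand_vlans(m.group(1))
    findings = []
    if not any("ip dhcp snooping trust" in cmds for cmds in ports.values()):
        findings.append("no trusted port: DHCP server replies are dropped on untrusted ports")
    for name, cmds in ports.items():
        if not any(c.startswith("ip verify source") for c in cmds):
            continue
        vlan = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport access vlan ")), 1)
        if vlan not in snooped:
            findings.append(f"{name}: ip verify source on VLAN {vlan} without DHCP snooping")
        if any(c.startswith("ip device tracking maximum") for c in cmds):
            findings.append(f"{name}: ip device tracking maximum set (static-host IPSG prerequisite)")
    return findings
```

Calling `audit_ipsg(SAMPLE_CONFIG)` returns only the trusted-port finding, because the constructed uplink carries no `ip dhcp snooping trust`.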
