edwardwaithaka (Beginner)

How to make DHCP Snooping Rate Limit and Port Security Work Concurrently

Hi,

I have the below config which is not working as I expect it to.

When I run a DHCP DISCOVER DoS, the port doesn't shut down when port security is enabled, leading to users not getting DHCP IPs. Output is below:

interface GigabitEthernet1/0/1
 switchport access vlan ABC
 switchport mode access
 switchport block unicast
 switchport voice vlan DEF
 ip dhcp snooping limit rate 15
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 load-interval 30
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

SWITCH(config-if)#
009360: .Aug  7 18:49:59.485 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a6bd.7476.99fb on port GigabitEthernet1/0/1.
SWITCH(config-if)#
009361: .Aug  7 18:50:00.441 EAT: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/1. A packet filter action has been applied on the interface.
SWITCH(config-if)#
009362: .Aug  7 18:50:04.550 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f295.830e.6641 on port GigabitEthernet1/0/1.
009364: .Aug  7 18:50:09.550 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3cf3.386c.7bc8 on port GigabitEthernet1/0/1.
SWITCH(config-if)#
009365: .Aug  7 18:50:15.337 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 12bd.8c30.8201 on port GigabitEthernet1/0/1.
009366: .Aug  7 18:50:20.663 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1ca2.9534.4157 on port GigabitEthernet1/0/1.
SWITCH(config-if)#
009367: .Aug  7 18:50:26.113 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address b811.f26c.3e56 on port GigabitEthernet1/0/1.
009368: .Aug  7 18:50:31.994 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 2204.c355.ba74 on port GigabitEthernet1/0/1.
SWITCH(config-if)#

When I disable all features apart from DHCP rate limit, the port shuts down.
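With `switchport port-security violation restrict`, port security drops frames from excess MAC addresses and logs each one, but it never err-disables the port; only the `shutdown` violation mode does that. So a port in restrict mode that keeps logging new MACs every few seconds, as in the output above, stays up, and the only place the pattern shows is the syslog stream. The script below is an added example, not part of the post or of Cisco's tooling. It parses the IOS syslog lines quoted above (a constructed sample built from the post, with the `SWITCH(config-if)#` prompt lines removed; lines that do not match the IOS format are skipped), normalises the two interface-name spellings IOS uses (`GigabitEthernet1/0/1` in port-security messages, `Gi1/0/1` in storm-control messages), and flags a port on which many distinct MACs trip port security inside a short window. The window length and MAC threshold are assumed tuning values, not figures from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the syslog lines quoted in the post above with the
# interactive "SWITCH(config-if)#" prompt lines dropped. IOS timestamps carry no
# year, so all times are relative (strptime defaults the year to 1900).
SAMPLE_LOG = """\
009360: .Aug  7 18:49:59.485 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a6bd.7476.99fb on port GigabitEthernet1/0/1.
009361: .Aug  7 18:50:00.441 EAT: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/1. A packet filter action has been applied on the interface.
009362: .Aug  7 18:50:04.550 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f295.830e.6641 on port GigabitEthernet1/0/1.
009364: .Aug  7 18:50:09.550 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3cf3.386c.7bc8 on port GigabitEthernet1/0/1.
009365: .Aug  7 18:50:15.337 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 12bd.8c30.8201 on port GigabitEthernet1/0/1.
009366: .Aug  7 18:50:20.663 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1ca2.9534.4157 on port GigabitEthernet1/0/1.
009367: .Aug  7 18:50:26.113 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address b811.f26c.3e56 on port GigabitEthernet1/0/1.
009368: .Aug  7 18:50:31.994 EAT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 2204.c355.ba74 on port GigabitEthernet1/0/1.
"""

# Sequence number, optional clock flag ('.' = clock not authoritative, '*' = not set),
# timestamp, timezone, then the %FACILITY-SEVERITY-MNEMONIC: message body.
LINE_RE = re.compile(
    r"^\d+: [.*]?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d\.\d{3}) \S+: "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
VIOLATION_RE = re.compile(r"caused by MAC address (\S+) on port (\S+)\.$")
STORM_RE = re.compile(r"A (\w+) storm detected on (\S+)\.")

# IOS spells interface names differently across subsystems; map the long form
# to the short one so both event types land on the same per-port key.
_IF_SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa", "TenGigabitEthernet": "Te"}


def normalize_ifname(name):
    for long_form, short in _IF_SHORT.items():
        if name.startswith(long_form):
            return short + name[len(long_form):]
    return name


def parse_line(line):
    """Parse one IOS syslog line into an event dict; None if it is not a syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
    ev = {"ts": ts, "facility": m["facility"], "severity": int(m["sev"]),
          "mnemonic": m["mnemonic"], "port": None, "mac": None}
    if m["mnemonic"] == "PSECURE_VIOLATION":
        v = VIOLATION_RE.search(m["msg"])
        if v:
            ev["mac"], ev["port"] = v.group(1), normalize_ifname(v.group(2))
    elif m["mnemonic"] == "FILTERED":
        s = STORM_RE.search(m["msg"])
        if s:
            ev["port"] = normalize_ifname(s.group(2))
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize_by_port(events):
    """Per-port counts: violations, distinct offending MACs, storm events, first/last time."""
    summary = defaultdict(lambda: {"violations": 0, "distinct_macs": set(), "storms": 0,
                                   "first": None, "last": None})
    for ev in events:
        if ev["port"] is None:
            continue
        s = summary[ev["port"]]
        if ev["mnemonic"] == "PSECURE_VIOLATION":
            s["violations"] += 1
            s["distinct_macs"].add(ev["mac"])
        elif ev["mnemonic"] == "FILTERED":
            s["storms"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return {p: {**s, "distinct_macs": len(s["distinct_macs"])} for p, s in summary.items()}


def detect_mac_flood(events, window_seconds=60, min_distinct_macs=5):
    """Return {port: max distinct MACs seen in any sliding window} for ports at or
    above the threshold. In 'violation restrict' mode the port stays up, so a
    steady stream of new MACs is visible only through these log lines."""
    per_port = defaultdict(list)
    for ev in events:
        if ev["mnemonic"] == "PSECURE_VIOLATION" and ev["port"]:
            per_port[ev["port"]].append((ev["ts"], ev["mac"]))
    flagged = {}
    for port, hits in per_port.items():
        hits.sort()  # chronological; the window slides from each event in turn
        best = 0
        for i, (start, _) in enumerate(hits):
            macs = {mac for ts, mac in hits[i:] if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(macs))
        if best >= min_distinct_macs:
            flagged[port] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for port, s in summarize_by_port(evs).items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{port}: {s['violations']} violations, {s['distinct_macs']} distinct MACs, "
              f"{s['storms']} storm events over {span:.1f}s")
    print("MAC flood candidates:", detect_mac_flood(evs))
```

On the sample, the script reports seven violations from seven distinct MACs plus one broadcast-storm filter event on Gi1/0/1 inside roughly 33 seconds, which is exactly the pattern a restrict-mode port cannot stop on its own. The window slides from each violation rather than using fixed buckets, so a burst that straddles a bucket boundary is not missed; the defaults (60 s, 5 MACs) are assumed starting points and should be set from what a normal access port on the network actually produces.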
