03-25-2008 10:04 AM - edited 03-09-2019 08:21 PM
Hello,
I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.
I've configured port-security, DHCP Snooping and DAI and they all work as expected.
However when it comes to IP Source Guard, things don't work as I expected... when a DHCP lease expires because a user has switched their machine off for a number of days, the Snooping binding is removed and IP source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request and a reply gets generated but the offer gets dropped because there is no Snooping binding!
One thing to note is that the DHCP server is on the switch itself and not on a port.
Does anyone know if this is the correct behaviour???
Thanks.
03-26-2008 11:41 PM
Hi Steve,
I don't have experience with the situation where the DHCP server is on the same switch.
But the problem with the ip source guard probably can be solved with the following configuration:
conf t
ip dhcp snooping
ip dhcp snooping vlan x,y,z
ip dhcp snooping information option
The DHCP offer is dropped because the switch does not know which port to forward the dhcp offer to.
Information option helps solve this problem.
Try this and please inform me if this is successful.
Thank you:
Istvan
03-27-2008 01:39 AM
Hi Istvan,
Thanks for your advice: I have that config in place. I'm using port security, dhcp snooping, dynamic arp inspection and ip source guard - proper switch security ;-)
I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.
Here is the relevant config:
ip dhcp excluded-address 172.21.1.254
!
ip dhcp pool Users
network 172.21.1.0 255.255.255.0
default-router 172.21.1.254
lease 0 0 5
!
ip dhcp snooping vlan 2
ip dhcp snooping database tftp://172.21.1.250/test-sw-dhcpDB
ip dhcp snooping
ip arp inspection vlan 2
interface GigabitEthernet1/0/4
description Laptop
switchport access vlan 2
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source port-security
ip dhcp snooping limit rate 10
!
interface Vlan2
ip address 172.21.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
The lease time is so long for testing purposes; and option 82 is enabled by default so the command is not displayed in the running config.
Thanks, Steve
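To make the expected interaction between DHCP snooping bindings and IP Source Guard concrete, here is a small Python model added as an illustration; it is not Cisco code and not anything from this thread. It models the documented behaviour that Steve saw on the other IOS versions: a binding lives for the lease, IP Source Guard on an untrusted port permits DHCP client traffic (UDP 68 to 67) unconditionally plus IP traffic whose source IP and MAC match a current binding, and a freshly snooped DHCPACK reinstalls the binding. The port name, MAC, client IP and clock values are constructed; the 12.2.40SE bug (the dropped offer) is deliberately not modelled.

```python
"""Constructed model of DHCP snooping bindings feeding IP Source Guard (ISG).

Simplified illustration, not Cisco code: a binding entry lives for the DHCP
lease; ISG on an untrusted port permits only DHCP client traffic plus IP
traffic whose source IP/MAC matches a current binding on that port.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    expires_at: int  # seconds on a constructed clock


@dataclass
class Packet:
    port: str
    vlan: int
    src_mac: str
    src_ip: str
    sport: int = 0
    dport: int = 0
    dhcp: Optional[str] = None  # "DISCOVER", "REQUEST", ... for DHCP packets


class SnoopingSwitch:
    def __init__(self) -> None:
        self.bindings: Dict[Tuple[int, str], Binding] = {}
        self.isg_ports: set = set()

    def enable_source_guard(self, port: str) -> None:
        self.isg_ports.add(port)

    def expire(self, now: int) -> None:
        # Bindings age out with the lease; this is what removed Steve's entry.
        self.bindings = {k: b for k, b in self.bindings.items() if b.expires_at > now}

    def snoop_ack(self, vlan: int, mac: str, ip: str, port: str, lease: int, now: int) -> None:
        # DHCP snooping learns a binding from the DHCPACK it forwards to the client.
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port, now + lease)

    def ingress(self, pkt: Packet, now: int) -> str:
        """Return the ISG verdict ("permit"/"deny") for a packet entering a port."""
        self.expire(now)
        if pkt.port not in self.isg_ports:
            return "permit"
        # DHCP client traffic (UDP 68 -> 67) is always allowed, so a host whose
        # lease has expired can still ask for a new one.
        if pkt.sport == 68 and pkt.dport == 67:
            return "permit"
        b = self.bindings.get((pkt.vlan, pkt.src_mac))
        if b and b.port == pkt.port and b.ip == pkt.src_ip:
            return "permit"
        return "deny"


def simulate_lease_expiry() -> List[str]:
    """Replay the thread's scenario on the model and return the ISG verdicts."""
    sw = SnoopingSwitch()
    # Constructed values: port name from the thread, MAC and client IP made up.
    port, vlan, mac, ip = "Gi1/0/4", 2, "00:11:22:33:44:55", "172.21.1.10"
    sw.enable_source_guard(port)
    lease = 300  # 5-minute lease, matching "lease 0 0 5"

    data = Packet(port, vlan, mac, ip, sport=1234, dport=80)
    discover = Packet(port, vlan, mac, "0.0.0.0", sport=68, dport=67, dhcp="DISCOVER")

    verdicts: List[str] = []
    sw.snoop_ack(vlan, mac, ip, port, lease, now=0)
    verdicts.append(sw.ingress(data, now=60))        # binding valid: permit
    verdicts.append(sw.ingress(data, now=3600))      # lease expired: deny
    verdicts.append(sw.ingress(discover, now=3600))  # DHCP still passes: permit
    sw.snoop_ack(vlan, mac, ip, port, lease, now=3600)  # new lease learned
    verdicts.append(sw.ingress(data, now=3610))      # port reopened: permit
    return verdicts


if __name__ == "__main__":
    print(simulate_lease_expiry())  # ['permit', 'deny', 'permit', 'permit']
```

The third verdict is the one that matters for this thread: with a working snooping/source-guard implementation the client's DISCOVER is never the thing that gets blocked, and once the ACK is snooped the binding returns and normal traffic flows again. On a real switch the equivalent checks are "show ip dhcp snooping binding" and "show ip verify source" before and after the lease expires.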
03-27-2008 10:45 AM
Thank you Steve,
I think this explains the abnormal behavior.
It is good you provided this info, because during the day I was thinking several times about this problem. Now, my mind will be freed from this :)
Cheers:
Istvan
03-27-2008 01:04 PM
Ha! I know that feeling very well. Issues like this one make me doubt my understanding. I automatically think I've configured things wrongly or not understood something when all along it's a bug!
Thanks, Steve