Difference between ip verify source and ip verify source port security

mahesh18 (Level 6)

Hi all,

We can enable IP Source Guard with the command

ip verify source

under the interface, but we also have the command

ip verify source port-security

which we can also use under the interface.

I have used both commands and here is the output:

3550SMIA#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/15     ip-mac       active       192.168.20.18    permit-all         20
Fa0/20     ip           active       192.168.20.28                       20
Fa0/20     ip           active       192.168.20.62                       20

I need to know the difference between the two commands, ip verify source and ip verify source port-security.

Also, under Filter-type why do we have ip-mac, and under Mac-address why does it show permit-all?

thanks

mahesh


9 Replies

Reza Sharifi (Hall of Fame)

Mahesh,

"ip verify source" enables IP Source Guard with source IP filtering,
and
"ip verify source port-security" enables IP Source Guard with source IP and MAC address filtering.

Here is the link to the command reference guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_sea/command/reference/cli1.html#wp4288514

HTH
Reza
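To make the difference between the two filter types concrete, here is a small Python model of how a port filters incoming IP frames under each command. It is an added example, not Cisco's code and not from this thread. The binding entries are constructed from the "sh ip verify source" rows above (the MAC for 192.168.20.62 is a placeholder), the PORTS table is constructed, and the rule that the MAC is only enforced when "switchport port-security" is also enabled on the port (otherwise the Mac-address column reads "permit-all" and only the IP is checked) is an assumption of this example that happens to match the Fa0/15 row in the thread.

```python
"""Model of IP Source Guard filtering under the two commands from the thread.

Added example, not Cisco's code. Maps:
  ip verify source                -> Filter-type "ip":     source IP checked
  ip verify source port-security  -> Filter-type "ip-mac": source IP and MAC checked

Assumption of this example: the MAC is only enforced when "switchport
port-security" is also enabled on the port; without it the Mac-address
column reads "permit-all" and only the IP is checked. Bindings are
constructed from the thread's output; the MAC for 192.168.20.62 is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


# Constructed DHCP snooping bindings (one per row of the thread's output).
BINDINGS: List[Binding] = [
    Binding("0040.f418.6d8a", "192.168.20.18", 20, "Fa0/15"),
    Binding("f4ce.4667.9b45", "192.168.20.28", 20, "Fa0/20"),
    Binding("0000.0000.0001", "192.168.20.62", 20, "Fa0/20"),  # placeholder MAC
]

# interface -> (filter type, port-security enabled, access VLAN); constructed.
PORTS: Dict[str, Tuple[str, bool, int]] = {
    "Fa0/15": ("ip-mac", False, 20),  # ip verify source port-security
    "Fa0/20": ("ip", False, 20),      # ip verify source
}


def mac_enforced(interface: str, ports=PORTS) -> bool:
    """MAC filtering needs both the port-security keyword and port security itself."""
    ftype, portsec, _ = ports[interface]
    return ftype == "ip-mac" and portsec


def permitted(interface: str, vlan: int, src_mac: str, src_ip: str,
              bindings=BINDINGS, ports=PORTS) -> bool:
    """Would IP Source Guard forward an IP frame with this source on this port?"""
    if interface not in ports:
        return True  # feature not enabled on the port
    rows = [b for b in bindings if b.interface == interface and b.vlan == vlan]
    if not rows:
        return False  # no learned binding: deny-all (only DHCP gets through)
    for b in rows:
        if b.ip == src_ip and (not mac_enforced(interface, ports) or b.mac == src_mac):
            return True
    return False


def mac_column(interface: str, binding_mac: str, ports=PORTS) -> str:
    """Value of the Mac-address column in 'sh ip verify source' for one row."""
    ftype, _, _ = ports[interface]
    if ftype == "ip":
        return ""                # MAC is not part of the filter at all
    if mac_enforced(interface, ports):
        return binding_mac       # real MAC, or deny-all when there is no binding
    return "permit-all"          # ip-mac configured but port security is off


def show_ip_verify_source(bindings=BINDINGS, ports=PORTS) -> List[Tuple[str, str, str, str, int]]:
    """Rows of (Interface, Filter-type, IP-address, Mac-address, Vlan)."""
    rows = []
    for iface, (ftype, _, vlan) in sorted(ports.items()):
        mine = [b for b in bindings if b.interface == iface]
        if not mine:
            rows.append((iface, ftype, "deny-all", mac_column(iface, "deny-all", ports), vlan))
        for b in mine:
            rows.append((iface, ftype, b.ip, mac_column(iface, b.mac, ports), b.vlan))
    return rows


if __name__ == "__main__":
    for row in show_ip_verify_source():
        print("%-9s %-11s %-15s %-17s %d" % row)
    print("empty table:", show_ip_verify_source(bindings=[]))
```

Passing an empty binding list reproduces the "deny-all / permit-all" row seen later in the thread after DHCP snooping was disabled and re-enabled: with no binding on the port, no IP source is allowed regardless of filter type.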

Hi Reza,

Thanks for the reply.

This is what I did:

From global config mode I ran the command

no ip dhcp snooping

then I enabled it again with

ip dhcp snooping

but now I see no DHCP snooping bindings:

Mar 12 14:01:09.900 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:09 MST Sat Mar 12 2011])
Mar 12 14:01:10.900 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:10 MST Sat Mar 12 2011])
Mar 12 14:01:33.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:33 MST Sat Mar 12 2011])
Mar 12 14:01:34.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:34 MST Sat Mar 12 2011])
Mar 12 14:01:34.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:34 MST Sat Mar 12 2011])
Mar 12 14:01:35.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:35 MST Sat Mar 12 2011])
Mar 12 14:01:35.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:35 MST Sat Mar 12 2011])
Mar 12 14:01:36.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:36 MST Sat Mar 12 2011])
Mar 12 14:01:37.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:37 MST Sat Mar 12 2011])
Mar 12 14:01:37.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:37 MST Sat Mar 12 2011])
Mar 12 14:01:38.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:38 MST Sat Mar 12 2011])
Mar 12 14:01:38.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:38 MST Sat Mar 12 2011])
Mar 12 14:01:39.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:39 MST Sat Mar 12 2011])
Mar 12 14:01:40.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:40 MST Sat Mar 12 2011])
3550SMIA#sh ip dhcp sno
3550SMIA#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30,40
DHCP snooping is operational on following VLANs:
10,20,30,40
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/8              yes         unlimited
3550SMIA#sh ip dhcp snooping bin
3550SMIA#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

3550SMIA#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/15     ip-mac       active       deny-all         permit-all         20

How can I see the entries in sh ip dhcp snooping binding again?

thanks

Mahesh,

"How can I see the entries in sh ip dhcp snooping binding again?"

Your connected stations must renew their DHCP leases. As you have deactivated the DHCP Snooping, the database created from observing the DHCP messages was emptied. After you reactivate the snooping, the database must be populated again which will happen only by observing the DHCP messaging.

Best regards,

Peter
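Peter's explanation also accounts for the %SW_DAI-4-DHCP_SNOOPING_DENY messages posted above: Dynamic ARP Inspection checks the sender MAC/IP of each ARP on an untrusted port against the same snooping binding table, so an empty table denies every ARP until the station has re-leased. The following Python is an added example (not Cisco's code and not from this thread) that parses those messages and reports which stations still lack a binding. The four log lines are copied from the thread; the RENEWED table is constructed to show the state after the client has obtained a new lease.

```python
"""Parse the %SW_DAI-4-DHCP_SNOOPING_DENY messages from the thread and test them
against a DHCP snooping binding table.

Added example, not Cisco's code. DAI denies an ARP on an untrusted port when
the sender MAC/IP pair is not in the snooping bindings, so an empty table (as
after 'no ip dhcp snooping' / 'ip dhcp snooping') denies everything until the
client re-leases. Log lines are copied from the thread; RENEWED is constructed.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Set, Tuple

DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<iface>[^,\s]+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)


class ArpDeny(NamedTuple):
    kind: str        # Req or Res
    iface: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_deny(line: str) -> Optional[ArpDeny]:
    """Extract the fields of one DAI deny message; None for any other line."""
    m = DAI_DENY.search(line)
    if m is None:
        return None
    return ArpDeny(m["kind"], m["iface"], int(m["vlan"]),
                   m["smac"], m["sip"], m["tmac"], m["tip"])


# A binding table as (MAC, IP, VLAN) tuples, i.e. 'sh ip dhcp snooping binding'.
BindingTable = Set[Tuple[str, str, int]]


def arp_valid(d: ArpDeny, bindings: BindingTable) -> bool:
    """The DAI rule: the sender MAC/IP pair must be a learned binding on that VLAN."""
    return (d.sender_mac, d.sender_ip, d.vlan) in bindings


def audit(lines: List[str], bindings: BindingTable):
    """Count logged denies per interface and list senders the table does not cover.

    The second value tells the operator which stations still have to renew
    their lease before DAI and IP Source Guard will pass their traffic again.
    """
    per_iface: Counter = Counter()
    missing = set()
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        per_iface[d.iface] += 1
        if not arp_valid(d, bindings):
            missing.add((d.sender_mac, d.sender_ip, d.vlan, d.iface))
    return per_iface, missing


# Four of the messages posted in the thread (copied verbatim).
LOG = [
    "Mar 12 14:01:09.900 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:09 MST Sat Mar 12 2011])",
    "Mar 12 14:01:10.900 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/0000.0000.0000/192.168.20.1/14:01:10 MST Sat Mar 12 2011])",
    "Mar 12 14:01:33.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:33 MST Sat Mar 12 2011])",
    "Mar 12 14:01:34.905 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/15, vlan 20.([0040.f418.6d8a/192.168.20.18/f4ce.4667.9b45/192.168.20.28/14:01:34 MST Sat Mar 12 2011])",
]

EMPTY: BindingTable = set()  # the table right after snooping was re-enabled
RENEWED: BindingTable = {("0040.f418.6d8a", "192.168.20.18", 20)}  # constructed: after a new lease

if __name__ == "__main__":
    for name, table in (("empty", EMPTY), ("renewed", RENEWED)):
        per_iface, missing = audit(LOG, table)
        print(name, dict(per_iface), "missing bindings:", sorted(missing))
```

Against the empty table every one of the logged ARPs maps to the same missing binding, 0040.f418.6d8a / 192.168.20.18 on Fa0/15, which is exactly the station that has to renew; once that binding is back, the same ARPs validate and the denies stop.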

Hi Peter,

Thanks for reply.

How can I refresh their leases from the switch?

mahesh

Hi Mahesh,

The only way to force the stations to refresh their leases from a switch is to shut down the corresponding ports, wait a certain time for the operating system on the stations to recognize that the connection is not valid (let's say a minute or so), and then reactivate the ports again. The stations will react as if they have been disconnected and reconnected to the network, and will reacquire their IP settings.

Apart from that, a switch cannot force a station to renegotiate its IP settings via DHCP.

Best regards,

Peter

Hi Peter,

Let me give it a shot.

Will update you.

Hi Peter,

Just to let you know, this 3550 switch is acting as the DHCP server.

thanks

mahesh

Hi Mahesh,

I see. Nevertheless, in DHCPv4, there is no message that could force a client to renew its DHCP lease. Thus, the only action we can trigger is a disconnect/reconnect event. Most DHCP clients will renew their lease as a result.

Best regards,

Peter

Hi Peter and Reza,

Thanks again for all your help.

regards

mahesh