Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
434
Views
0
Helpful
1
Replies

Instant Access and IP Source Guard issue

andrewswanson
Level 7
Level 7

‎11-25-2015 06:52 AM - edited ‎03-08-2019 02:50 AM

Hello
I'm trying to get IP Source Guard working on a cisco Instant Access client switch (parent switch ios is s2t54-ipservicesk9-mz.SPA.152-1.SY1a.bin)

DHCP snooping is enabled and I can see the binding ok but when I enable "ip verify source vlan dhcp-snooping" on the Instant Access interface source guard drops all traffic from the attached client.

The "show ip verify source interface" shows the ip-mac binding ok.

I moved the client onto a non instant access interface on the parent switch and the same interface config worked as expected.

How can I get Source guard working on an Instant Access interface?

Thanks
Andy

Non Instant Access interface (Source Guard allows traffic):

Interface  Filter-type      Filter-mode  IP-address       Mac-address        Vlan
---------  -------------    -----------  ---------------  -----------------  ----------
Te1/1/6    ip-mac           active       10.92.1.86       E8:E0:B7:5A:77:5C  101
Total ip-mac binding on interface Te1/1/6: 1


MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:E0:B7:5A:77:5C   10.92.1.86       44          dhcp-snooping   101   TenGigabitEthernet1/1/6

Instant Access client interface (Source Guard denies traffic):

Interface  Filter-type      Filter-mode  IP-address       Mac-address        Vlan
---------  -------------    -----------  ---------------  -----------------  ----------
Gi102/1/0  ip-mac           active       10.92.1.86       E8:E0:B7:5A:77:5C  101
Total ip-mac binding on interface Gi102/1/0/1: 1

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:E0:B7:5A:77:5C   10.92.1.86       39          dhcp-snooping   101   GigabitEthernet102/1/0/1
Total number of bindings: 1


Switch config excerpt:

ip dhcp snooping vlan 101
no ip dhcp snooping information option
ip dhcp snooping

!
interface TenGigabitEthernet1/1/6 (non instant access interface)
 switchport
 switchport mode access
 switchport access vlan 101
 ip verify source vlan dhcp-snooping

!
interface GigabitEthernet102/1/0/1 (instant access interface)
 switchport
 switchport trunk allowed vlan 1
 switchport mode access
 switchport access vlan 101
 ip verify source vlan dhcp-snooping

Labels:
0 Helpful
1 Reply 1

OQ
Level 4
Level 4

‎04-19-2016 01:56 PM

Hi, 

Did you find out what it was? I am curious why you negated ip dhcp snooping information option. Is your DHCP server IOS based or Windows. 

Regards, 


Osvaldo

0 Helpful
Customers Also Viewed These Support Documents