Netmart
Beginner

IP Security Guard blocking ARP requests of client

Hello,

As soon as IPSG is enabled, it looks like ARP requests are no longer replied to by the switch. The DHCP onboarding process does still work, though; see the outputs below.

Note that this is Cisco VIRL:

Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180619)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to V152_6_0_81_E

Please find the extract of the config and debugs below:

Thanks,

interface GigabitEthernet0/2
description DHCP
switchport access vlan 2
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky fa16.3eca.5143
switchport port-security
ip arp inspection limit rate 100
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
ip dhcp snooping limit rate 5
!
interface GigabitEthernet0/3
description Static
switchport access vlan 2
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky fa16.3e82.bd0e
switchport port-security
ip arp inspection limit rate 100
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
ip verify source port-security
ip dhcp snooping limit rate 5
!
interface GigabitEthernet1/0
description Static
switchport access vlan 2
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky fa16.3e19.1773
switchport port-security
ip arp inspection limit rate 100
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
ip verify source port-security
ip dhcp snooping limit rate 5
!

++++++++++++++++++++++++++++++++++

switch#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/2      ip-mac       active       10.4.1.101       FA:16:3E:CA:51:43  2
Gi0/3      ip-mac       active       10.1.4.2         FA:16:3E:82:BD:0E  2
Gi1/0      ip-mac       active       10.1.4.3         FA:16:3E:CC:72:1E  2

switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/2              1            1                  0         Shutdown
      Gi0/3              1            1                  0         Shutdown
      Gi1/0              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
FA:16:3E:CA:51:43   10.4.1.101       84693       dhcp-snooping   2     GigabitEthernet0/2
Total number of bindings: 1

-------------------------

switch#ping 10.4.1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.1.101, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

:~$ sudo tcpdump -i eth1 icmp
04:00:12.689990 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 0, length 80
04:00:14.691666 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 1, length 80
04:00:16.692246 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 2, length 80
04:00:18.693024 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 3, length 80
04:00:20.693628 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 4, length 80

:~$ sudo tcpdump -i eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
05:20:32.962488 ARP, Request who-has 10.4.1.100 tell 10.4.1.101, length 28
05:20:33.960160 ARP, Request who-has 10.4.1.100 tell 10.4.1.101, length 28
05:20:34.960120 ARP, Request who-has 10.4.1.100 tell 10.4.1.101, length 28

+++++++++++++++++++++++++++++++++

*Apr 11 05:30:46.131: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/2 mac_addr = fa16.3eca.5143 vlanid = 2
*Apr 11 05:30:46.131: PSECURE: mac-address fa16.3eca.5143 is already configured on this interface.
*Apr 11 05:30:46.134: PSECURE: mac-address fa16.3eca.5143 is already configured on this interface.
*Apr 11 05:30:46.134: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/2)
*Apr 11 05:30:46.135: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/2 mac_addr = fa16.3eca.5143 vlanid = 2
*Apr 11 05:30:46.135: PSECURE: mac-address fa16.3eca.5143 is already configured on this interface.
*Apr 11 05:30:46.135: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/2, MAC da

ip source binding FA16.3ECC.721E vlan 2 10.1.4.3 interface Gi1/0
ip source binding FA16.3E82.BD0E vlan 2 10.1.4.2 interface Gi0/3
!
arp access-list DAI-StaticIPs
permit ip host 10.4.1.2 mac host fa16.3e82.bd0e
permit ip host 10.4.1.3 mac host fa16.3e19.1773
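A consistency check over the static-host entries quoted in the post, added here as an example (it is not from the original post and not a Cisco tool): it parses the port-security sticky MACs, the `ip source binding` entries and the `DAI-StaticIPs` ARP ACL from a constructed excerpt of the configuration above and reports every interface whose IPSG binding disagrees with the other two, since IPSG and DAI silently drop traffic from a host whose binding does not match what it actually sends. The function names and the report wording are my own.

```python
import re

# Constructed excerpt of the configuration quoted in the post (sticky MACs, IPSG bindings, DAI ACL).
CONFIG = """
interface GigabitEthernet0/3
 switchport port-security mac-address sticky fa16.3e82.bd0e
 ip verify source port-security
interface GigabitEthernet1/0
 switchport port-security mac-address sticky fa16.3e19.1773
 ip verify source port-security
ip source binding FA16.3ECC.721E vlan 2 10.1.4.3 interface Gi1/0
ip source binding FA16.3E82.BD0E vlan 2 10.1.4.2 interface Gi0/3
arp access-list DAI-StaticIPs
 permit ip host 10.4.1.2 mac host fa16.3e82.bd0e
 permit ip host 10.4.1.3 mac host fa16.3e19.1773
"""

def norm_mac(mac):
    """fa16.3e82.bd0e / FA:16:3E:82:BD:0E -> fa163e82bd0e so IOS's two spellings compare equal."""
    return re.sub(r"[.:-]", "", mac).lower()

def parse(config):
    """Return {intf: sticky_mac}, {intf: (mac, ip)} and {mac: ip} from the three feature blocks."""
    sticky, bindings, arp_acl, current = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1).replace("GigabitEthernet", "Gi")   # match the Gi0/3 short form
        elif m := re.match(r"switchport port-security mac-address sticky (\S+)$", line):
            sticky[current] = norm_mac(m.group(1))
        elif m := re.match(r"ip source binding (\S+) vlan \d+ (\S+) interface (\S+)$", line):
            bindings[m.group(3).replace("GigabitEthernet", "Gi")] = (norm_mac(m.group(1)), m.group(2))
        elif m := re.match(r"permit ip host (\S+) mac host (\S+)$", line):
            arp_acl[norm_mac(m.group(2))] = m.group(1)
    return sticky, bindings, arp_acl

def find_mismatches(config):
    """List each static IPSG binding whose MAC or IP disagrees with port-security or the DAI ACL."""
    sticky, bindings, arp_acl = parse(config)
    problems = []
    for intf, (mac, ip) in bindings.items():
        if intf in sticky and sticky[intf] != mac:
            problems.append(f"{intf}: binding MAC {mac} != sticky MAC {sticky[intf]}")
        if mac not in arp_acl:
            problems.append(f"{intf}: MAC {mac} has no DAI ACL entry")
        elif arp_acl[mac] != ip:
            problems.append(f"{intf}: binding IP {ip} != DAI ACL IP {arp_acl[mac]}")
    return problems

if __name__ == "__main__":
    print("\n".join(find_mismatches(CONFIG)))
```

Run against the excerpt it flags three disagreements (a MAC on Gi1/0 and an IP on Gi0/3); an empty list means the three feature tables agree for every statically bound host.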