IP Security Guard blocking ARP requests of client

04-10-2020 11:54 PM
Hello,
As soon as IPSG is enabled, it looks like ARP requests are no longer answered by the switch, although the DHCP onboarding process does still work; see the outputs below.
Note that this is Cisco VIRL:
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180619)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to V152_6_0_81_E
Please see the extract of the config and debugs below:
Thanks,
interface GigabitEthernet0/2
description DHCP
switchport access vlan 2
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky fa16.3eca.5143
switchport port-security
ip arp inspection limit rate 100
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
ip dhcp snooping limit rate 5
interface GigabitEthernet0/3
description Static
switchport access vlan 2
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky fa16.3e82.bd0e
switchport port-security
ip arp inspection limit rate 100
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
ip verify source port-security
ip dhcp snooping limit rate 5
!
interface GigabitEthernet1/0
description Static
switchport access vlan 2
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky fa16.3e19.1773
switchport port-security
ip arp inspection limit rate 100
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
ip verify source port-security
ip dhcp snooping limit rate 5
!
++++++++++++++++++++++++++++++++++
switch#sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/2 ip-mac active 10.4.1.101 FA:16:3E:CA:51:43 2
Gi0/3 ip-mac active 10.1.4.2 FA:16:3E:82:BD:0E 2
Gi1/0 ip-mac active 10.1.4.3 FA:16:3E:CC:72:1E 2
switch#sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/2 1 1 0 Shutdown
Gi0/3 1 1 0 Shutdown
Gi1/0 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
switch#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
FA:16:3E:CA:51:43 10.4.1.101 84693 dhcp-snooping 2 GigabitEthernet0/2
Total number of bindings: 1
-------------------------
switch#ping 10.4.1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.1.101, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
:~$ sudo tcpdump -i eth1 icmp
04:00:12.689990 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 0, length 80
04:00:14.691666 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 1, length 80
04:00:16.692246 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 2, length 80
04:00:18.693024 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 3, length 80
04:00:20.693628 IP 10.4.1.100 > 10.4.1.101: ICMP echo request, id 3, seq 4, length 80
:~$ sudo tcpdump -i eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
05:20:32.962488 ARP, Request who-has 10.4.1.100 tell 10.4.1.101, length 28
05:20:33.960160 ARP, Request who-has 10.4.1.100 tell 10.4.1.101, length 28
05:20:34.960120 ARP, Request who-has 10.4.1.100 tell 10.4.1.101, length 28
+++++++++++++++++++++++++++++++++
*Apr 11 05:30:46.131: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/2 mac_addr = fa16.3eca.5143 vlanid = 2
*Apr 11 05:30:46.131: PSECURE: mac-address fa16.3eca.5143 is already configured on this interface.
*Apr 11 05:30:46.134: PSECURE: mac-address fa16.3eca.5143 is already configured on this interface.
*Apr 11 05:30:46.134: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/2)
*Apr 11 05:30:46.135: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/2 mac_addr = fa16.3eca.5143 vlanid = 2
*Apr 11 05:30:46.135: PSECURE: mac-address fa16.3eca.5143 is already configured on this interface.
*Apr 11 05:30:46.135: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/2, MAC da
ip source binding FA16.3ECC.721E vlan 2 10.1.4.3 interface Gi1/0
ip source binding FA16.3E82.BD0E vlan 2 10.1.4.2 interface Gi0/3
!
arp access-list DAI-StaticIPs
permit ip host 10.4.1.2 mac host fa16.3e82.bd0e
permit ip host 10.4.1.3 mac host fa16.3e19.1773
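An added example, not from the post or from Cisco: a small Python checker that cross-references the sticky port-security MACs in the running-config extract with the MAC that show ip verify source reports IPSG enforcing on each port, with sample inputs constructed from the values pasted above. On those values it flags Gi1/0, whose IPSG binding MAC (FA:16:3E:CC:72:1E) is not the port's sticky MAC (fa16.3e19.1773); whether that accounts for the symptom is for the thread to determine.

```python
import re

# Constructed sample: sticky MACs taken from the running-config extract in the post.
RUNNING_CONFIG = """\
interface GigabitEthernet0/2
 switchport port-security mac-address sticky fa16.3eca.5143
interface GigabitEthernet0/3
 switchport port-security mac-address sticky fa16.3e82.bd0e
interface GigabitEthernet1/0
 switchport port-security mac-address sticky fa16.3e19.1773
"""

# Constructed sample: the data rows of 'show ip verify source' from the post.
VERIFY_SOURCE = """\
Gi0/2 ip-mac active 10.4.1.101 FA:16:3E:CA:51:43 2
Gi0/3 ip-mac active 10.1.4.2 FA:16:3E:82:BD:0E 2
Gi1/0 ip-mac active 10.1.4.3 FA:16:3E:CC:72:1E 2
"""

def norm_mac(mac):
    """'fa16.3eca.5143' and 'FA:16:3E:CA:51:43' both become 'fa163eca5143'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def sticky_macs(config):
    """Short interface name (Gi0/2) -> sticky MAC that port-security has secured."""
    result, iface = {}, None
    for line in config.splitlines():
        m = re.match(r"interface ([A-Za-z]+)(\d\S*)", line.strip())
        if m:  # GigabitEthernet0/2 -> Gi0/2, the form the show commands use
            iface = m.group(1)[:2] + m.group(2)
            continue
        m = re.search(r"mac-address sticky ([0-9a-f.]+)$", line)
        if m and iface:
            result[iface] = norm_mac(m.group(1))
    return result

def ipsg_bindings(table):
    """Interface -> (IP, MAC) for the active ip-mac rows of 'show ip verify source'."""
    result = {}
    for line in table.splitlines():
        m = re.match(r"(\S+)\s+ip-mac\s+active\s+(\S+)\s+(\S+)\s+\d+$", line)
        if m:
            result[m.group(1)] = (m.group(2), norm_mac(m.group(3)))
    return result

def mismatches(config, table):
    """Interfaces on which the MAC IPSG enforces is not the port-security sticky MAC."""
    sticky, bound = sticky_macs(config), ipsg_bindings(table)
    return sorted(i for i, (_, mac) in bound.items() if i in sticky and sticky[i] != mac)
```

Calling mismatches(RUNNING_CONFIG, VERIFY_SOURCE) on the constructed samples returns ['Gi1/0']; Gi0/2 and Gi0/3 agree once both MAC notations are normalised.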
