1568 Views | 5 Helpful | 2 Replies

IP SOURCE GUARD ISSUE-HOST CAN ACQUIRE DHCP IP BUT CAN'T PING GATEWAY OR DHCP SERVER

blue phoenix
Level 1

Hi,
I have made a GNS3 network comprising 3725 routers and IOL Layer 3 and Layer 2 switches to simulate a DHCP client host on the other side of the WAN...
I was able to acquire an IP address with it.
I have configured DHCP snooping and I was able to test the man-in-the-middle attack and prove that the client can again get an IP address from the DHCP server. How come whenever I configure ip verify source, I can't ping the gateway? I have tried to use the method mentioned but still it does not work... Is it a bug in IOL or GNS3? Can you please help to test in a live box since I don't have a physical lab to test on at the moment...
Please see diagram
httx://imgur.com/a/74SPr change to http :)

2 Replies

Alan Kam
Level 1

I did a workaround to override the problem by adding ip device tracking maximum <value> and ip device tracking probe auto-source fallback:

ip device tracking probe auto-source fallback 0.0.0.253 255.255.255.0 override

interface fa0/1
 switchport mode access
 switchport port-security maximum 5
 switchport port-security
 ip device tracking maximum 5
 ip verify source port-security

interface Vlan1
 ip address 10.0.0.253 255.255.255.0

Alter the tracking probe source (the VLAN 1 address) to avoid the ARP probe source header being sent out and replied to by hosts with a duplicate source IP warning.

Enter the ip device tracking probe auto-source

If the switch sends out an ARP Probe for the client while the host (for example, a Microsoft Windows PC) is in its Duplicate-Address Detection phase, the host detects the probe as a duplicate IP address and presents the user with a message that a duplicate IP address was found on the network. The PC might not obtain an address, and the user must manually release/renew the address, disconnect and reconnect to the network, or reboot the PC in order to gain network access.

ip device tracking maintains the port ACL in another form in order to keep both static and DHCP client sources verified, although officially only static hosts should be configured with tracking, as described here:

Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port

If you only configure the ip verify source tracking [port-security] interface configuration command on a port without enabling IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with Static Hosts will reject all the IP traffic from that interface.
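The two pitfalls this reply describes (IPSG for static hosts with no device tracking, so the port drops everything, and device tracking with a 0.0.0.0 ARP probe source that trips hosts' duplicate-address detection) are both visible in the running-config. The script below is an added example, not code from the thread or from Cisco: it parses IOS-style config text and flags both conditions. The sample configs are constructed for the example; the "fixed" one mirrors the workaround posted above, the "broken" one is a hypothetical config of the kind the original question describes.

```python
"""Audit an IOS-style running-config for the two IP Source Guard pitfalls
discussed in this thread. Added example; the configs below are constructed.

Check 1: an interface with `ip verify source tracking [...]` but neither a
         global `ip device tracking` nor an interface `ip device tracking maximum`
         (the documented case where IPSG with static hosts drops all IP traffic).
Check 2: device tracking in use without `ip device tracking probe auto-source`,
         so ARP probes go out with a 0.0.0.0 source and can trigger
         duplicate-address warnings on hosts.
"""
import re

# Constructed: hypothetical config resembling the original poster's situation.
BROKEN_CONFIG = """\
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 ip verify source tracking port-security
!
interface FastEthernet0/3
 switchport mode access
 ip device tracking maximum 5
 ip verify source tracking port-security
!
interface Vlan1
 ip address 10.0.0.253 255.255.255.0
"""

# Constructed: mirrors the workaround posted in this reply.
FIXED_CONFIG = """\
ip device tracking probe auto-source fallback 0.0.0.253 255.255.255.0 override
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 5
 switchport port-security
 ip device tracking maximum 5
 ip verify source tracking port-security
!
interface Vlan1
 ip address 10.0.0.253 255.255.255.0
"""


def parse_config(text):
    """Split an IOS-style config into top-level lines and per-interface sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # indented line belongs to the open section
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None                       # any top-level command closes a section
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_ipsg(text):
    """Return a list of (scope, finding) tuples; an empty list means no issue found."""
    global_lines, interfaces = parse_config(text)
    findings = []
    tracking_global = "ip device tracking" in global_lines
    probe_source_set = any(l.startswith("ip device tracking probe auto-source")
                           for l in global_lines)
    tracking_in_use = tracking_global

    for name, lines in interfaces.items():
        has_max = any(l.startswith("ip device tracking maximum") for l in lines)
        tracking_in_use = tracking_in_use or has_max
        for v in (l for l in lines if l.startswith("ip verify source")):
            # Static-host IPSG ("tracking" keyword) needs device tracking somewhere.
            if "tracking" in v.split() and not (tracking_global or has_max):
                findings.append((name, f"'{v}' without IP device tracking: "
                                       "all IP traffic on this port is dropped"))

    if tracking_in_use and not probe_source_set:
        findings.append(("global", "IP device tracking in use without "
                         "'ip device tracking probe auto-source': ARP probes may "
                         "trigger duplicate-address warnings on hosts"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for scope, msg in audit_ipsg(cfg) or [("-", "no findings")]:
            print(f"  {scope}: {msg}")
```

Run against the broken sample it reports FastEthernet0/2 (static-host IPSG with no tracking) and one global finding for the missing probe auto-source; the fixed sample comes back clean. Only the `tracking` form of `ip verify source` is checked for the first condition, since that is the form the quoted documentation describes.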

Thanks! That fixed my problem in GNS3.
