IP Source Guard Issues

jlimbo987
Level 1

Hi All,

 

I'm trying to get source guard working. I've configured DHCP Snooping and DAI and they are working fine. I've tried to configure IPSG with just IP and also IP and MAC verification. When I'm just using IP verification the pings from host to gateway time out; when I add MAC verification they change to unreachable. The following config is on the access ports:

 

interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
switchport port-security
ip arp inspection limit rate 10
negotiation auto
ip verify source port-security
ip dhcp snooping limit rate 20
end

 

The results of show ip verify source:-

 

S#sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/2 ip-mac active 10.0.10.7 00:50:79:66:68:00 10
Gi0/3 ip-mac active 10.0.20.6 00:50:79:66:68:01 20
Gi1/0 ip-mac active 10.0.30.6 00:50:79:66:68:02 30
Gi1/1 ip-mac active 10.0.50.6 00:50:79:66:68:03 50
Gi1/2 ip-mac active 10.0.51.6 00:50:79:66:68:04 51
Gi1/3 ip-mac active 10.0.52.6 00:50:79:66:68:05 52

 

The results of show ip dhcp snoop binding :-

S#sh ip dhcp snoop bin
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:02 10.0.30.6 56576 dhcp-snooping 30 GigabitEthernet1/0
00:50:79:66:68:04 10.0.51.6 77275 dhcp-snooping 51 GigabitEthernet1/2
00:50:79:66:68:03 10.0.50.6 78272 dhcp-snooping 50 GigabitEthernet1/1
00:50:79:66:68:05 10.0.52.6 79735 dhcp-snooping 52 GigabitEthernet1/3
00:50:79:66:68:01 10.0.20.6 77224 dhcp-snooping 20 GigabitEthernet0/3
00:50:79:66:68:00 10.0.10.7 78129 dhcp-snooping 10 GigabitEthernet0/2
Total number of bindings: 6

 

From what I understand, this all looks right; however no traffic, including DHCP traffic, is allowed, and the debug output for ip verify source packets shows this:

 

*Dec 16 15:16:34.342: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 0, handle flag: 1.
*Dec 16 15:16:34.343: DHCP_SECURITY_SW: validate port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, mac: 0050.7966.6802, invalid flag: 0.
*Dec 16 15:16:34.343: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 1, handle flag: 0.
*Dec 16 15:16:35.332: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 0, handle flag: 1.

 

If anyone has any pointers on how to fix this it would be greatly appreciated.

 

23 Replies

Hello

What platform of switch and software image are you using?

sh version


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

For now I'm testing this on IOSvL2 with 15.2.1 image, but this is going to be deployed on a range of kit including 2960s and 9200s

 

Regards

John

Hello

Just to confirm you haven't applied IPSG to any uplinks - Correct?



Kind Regards
Paul

Hi Paul,

No, it's only on access ports

Hello

I wonder if this is a trait of the VM software. I have CML, so possibly I could test it also.

Can you run a debug and see what results you get?

 

no ip dhcp snooping information option
debug ip dhcp detail



Kind Regards
Paul

DHCP won't work with "no ip dhcp snooping information option" set. Also, there is no "debug ip dhcp detail" option:

 

debug ip dhcp ?
server          DHCP server activity
snooping     DHCP Snooping


S#debug ip dhcp server ?
binding-store     Binding data store
class                  Class-based address allocation
events                Report address assignments, lease expirations, etc.
linkage               Show database linkage
packet                Decode message receptions and transmissions
redundancy        DHCP server redundancy events
snmp                 DHCP server snmp events

 

S#debug ip dhcp snoop ?
H.H.H                 DHCP packet MAC address
agent                 DHCP Snooping agent
event                 DHCP Snooping event
packet               DHCP Snooping packet

Can you share the output of show port-security for GE0/1?

Port security isn't configured on g0/1; that's an upstream trunk port.

 

S#sh port-sec int g0/1
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

Sorry, if it is the upstream port which leads to the DHCP server, is DHCP snooping enabled on it?

Yes, so it's a trusted port for DHCP Snooping and DAI:

 

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 negotiation auto
 ip dhcp snooping trust
end 

The DHCP snooping database entry shows the MAC address and IP address on Ge0/1, which leads to the server;
the entry is added only if the switch sees the DHCP ACK for the IP address request from this port.
What is the more detail about this IP address?

The database doesn't have an entry for G0/1. It has entries for g0/2, g0/3, g1/0, g1/1, g1/2 and g1/3:

 

S#sh ip dhcp snoop bin
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:02 10.0.30.6 56576 dhcp-snooping 30 GigabitEthernet1/0
00:50:79:66:68:04 10.0.51.6 77275 dhcp-snooping 51 GigabitEthernet1/2
00:50:79:66:68:03 10.0.50.6 78272 dhcp-snooping 50 GigabitEthernet1/1
00:50:79:66:68:05 10.0.52.6 79735 dhcp-snooping 52 GigabitEthernet1/3
00:50:79:66:68:01 10.0.20.6 77224 dhcp-snooping 20 GigabitEthernet0/3
00:50:79:66:68:00 10.0.10.7 78129 dhcp-snooping 10 GigabitEthernet0/2
Total number of bindings: 6

Hello
Just an update on this. I tested this in CML and it does seem to suggest IPSG is a bit flaky running on this VM code. DHCP snooping/DAI work okay, and with DHCP snooping/DAI and IPSG I was still able to obtain a DHCP allocation without any problem.

However, I noticed that even with identical dynamic entries in the snooping/source binding tables I wasn't able to ping anything, which I wouldn't expect unless those host MAC/IP addresses changed and didn't reflect the entries of both tables, which seems wrong. But if I statically entered the same binding entry manually and enabled device tracking on the access port (as you would for static address assignment), I was able to successfully reach other devices, locally or remotely, suggesting that by default in this lab both snooping/source tables were not being read successfully by the switch and only bypassing them with static entries worked.


sh ver | in Soft

Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20190423)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to  V152_6_0_81_E

ip dhcp snooping vlan 1,10,20,30
no ip dhcp snooping information option
ip dhcp snooping

ip arp inspection vlan 1,10,20,30
ip arp inspection trust

 

interface GigabitEthernet0/0
 switchport access vlan 10
 switchport mode access
 switchport port-security
 spanning-tree portfast edge
 ip verify source port-security

sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
52:54:00:17:7D:22   192.168.10.2     5186    static          10    GigabitEthernet0/0

sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/0      ip-mac       active       192.168.10.2     52:54:00:17:7D:22  10    < --------icmp doesn’t work

 



However, changing to a static IPSG entry, I obtain reachability:

interface GigabitEthernet0/0
 switchport access vlan 10
 switchport mode access
 switchport port-security
 ip device tracking maximum 5
 spanning-tree portfast edge
 ip verify source tracking port-security

ip source binding 5254.0017.7D22 vlan 10 192.168.10.2 interface Gi0/0

sh ip source bi
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
52:54:00:17:7D:22 192.168.10.2 infinite static 10 GigabitEthernet0/0

sh ip ver source

Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/0      ip-mac trk   active       192.168.10.2     52:54:00:17:7D:22  10



Kind Regards
Paul
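The manual cross-check John and Paul both did by eye (does every "show ip verify source" entry have a matching binding for the same IP, MAC, VLAN and port, and is IPSG kept off trusted uplinks?) can be scripted. The following is an added example, not code from the thread or from Cisco; it parses pasted "show ip verify source" and "show ip dhcp snooping binding" / "show ip source binding" output (both table layouts from the thread, including Paul's "ip-mac trk" rows and static entries) and reports any entry whose binding is missing or inconsistent. The interface-name and MAC normalisation, the column handling and the "trusted" list are assumptions of this script, and the sample tables are copies of the ones posted above.

```python
"""Cross-check IPSG entries against the DHCP snooping / source binding table.

Assumptions (this script's own, not from the thread): output is pasted as
text; 'Gi0/2' and 'GigabitEthernet0/2' are treated as the same interface;
MACs are compared with separators stripped; only ip-mac rows (six or more
columns) are parsed from 'show ip verify source'.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: the two tables from the original post.
VERIFY_SOURCE = """\
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/2 ip-mac active 10.0.10.7 00:50:79:66:68:00 10
Gi0/3 ip-mac active 10.0.20.6 00:50:79:66:68:01 20
Gi1/0 ip-mac active 10.0.30.6 00:50:79:66:68:02 30
Gi1/1 ip-mac active 10.0.50.6 00:50:79:66:68:03 50
Gi1/2 ip-mac active 10.0.51.6 00:50:79:66:68:04 51
Gi1/3 ip-mac active 10.0.52.6 00:50:79:66:68:05 52
"""

SNOOPING_BINDING = """\
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:02 10.0.30.6 56576 dhcp-snooping 30 GigabitEthernet1/0
00:50:79:66:68:04 10.0.51.6 77275 dhcp-snooping 51 GigabitEthernet1/2
00:50:79:66:68:03 10.0.50.6 78272 dhcp-snooping 50 GigabitEthernet1/1
00:50:79:66:68:05 10.0.52.6 79735 dhcp-snooping 52 GigabitEthernet1/3
00:50:79:66:68:01 10.0.20.6 77224 dhcp-snooping 20 GigabitEthernet0/3
00:50:79:66:68:00 10.0.10.7 78129 dhcp-snooping 10 GigabitEthernet0/2
Total number of bindings: 6
"""

# Constructed variant: the Gi1/0 host's MAC no longer matches its binding.
STALE_BINDING = SNOOPING_BINDING.replace(
    "00:50:79:66:68:02 10.0.30.6", "00:50:79:66:68:ff 10.0.30.6")

# Paul's static-entry test (tracking mode shows as two tokens: 'ip-mac trk').
STATIC_VERIFY = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
Gi0/0      ip-mac trk   active       192.168.10.2     52:54:00:17:7D:22  10
"""
STATIC_BINDING = """\
52:54:00:17:7D:22 192.168.10.2 infinite static 10 GigabitEthernet0/0
"""


def norm_iface(name: str) -> str:
    """Assumed: first two letters of the type plus the slot/port, lower-cased."""
    m = re.match(r"^([A-Za-z]+)(\S+)$", name)
    return (m.group(1)[:2].lower() + m.group(2)) if m else name.lower()


def norm_mac(mac: str) -> str:
    """Strip ':', '.' and '-' so 00:50:79:66:68:02 equals 0050.7966.6802."""
    return re.sub(r"[:.\-]", "", mac).lower()


def parse_verify_source(text: str) -> List[Dict[str, str]]:
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] == "Interface" or toks[0].startswith("-"):
            continue
        # Filter-type may be one or two tokens, so index from the right.
        rows.append({"interface": norm_iface(toks[0]),
                     "filter_type": " ".join(toks[1:-4]), "mode": toks[-4],
                     "ip": toks[-3], "mac": norm_mac(toks[-2]), "vlan": toks[-1]})
    return rows


def parse_bindings(text: str) -> List[Dict[str, str]]:
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) != 6 or toks[0] == "MacAddress" or toks[0].startswith("-"):
            continue  # header, rule line and 'Total number of bindings' skipped
        mac, ip, lease, btype, vlan, iface = toks
        rows.append({"mac": norm_mac(mac), "ip": ip, "lease": lease,
                     "type": btype, "vlan": vlan, "interface": norm_iface(iface)})
    return rows


Finding = Tuple[str, str, str]  # (interface, status, detail)


def check_ipsg(verify_text: str, binding_text: str,
               trusted: Iterable[str] = ()) -> List[Finding]:
    """One finding per IPSG entry: 'ok' or the first inconsistency found."""
    trusted_set = {norm_iface(t) for t in trusted}
    by_ip = {b["ip"]: b for b in parse_bindings(binding_text)}
    findings: List[Finding] = []
    for e in parse_verify_source(verify_text):
        b = by_ip.get(e["ip"])
        if e["interface"] in trusted_set:
            status, detail = "on-trusted-port", "IPSG applied to a snooping-trusted port"
        elif b is None:
            status, detail = "no-binding", f"{e['ip']} has no snooping/static binding"
        elif b["mac"] != e["mac"]:
            status, detail = "mac-mismatch", f"{e['ip']}: binding MAC {b['mac']} != {e['mac']}"
        elif b["vlan"] != e["vlan"]:
            status, detail = "vlan-mismatch", f"{e['ip']}: binding VLAN {b['vlan']} != {e['vlan']}"
        elif b["interface"] != e["interface"]:
            status, detail = "interface-mismatch", f"{e['ip']}: bound on {b['interface']}"
        else:
            status, detail = "ok", f"{e['ip']} {b['type']} binding matches ({e['filter_type']})"
        findings.append((e["interface"], status, detail))
    return findings


def problems(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f[1] != "ok"]


if __name__ == "__main__":
    for label, v, b in [("thread", VERIFY_SOURCE, SNOOPING_BINDING),
                        ("stale", VERIFY_SOURCE, STALE_BINDING),
                        ("static", STATIC_VERIFY, STATIC_BINDING)]:
        for iface, status, detail in check_ipsg(v, b, trusted=["GigabitEthernet0/1"]):
            print(f"{label:7} {iface:7} {status:18} {detail}")
```

Running it on the tables from the original post reports every entry as "ok", which is the same conclusion the thread reached: the bindings are consistent, so the drop has to be explained by something other than a stale or missing binding (here, the IOSvL2 image). The "stale" run shows what a real binding mismatch looks like, and the "static" run parses Paul's tracking-mode row.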

Thanks Paul,

 

I've got some live kit I can try it out on next week, so I'll try the same config on that and see what happens

 

Regards

John