Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4281
Views
15
Helpful
23
Replies

IP Source Guard Issues

jlimbo987
Level 1
Level 1

‎12-17-2021 04:24 AM

Hi All,

 

I'm trying to get source guard working. I've configured DHCP Snooping and DAI and they are working fine. I've tried to configure IPSG with just IP and also IP and MAC verification. When I'm just using IP verification the pings from host to gateway timeout, when I add MAC verification they change to unreachable. The following config is on the access ports:-

 

interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
switchport port-security
ip arp inspection limit rate 10
negotiation auto
ip verify source port-security
ip dhcp snooping limit rate 20
end

 

The results of show ip verify source:-

 

S#sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/2 ip-mac active 10.0.10.7 00:50:79:66:68:00 10
Gi0/3 ip-mac active 10.0.20.6 00:50:79:66:68:01 20
Gi1/0 ip-mac active 10.0.30.6 00:50:79:66:68:02 30
Gi1/1 ip-mac active 10.0.50.6 00:50:79:66:68:03 50
Gi1/2 ip-mac active 10.0.51.6 00:50:79:66:68:04 51
Gi1/3 ip-mac active 10.0.52.6 00:50:79:66:68:05 52

 

The results of show ip dhcp snoop binding :-

S#sh ip dhcp snoop bin
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:02 10.0.30.6 56576 dhcp-snooping 30 GigabitEthernet1/0
00:50:79:66:68:04 10.0.51.6 77275 dhcp-snooping 51 GigabitEthernet1/2
00:50:79:66:68:03 10.0.50.6 78272 dhcp-snooping 50 GigabitEthernet1/1
00:50:79:66:68:05 10.0.52.6 79735 dhcp-snooping 52 GigabitEthernet1/3
00:50:79:66:68:01 10.0.20.6 77224 dhcp-snooping 20 GigabitEthernet0/3
00:50:79:66:68:00 10.0.10.7 78129 dhcp-snooping 10 GigabitEthernet0/2
Total number of bindings: 6

 

From what I understand, this all looks right, however no traffic, including DHCP traffic, is allowed and the debug output for ip verify source packets shows this :-

 

*Dec 16 15:16:34.342: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 0, handle flag: 1.
*Dec 16 15:16:34.343: DHCP_SECURITY_SW: validate port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, mac: 0050.7966.6802, invalid flag: 0.
*Dec 16 15:16:34.343: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 1, handle flag: 0.
*Dec 16 15:16:35.332: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 0, handle flag: 1.

 

If anyone one has any pointers on how to fix this it would be greatly appreciated

 

Labels:
23 Replies 23

paul driver
VIP
VIP
In response to jlimbo987

‎12-17-2021 04:19 PM

Hello @jlimbo987 

I think that would be best , FYI -I have tested all 3 features together on real hardware be it only on old 3x 3750s and it does indeed work without any issues..

Please let use know how you get on.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

jlimbo987
Level 1
Level 1
In response to paul driver

‎12-17-2021 04:33 PM

Thanks Paul, I will. Got some shiny new 9200s to try it on on Monday

0 Helpful

MHM Cisco World
VIP
VIP

‎12-17-2021 04:25 PM

sorry last thing, GW for the PC is it same Agg SW?

0 Helpful

jlimbo987
Level 1
Level 1
In response to MHM Cisco World

‎12-17-2021 04:33 PM

Yes, gateway is an HSRP group ip address pointing to SVIs on the agg switch

0 Helpful

MHM Cisco World
VIP
VIP
In response to jlimbo987

‎12-18-2021 04:48 PM

Hi friend, 
since you use IP guard and verify IP+Mac, you need Op-82 in SW and Agg SW to make IP guard work.

0 Helpful

paul driver
VIP
VIP
In response to MHM Cisco World

‎12-19-2021 03:14 AM

Hello

@MHM Cisco World wrote:

since you use IP guard and verify IP+Mac, you need Op-82 in SW and Agg SW to make IP guard work.

Can you explain the reasoning as I tend to disagree, Wouldnt you want to disable option 82 insertion not enable it, - no ip dhcp snooping information option 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

MHM Cisco World
VIP
VIP
In response to paul driver

‎12-19-2021 04:46 AM

I will answer you with my pleasure Sir,ghghg.pnggjkdfgjdkfjgdlf.png

0 Helpful

jlimbo987
Level 1
Level 1

‎12-19-2021 04:43 AM

Paul's right. The ip dhcp snooping information option tells DHCP snooping that DHCP messages with Option 82 info set are expected via the trusted port and messages without Op 82 will be dropped. That is therefore needed only if the switch its being configured on is a relay agent. 

If the switch isn't a relay agent, as it isn't here, no ip dhcp snooping information option is used so that DHCP messages with option 82 are dropped and those without permitted.

This is borne out by the fact that in this set up, DHCP fails without no ip dhcp snooping information option being used

0 Helpful

MHM Cisco World
VIP
VIP
In response to jlimbo987

‎12-19-2021 04:48 AM

read my comment above 

0 Helpful
Customers Also Viewed These Support Documents