12-17-2021 04:24 AM
Hi All,
I'm trying to get source guard working. I've configured DHCP Snooping and DAI and they are working fine. I've tried to configure IPSG with just IP and also IP and MAC verification. When I'm just using IP verification the pings from host to gateway time out; when I add MAC verification they change to unreachable. The following config is on the access ports:-
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
switchport port-security
ip arp inspection limit rate 10
negotiation auto
ip verify source port-security
ip dhcp snooping limit rate 20
end
The results of show ip verify source:-
S#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/2      ip-mac       active       10.0.10.7        00:50:79:66:68:00  10
Gi0/3      ip-mac       active       10.0.20.6        00:50:79:66:68:01  20
Gi1/0      ip-mac       active       10.0.30.6        00:50:79:66:68:02  30
Gi1/1      ip-mac       active       10.0.50.6        00:50:79:66:68:03  50
Gi1/2      ip-mac       active       10.0.51.6        00:50:79:66:68:04  51
Gi1/3      ip-mac       active       10.0.52.6        00:50:79:66:68:05  52
The results of show ip dhcp snoop binding :-
S#sh ip dhcp snoop bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:02   10.0.30.6        56576       dhcp-snooping  30    GigabitEthernet1/0
00:50:79:66:68:04   10.0.51.6        77275       dhcp-snooping  51    GigabitEthernet1/2
00:50:79:66:68:03   10.0.50.6        78272       dhcp-snooping  50    GigabitEthernet1/1
00:50:79:66:68:05   10.0.52.6        79735       dhcp-snooping  52    GigabitEthernet1/3
00:50:79:66:68:01   10.0.20.6        77224       dhcp-snooping  20    GigabitEthernet0/3
00:50:79:66:68:00   10.0.10.7        78129       dhcp-snooping  10    GigabitEthernet0/2
Total number of bindings: 6
From what I understand, this all looks right; however, no traffic, including DHCP traffic, is allowed, and the debug output for ip verify source packets shows this:-
*Dec 16 15:16:34.342: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 0, handle flag: 1.
*Dec 16 15:16:34.343: DHCP_SECURITY_SW: validate port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, mac: 0050.7966.6802, invalid flag: 0.
*Dec 16 15:16:34.343: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 1, handle flag: 0.
*Dec 16 15:16:35.332: DHCP_SECURITY_SW: receive port security packet, recv port: GigabitEthernet1/0, recv vlan: 30, consume flag: 0, handle flag: 1.
If anyone has any pointers on how to fix this it would be greatly appreciated.
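The two tables in the post are the data IPSG actually filters on, and the debug lines print the MAC in a third format (0050.7966.6802) while the binding table uses colons and abbreviates interface names differently from the IPSG table. The script below is an added example, not code from the thread or from Cisco: it parses both show outputs (copied from the post), normalises MACs and interface names, and reports every IPSG entry that has no matching snooping binding, or whose port, VLAN or MAC disagrees with it, which is the check to run before looking elsewhere for why traffic is dropped. The two CONSTRUCTED_* rows are made-up input that deliberately disagrees, so the mismatch path is exercised.

```python
import re

# Output copied from the thread: "show ip verify source" on the access switch.
SHOW_IP_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/2      ip-mac       active       10.0.10.7        00:50:79:66:68:00  10
Gi0/3      ip-mac       active       10.0.20.6        00:50:79:66:68:01  20
Gi1/0      ip-mac       active       10.0.30.6        00:50:79:66:68:02  30
Gi1/1      ip-mac       active       10.0.50.6        00:50:79:66:68:03  50
Gi1/2      ip-mac       active       10.0.51.6        00:50:79:66:68:04  51
Gi1/3      ip-mac       active       10.0.52.6        00:50:79:66:68:05  52
"""
# Output copied from the thread: "show ip dhcp snooping binding".
SHOW_DHCP_SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:02   10.0.30.6        56576       dhcp-snooping  30    GigabitEthernet1/0
00:50:79:66:68:04   10.0.51.6        77275       dhcp-snooping  51    GigabitEthernet1/2
00:50:79:66:68:03   10.0.50.6        78272       dhcp-snooping  50    GigabitEthernet1/1
00:50:79:66:68:05   10.0.52.6        79735       dhcp-snooping  52    GigabitEthernet1/3
00:50:79:66:68:01   10.0.20.6        77224       dhcp-snooping  20    GigabitEthernet0/3
00:50:79:66:68:00   10.0.10.7        78129       dhcp-snooping  10    GigabitEthernet0/2
Total number of bindings: 6
"""
# Constructed rows (not from the thread): same host, but the MAC differs between the two tables.
CONSTRUCTED_IPSG = "Gi0/4  ip-mac  active  10.0.60.9  00:50:79:66:68:09  60\n"
CONSTRUCTED_BINDINGS = "0050.7966.680A  10.0.60.9  3600  dhcp-snooping  60  GigabitEthernet0/4\n"
FULL_IFACE_NAMES = ("GigabitEthernet", "FastEthernet", "TenGigabitEthernet")

def norm_mac(mac):
    """Accept 00:50:79:66:68:02, 0050.7966.6802 (debug format) or 00-50-...; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def norm_iface(name):
    """Expand the abbreviated names IOS prints (Gi1/0) to the long form used in the binding table."""
    m = re.fullmatch(r"([A-Za-z]+)([\d/.]+)", name)
    if not m:
        return name
    prefix, rest = m.group(1).lower(), m.group(2)
    for full in FULL_IFACE_NAMES:
        if full.lower().startswith(prefix):
            return full + rest
    return name

def _rows(text):
    """Yield whitespace-split data rows, skipping headers, dash rules and the totals line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Total number") or not any(c.isdigit() for c in line):
            continue
        yield line.split()

def parse_ipsg(text):
    entries = []
    for f in _rows(text):
        if len(f) == 5:                      # filter-type "ip": no Mac-address value printed
            iface, ftype, fmode, ip, vlan = f
            mac = None
        elif len(f) >= 6:
            iface, ftype, fmode, ip, mac, vlan = f[:6]
            mac = norm_mac(mac) if re.fullmatch(r"[0-9a-fA-F:.\-]+", mac) else None
        else:
            continue                         # e.g. inactive rows without address columns
        entries.append({"iface": norm_iface(iface), "type": ftype, "mode": fmode,
                        "ip": ip, "mac": mac, "vlan": int(vlan)})
    return entries

def parse_bindings(text):
    bindings = []
    for f in _rows(text):
        if len(f) != 6:
            continue
        mac, ip, lease, btype, vlan, iface = f
        bindings.append({"mac": norm_mac(mac), "ip": ip, "lease": int(lease), "type": btype,
                         "vlan": int(vlan), "iface": norm_iface(iface)})
    return bindings

def cross_check(ipsg_entries, bindings):
    """Every active IPSG entry must be backed by a binding with the same port, VLAN and MAC."""
    findings = []
    by_ip = {b["ip"]: b for b in bindings}
    for e in ipsg_entries:
        if e["mode"] != "active":
            findings.append(f"{e['iface']}: IPSG filter is {e['mode']}, not active")
            continue
        b = by_ip.get(e["ip"])
        if b is None:
            findings.append(f"{e['iface']}: IPSG permits {e['ip']} but no snooping binding exists")
            continue
        for key in ("iface", "vlan", "mac"):
            if e[key] is not None and e[key] != b[key]:
                findings.append(f"{e['iface']}: {key} mismatch for {e['ip']}: "
                                f"IPSG={e[key]} binding={b[key]}")
    guarded = {e["iface"] for e in ipsg_entries}
    for b in bindings:
        if b["iface"] not in guarded:
            findings.append(f"{b['iface']}: binding for {b['ip']} but no IPSG entry on that port")
    return findings

if __name__ == "__main__":
    findings = cross_check(parse_ipsg(SHOW_IP_VERIFY_SOURCE), parse_bindings(SHOW_DHCP_SNOOPING_BINDING))
    print("\n".join(findings) or "thread tables are consistent")
```

Run against the thread's own output the check comes back clean, which is consistent with the poster's reading that the tables "all look right" and points the investigation away from the binding data itself. The same normalisation lets the MAC in the debug lines (0050.7966.6802) be matched directly against either table.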
12-17-2021 04:19 PM
Hello @jlimbo987
I think that would be best. FYI, I have tested all 3 features together on real hardware, be it only on old 3x 3750s, and it does indeed work without any issues.
Please let us know how you get on.
12-17-2021 04:33 PM
Thanks Paul, I will. Got some shiny new 9200s to try it on on Monday
12-17-2021 04:25 PM
Sorry, last thing: the GW for the PC, is it the same Agg SW?
12-17-2021 04:33 PM
Yes, gateway is an HSRP group ip address pointing to SVIs on the agg switch
12-18-2021 04:48 PM
Hi friend,
Since you use IP guard and verify IP+Mac, you need Op-82 in SW and Agg SW to make IP guard work.
12-19-2021 03:14 AM
Hello
@MHM Cisco World wrote:
Since you use IP guard and verify IP+Mac, you need Op-82 in SW and Agg SW to make IP guard work.
Can you explain the reasoning, as I tend to disagree? Wouldn't you want to disable option 82 insertion, not enable it? - no ip dhcp snooping information option
12-19-2021 04:46 AM
I will answer you with pleasure, Sir.
12-19-2021 04:43 AM
Paul's right. The ip dhcp snooping information option tells DHCP snooping that DHCP messages with Option 82 info set are expected via the trusted port and that messages without Op 82 will be dropped. That is therefore needed only if the switch it's being configured on is a relay agent.
If the switch isn't a relay agent, as it isn't here, no ip dhcp snooping information option is used so that DHCP messages with option 82 are dropped and those without are permitted.
This is borne out by the fact that in this setup, DHCP fails without no ip dhcp snooping information option being used.
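To make the option 82 discussion concrete, here is an added example (not code from the thread or from Cisco) that builds a DHCP message, parses the BOOTP header and the options area, decodes the relay agent information option (82) into its circuit-id and remote-id sub-options, and then applies the two untrusted-port rules DHCP snooping enforces: server messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped, and client messages that already carry option 82 are dropped on an untrusted port unless allow-untrusted is configured. Trusted ports are not filtered. The circuit-id and remote-id byte layouts used here are constructed for the demonstration and are not claimed to be Cisco's default encoding; the client MAC is taken from the thread's binding table, the switch MAC is made up.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header

def relay_agent_info(circuit_id, remote_id):
    """Encode the option 82 value: two sub-option TLVs (constructed layout, not Cisco's exact one)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id +
            bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)

def build_dhcp(client_mac, msg_type=1, xid=0x3903F326, giaddr="0.0.0.0", option82=None):
    """Constructed DHCP message: BOOTP header, magic cookie, message-type option, optional option 82."""
    op = 2 if msg_type in SERVER_MSG_TYPES else 1             # BOOTREPLY for server messages
    hdr = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), IPv4Address(giaddr).packed,
                      client_mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82 is not None:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_tlvs(data, top_level):
    """Walk a run of TLVs; a truncated option raises instead of being silently accepted."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        out[code] = value
        i += 2 + length
    return out

def parse_dhcp(packet):
    """Return the fields a snooping decision needs, with option 82 decoded into sub-options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, hops, xid, _secs, _flags, _ciaddr, _yiaddr, _siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(HEADER_FMT, packet[:236])
    options = parse_tlvs(packet[240:], top_level=True)
    relay = options.get(OPT_RELAY_AGENT)
    return {
        "op": op, "hops": hops, "xid": xid,
        "giaddr": str(IPv4Address(giaddr)),      # 0.0.0.0 when no relay has touched the packet
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        "relay_agent": parse_tlvs(relay, top_level=False) if relay is not None else None,
    }

def snooping_decision(parsed, port_trusted, allow_untrusted=False):
    """DHCP snooping's untrusted-port rules; allow_untrusted models 'information option allow-untrusted'."""
    if port_trusted:
        return "forward"
    if parsed["msg_type"] in SERVER_MSG_TYPES:
        return "drop: server message (%s) from untrusted port" % SERVER_MSG_TYPES[parsed["msg_type"]]
    if parsed["relay_agent"] is not None and not allow_untrusted:
        return "drop: option 82 already present on untrusted port"
    return "forward"

def demo():
    client = bytes.fromhex("005079666802")                      # Gi1/0 host from the thread's table
    # Constructed option 82: VLAN 30 / module 1 / port 0 as circuit-id, a made-up switch MAC as remote-id.
    opt82 = relay_agent_info(struct.pack("!HBB", 30, 1, 0), bytes.fromhex("0050796668ff"))
    plain = parse_dhcp(build_dhcp(client))
    tagged = parse_dhcp(build_dhcp(client, option82=opt82))
    offer = parse_dhcp(build_dhcp(client, msg_type=2))
    return {
        "discover_untrusted": snooping_decision(plain, port_trusted=False),
        "discover_opt82_untrusted": snooping_decision(tagged, port_trusted=False),
        "discover_opt82_untrusted_allowed": snooping_decision(tagged, False, allow_untrusted=True),
        "discover_opt82_trusted": snooping_decision(tagged, port_trusted=True),
        "offer_untrusted": snooping_decision(offer, port_trusted=False),
        "circuit_id": tagged["relay_agent"][SUB_CIRCUIT_ID].hex(),
        "giaddr": tagged["giaddr"],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:36} {result}")
```

The parser reports giaddr alongside the decoded option 82 so that a capture taken on the uplink shows at a glance whether a message carrying option 82 has passed through a relay (non-zero giaddr) or was tagged by a Layer 2 switch only.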
12-19-2021 04:48 AM
read my comment above