IP source guard traffic dropped

thedax (Level 1)

Hi everyone,

I'm trying to configure, on GNS3, DHCP snooping + IPSG, the latter just for IP filtering.
Anyway, when "ip verify source" is enabled on a port, the hosts' traffic is dropped even though the IP DHCP snooping table is apparently correctly filled.
Some info follows.

Switch configuration

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW_D1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip dhcp snooping vlan 3,5
no ip dhcp snooping information option
ip dhcp snooping
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk allowed vlan 3,5
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
ip dhcp snooping trust
!
interface GigabitEthernet0/1
switchport access vlan 3
switchport mode access
media-type rj45
negotiation auto
ip verify source
!
interface GigabitEthernet0/2
switchport access vlan 5
switchport mode access
media-type rj45
negotiation auto
ip verify source
!
interface GigabitEthernet0/3
switchport access vlan 3
switchport mode access
media-type rj45
negotiation auto
ip verify source
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
ip verify source
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!

# show ip verify source

SW_D1#show ip verify source 
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/1      ip           active       deny-all                            3
Gi0/2      ip           active       deny-all                            5
Gi0/3      ip           active       10.0.1.22                           3   
Gi1/0      ip           inactive-no-snooping-vlan

# show ip dhcp snooping

SW_D1#show ip dhcp snooping 
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
3,5
DHCP snooping is operational on following VLANs:
3,5
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 0c3f.f680.ab00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
GigabitEthernet0/0         yes        yes             unlimited
  Custom circuit-ids:

#show ip dhcp snooping binding

SW_D1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
62:D0:C1:DC:3E:C1   10.0.1.22        6965        dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 1

But ping doesn't work

# ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
From 10.0.1.22 icmp_seq=1 Destination Host Unreachable
From 10.0.1.22 icmp_seq=2 Destination Host Unreachable
From 10.0.1.22 icmp_seq=3 Destination Host Unreachable

but if I remove "ip verify source" from G0/3, ping starts to work correctly.

Any ideas? Thanks in advance


Run port security on one port with IP verify source,
then check.

No need, since all IP verify does not work.

MHM

Ty @MHM Cisco World.

I enabled port-security on a port like the following, but nothing changed

interface GigabitEthernet0/3
 switchport access vlan 3
 switchport mode access
 switchport port-security
 media-type rj45
 negotiation auto
 ip verify source
!

ip verify source vlan dhcp-snooping

On the IOS version used there isn't that option

SW_D1(config-if)#ip verify source ?
  port-security  port security
  tracking       tracking ip device


ip verify source port-security 

Do this and run port-security on one port, then check ping.

SW_D1#show ip verify source 

Share this.

MHM 

The ping doesn't work yet

SW_D1#show running-config interface G0/3
Building configuration...

Current configuration : 179 bytes
!
interface GigabitEthernet0/3
 switchport access vlan 3
 switchport mode access
 switchport port-security
 media-type rj45
 negotiation auto
 ip verify source port-security
end

SW_D1#show ip verify source             
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/1      ip           active       deny-all                            3
Gi0/2      ip           active       deny-all                            5
Gi0/3      ip-mac       active       10.0.1.22        62:D0:C1:DC:3E:C1  3   
Gi1/0      ip           active       deny-all                            5
SW_D1#

If you apply a Port ACL to the L2 port you use and it works, then it is an IPSG issue.

If you apply a PACL and it does not work either, then it is a GNS3 limitation.

IPSG works by adding a PACL to the L2 port.

MHM
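To make the per-packet decision concrete, here is an added model of the IPSG check (my own illustration in Python, not Cisco code and not from this thread). It parses the binding table posted above, assumes interface names are shortened to the Gi0/3 form used by "show ip verify source" and that DHCP client packets with source 0.0.0.0 are exempt, and returns the verdict for a given source IP and MAC under both filter types seen in the thread.

```python
"""Model of the IP Source Guard per-port filter: an untrusted access port only
forwards IP traffic whose source matches a DHCP snooping binding on that port."""
import re
from dataclasses import dataclass

# Constructed input: the binding table posted earlier in the thread.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
62:D0:C1:DC:3E:C1   10.0.1.22        6965        dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 1
"""

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str  # short form, e.g. Gi0/3 (assumed mapping, see lead-in)

# One binding row: MAC, IP, lease, type, VLAN, interface.
ROW = re.compile(r"\s*([0-9A-Fa-f:]{17})\s+(\d+(?:\.\d+){3})\s+\d+\s+\S+\s+(\d+)\s+(\S+)")

def parse_bindings(text: str) -> list[Binding]:
    """Extract binding rows; header, separator and total lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, ip, vlan, ifname = m.groups()
            rows.append(Binding(mac.lower(), ip, int(vlan),
                                ifname.replace("GigabitEthernet", "Gi")))
    return rows

def ipsg_verdict(bindings, interface, vlan, src_ip, src_mac, filter_type="ip"):
    """Return ('permit'|'deny', reason) for a frame entering `interface` in `vlan`.

    filter_type 'ip' is plain 'ip verify source'; 'ip-mac' is what the thread's
    'ip verify source port-security' shows and additionally checks the MAC.
    """
    # Assumption: DHCP from an unconfigured client is exempt so a lease can be learned.
    if src_ip == "0.0.0.0":
        return "permit", "DHCP client traffic is exempt from the source check"
    on_port = [b for b in bindings if b.interface == interface and b.vlan == vlan]
    if not on_port:
        return "deny", "deny-all: no binding learned on this port/VLAN"
    for b in on_port:
        if b.ip == src_ip and (filter_type == "ip" or b.mac == src_mac.lower()):
            return "permit", f"matches binding {b.ip} / {b.mac}"
    return "deny", "source does not match any binding on the port"
```

Run against the posted tables, the verdict for 10.0.1.22 on Gi0/3 is permit under both filter types, which is consistent with the thread's conclusion that the drop is not a binding or filter problem.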

Hello,

I am using the same vIOS_l2 image, it looks like it doesn't work in GNS3. Can you try static bindings (ip source binding) ? Also, make sure 'ip routing' is enabled on your switch (I think in GNS3 it is enabled by default)...

Ty @Georg Pauwen.
No, I haven't tried with static because I would be interested in the dynamic one, but I'll do a test with static at this point. Anyway, my setup should be correct, right? So, could it be a GNS3 issue as you already said?

Hello,

the configs look good and this should definitely work on a 'real' switch. I am pretty sure it is a GNS3 bug...
