IP Source Guard with MAC (Port Security)

Hello All

I have strange problems on 12.2(25)SEE3.

IP Source Guard with MAC Verification does not work. Does anybody know the resolution - if there is one?

The configuration is:

ip dhcp snooping vlan 7
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet0/33
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
 ip verify source port-security

and the debugs are:

Switch#
00:54:24: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/33 for pak. Was not set
00:54:24: DHCPSNOOP(hlfm_packet_filter_or_learn): Port security violation, intf Gi0/33, src MAC 0010.a4a4.3b30, vlan 7
00:54:24: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/33)
00:54:24: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi0/33, MAC da: ffff.ffff.ffff, MAC sa: 0010.a4a4.3b30, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0010.a4a4.3b30
00:54:24: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (7)
00:54:25: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/48 for pak. Was not set
00:54:25: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/48
00:54:25: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/48 for pak. Was not set
00:54:25: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/48)
00:54:25: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Gi0/48, MAC da: 0010.a4a4.3b30, MAC sa: 0040.ca98.8078, IP da: 10.148.198.91, IP sa: 10.148.198.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.148.198.91, DHCP siaddr: 10.148.198.1, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0010.a4a4.3b30
00:54:25: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 0010.a4a4.3b30
00:54:25: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
00:54:28: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/33 for pak. Was not set
00:54:28: DHCPSNOOP(hlfm_packet_filter_or_learn): Port security violation, intf Gi0/33, src MAC 0010.a4a4.3b30, vlan 7

best regards,

Herbert

3 Replies

ssoberlik (Level 4)

When IP source guard is enabled in IP and MAC filtering mode, the DHCP snooping option 82 must be enabled to ensure that the DHCP protocol works properly. If IP source guard and port security are both enabled on a port, and the port is flooded with a large number of unknown MAC addresses, the CPU utilization becomes very high.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dhcp.html

On Catalyst 3560 DHCP Snooping with MAC Verification never works with DHCP snooping option 82 enabled or not. It simply does not work.

costin.alupului (Level 1)

Hello,

As far as I understand, you have to enable option 82 insertion and port security, otherwise you can't use IP source guard with source IP and MAC. Here is what they say:

"When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses the option-82 data to identify the host port."

I can tell you for sure that without activating port security IP source guard with IP and MAC filtering will not work. Not so sure about option 82, but I take their word for it.

It worked for me, just that now I have a performance problem...

Regards,

Costin Alupului
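For reference, here is the configuration from the original post placed beside a corrected one that follows the Cisco text quoted in the reply above. This is an added example, not a configuration anyone posted in the thread. It assumes that GigabitEthernet0/48 is the uplink toward the DHCP server (10.148.198.1, as the DHCPOFFER in the debug output suggests) and that the DHCP server accepts and echoes option 82; both are assumptions, not facts stated in the thread.

```ios
! ===== As posted: IPSG with IP+MAC filtering does not come up =====
ip dhcp snooping vlan 7
! option 82 insertion disabled: the quoted Cisco text says snooping
! needs option-82 data to find the host port for server replies
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet0/33
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
 ! IP+MAC mode requested, but port security is not enabled on the port
 ip verify source port-security
!
! ===== Corrected: requirements from the quoted 3560 documentation =====
ip dhcp snooping vlan 7
! option 82 on, so the DHCPOFFER/ACK can be mapped back to Gi0/33
ip dhcp snooping information option
ip dhcp snooping
!
! ASSUMPTION: Gi0/48 faces the DHCP server. Server-side ports must be
! trusted, or snooping drops the OFFER/ACK arriving from the server.
interface GigabitEthernet0/48
 description Uplink toward DHCP server (assumed)
 ip dhcp snooping trust
!
interface GigabitEthernet0/33
 switchport access vlan 7
 switchport mode access
 ! port security is mandatory for IP+MAC filtering; default maximum is 1 MAC,
 ! and the secure MAC is learned from the DHCP snooping binding
 switchport port-security
 spanning-tree portfast
 ip verify source port-security
!
! ===== Verification once a client has obtained a lease =====
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip verify source interface GigabitEthernet0/33
! show port-security interface GigabitEthernet0/33
```

Two caveats carried over from the replies: the DHCP server has to support option 82, because with MAC filtering the host MAC is not learned until a lease is granted and the reply is forwarded using the option-82 data; and combining IP source guard with port security on a port that sees a flood of unknown source MACs drives CPU utilization up, so this combination is best kept to access ports with a single expected host.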
