IP Source Guard

parthrawat979
Level 1

So, I am having some issues with configuring IP Source Guard. Here are the configuration results on the switch:
Switch(config-if)#do sh ip ver so
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/1      ip           inactive-no-snooping-vlan
Et0/2      ip-mac       active       10.1.1.5         00:50:79:66:68:07  1
Et0/3      ip-mac       active       10.1.1.4         00:50:79:66:68:0B  1

Switch(config-if)#do sh ip dhcp sn bi
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:07   10.1.1.5         86120       dhcp-snooping  1     Ethernet0/2
00:50:79:66:68:0B   10.1.1.4         86118       dhcp-snooping  1     Ethernet0/3
Total number of bindings: 2

Now the issue here is why I am unable to ping 10.1.1.4 from 10.1.1.5, and I can't even reach the IP of the DHCP server (10.1.1.1). What could possibly be wrong here?
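
What the bindings in the output above should allow when the filter behaves as documented, as an added example (not part of the original post and not Cisco code): a simplified Python model of the IP Source Guard permit/deny decision, fed the `show ip verify source` rows from the post. The function names, and the treatment of a port whose filter mode is not `active` as unfiltered, are assumptions of this sketch.

```python
import re

# Rows copied from the "show ip verify source" output in the post above.
VERIFY_SOURCE = """\
Et0/1 ip inactive-no-snooping-vlan
Et0/2 ip-mac active 10.1.1.5 00:50:79:66:68:07 1
Et0/3 ip-mac active 10.1.1.4 00:50:79:66:68:0B 1
"""

IFACE = re.compile(r"^[A-Za-z]+\d+(/\d+)+$")


def parse_verify_source(text):
    """Map interface -> {'type', 'mode', 'bindings': [(ip, mac, vlan)]}."""
    ports = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not IFACE.match(f[0]):
            continue  # header, separator or blank line
        port = ports.setdefault(f[0], {"type": f[1], "mode": f[2], "bindings": []})
        rest = f[3:]
        if len(rest) == 3:    # ip-mac row: IP, MAC, VLAN
            port["bindings"].append((rest[0], rest[1].lower(), int(rest[2])))
        elif len(rest) == 2:  # ip-only row: IP, VLAN (MAC column empty)
            port["bindings"].append((rest[0], None, int(rest[1])))
    return ports


def ipsg_decision(ports, iface, src_ip, src_mac, vlan):
    """Return 'permit' or 'deny' for one IP packet entering `iface`."""
    port = ports.get(iface)
    if port is None or port["mode"] != "active":
        return "permit"  # assumption: no filter is installed on this port
    for ip, mac, bound_vlan in port["bindings"]:
        if ip != src_ip or bound_vlan != vlan:
            continue
        if port["type"] == "ip" or mac == src_mac.lower():
            return "permit"
    return "deny"  # active filter and no matching binding


PORTS = parse_verify_source(VERIFY_SOURCE)
```

With these bindings, traffic sourced from 10.1.1.5 on Et0/2 and from 10.1.1.4 on Et0/3 matches an entry, so a ping between the two hosts is expected to pass the filter.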


M02@rt37
VIP

Hello @parthrawat979 

Is the port facing the DHCP server in trust mode? Could you please share the port configuration?

Best regards

Yeah, it's on trust mode for sure.

balaji.bandi
Hall of Fame

What switch image are you using in this lab? Do you know if we can see the interface configuration or the total show run config?

Is this your question about IP source Guard (enabled?), or are you not able to reach each other in general?

Where is your Layer 3 Gateway for this IP address? Is this switch just Layer 2 or Layer 3?

Some of the virtual images have a CEF issue, so no IP CEF on the Switch and test it.

Old document, but still good for understanding Source Guard:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_58_se/configuration/guide/2960scg/swdhcp82.html

 

BB


Some IOL switch for the lab. The question is that I can't ping the PCs from each other.

@parthrawat979 

Please share the interface Eth0/2 and 0/3 configuration.

Thanks.

Best regards

interface Ethernet0/0
ip dhcp snooping trust

interface Ethernet0/2
switchport mode access
ip verify source
!
interface Ethernet0/3
switchport mode access
ip verify source
!

Please try with no ip source verify command under eth0/2 and 0/3...

Best regards

Then they're pinging.

So, IOL limitation... IOL is a software-emulated switch. Hardware forwarding features are not fully implemented and packet handling is simplified in software too!

 

Best regards

Yeah, it's just an IOL limitation. I tried it on a c3750 and it worked just fine.

Hi,

  @parthrawat979 Try following options:

1. configure static bindings via ip source binding command, not relying on DHCP snooping database, see if it works

2. remove the above, leave the IPSG database to be populated via DHCP, and at interface level, namely ports 0/2 and 0/3, enable ip device tracking via command ip device tracking maximum X, make X to be minimum 2 to avoid weird scenarios; see if it works

3. configure static bindings via ip source binding command, not relying on DHCP snooping database, and enable ip device tracking via command ip device tracking maximum X  on ports 0/2 and 0/3; see if it works

With device tracking enabled, you should get it working.

Thanks,

Cristian.

Where is your Layer 3 Gateway for this IP address? Is this switch just Layer 2 or Layer 3?

Some of the virtual images have a CEF issue, so no IP CEF on the Switch and test it.

Do you have an answer for these?

BB
