03-25-2021 08:55 AM
Good Morning,
We are running "IP DHCP Snooping" on our 3650 (16.12.3a) switches. On about 75% of these switches the "ip verify source" command works fine when implemented, but on the other 25% of these 3650 switches the end users are unable to make calls on their IP phones after implementing the "ip verify source" command.
The interfaces are up/up but their mac addresses never show up in the "sh ip dhcp snooping binding" database. I've made comparisons between working/non working switches after implementing "ip verify source" command but both are nearly identical with the exception of old config info. See below.
Knowns:
1. sh ip dhcp snooping binding (shows MAC addresses for data VLANs)
2. Mix of 8845, 8831 and 6921 phones
3. 3650s are using the same 16.12.3a IOS XE software
4. After applying "ip verify source", phones stop working on 25% of the switches it is applied to
5. Running 802.1x on all switches
6. Data VLANs still show up in the "sh ip dhcp snooping binding" database but voice VLAN MACs do not
7. Log files on the switch show some DOT1x authentication failures
8. ISE/TACACS configurations on the switches are identical
ip dhcp snooping
ip dhcp snooping vlan 100-999
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcpsnoop
!
interface GigabitEthernet1/0/1
ip dhcp snooping trust
Thank you,
Doug
04-06-2021 09:31 AM
Below are the troubleshooting steps I took to fix the “ip verify source” causing our IP phones to drop.
***Bottom line is make sure all your VLANs covered under DHCP snooping are showing up in the DHCP snooping binding database before applying the "ip verify source" command to host ports***
Doug
03-25-2021 11:42 PM
Hello
@douglas.mckee wrote:
The interfaces are up/up but their mac addresses never show up in the "sh ip dhcp snooping binding" database. I've made comparisons between working/non working switches after implementing "ip verify source" command but both are nearly identical with the exception of old config info. See below.
Knowns:
1. sh ip dhcp snooping binding (shows MAC addresses for data VLANs)
4. After applying "ip verify source", phones stop working on 25% of the switches it is applied to
6. Data VLANs still show up in the "sh ip dhcp snooping binding" database but voice VLAN MACs do not
What you don't mention is whether you have IPSG verifying on the IP address and MAC or just on the IP address; if the latter, IPSG doesn't verify the MAC address.
So if the DHCP snooping binding entry relates to a different IP address than the one the host has received, the connection will be denied; likewise if no DHCP binding entry exists for that host (unless statically defined). That's why it's good to run DHCP snooping prior to enabling IPSG.
03-29-2021 08:14 AM
Good Morning,
We have "IP DHCP snooping" running on all our access switches throughout our network and are just now adding "ip source guard". Currently we have about 18 switches running "ip source guard" without any issues. I was looking around after posting and realized that "ip source guard" only references the MAC addresses in the "ip dhcp snooping database", as you mentioned.
I just had an epiphany when you mentioned running "ip dhcp snooping" before "ip source guard". We have been expanding the VLANs included in "ip dhcp snooping", but the MAC addresses do not refresh for about 8 days. So it sounds like if we are expanding the VLANs that are included in "ip dhcp snooping" (AKA VoIP as well), we should wait until the MAC addresses have populated in the "ip dhcp snooping database" on the voice side before applying the "ip source guard" command. Also, we could probably just bounce the ports to have them added to the "ip dhcp snooping database".
Appreciate all your help,
Please let me know if this sounds feasible.
Thank you,
Doug
IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host.
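The bottom line in the accepted answer and the IPSG description above both come down to one check: before `ip verify source` goes on a host port, every dynamic MAC learned on that port (data VLAN and voice VLAN alike) needs a matching entry in the DHCP snooping binding database, or IPSG will drop that host. The script below is an added example, not code from the original thread or from Cisco; it parses constructed `show ip dhcp snooping binding` and `show mac address-table` output in IOS XE 16.x layout and reports, per untrusted port, the (VLAN, MAC) pairs that have no binding. The sample output, the port names and the trusted uplink list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample output (IOS XE 16.x layout); not captured from the
# poster's switches. Gi1/0/10 and Gi1/0/11 are phone+PC access ports,
# Gi1/0/1 is the trusted uplink. VLAN 100 = data, VLAN 200 = voice.
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.100.21      86320       dhcp-snooping   100   GigabitEthernet1/0/10
00:11:22:33:44:66   10.1.200.21      85000       dhcp-snooping   200   GigabitEthernet1/0/10
00:11:22:33:44:77   10.1.100.22      86000       dhcp-snooping   100   GigabitEthernet1/0/11
Total number of bindings: 3
"""

SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi1/0/10
 200    0011.2233.4466    DYNAMIC     Gi1/0/10
 100    0011.2233.4477    DYNAMIC     Gi1/0/11
 200    0011.2233.4488    DYNAMIC     Gi1/0/11
 100    0011.2233.4499    DYNAMIC     Gi1/0/1
 200    0011.2233.44aa    DYNAMIC     Gi1/0/1
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 7
"""

BINDING_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+\S+\s+\S+\s+(\d+)\s+(\S+)")
MAC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def norm_mac(mac: str) -> str:
    """Collapse 00:11:22:33:44:55 and 0011.2233.4455 to 001122334455."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def norm_intf(name: str) -> str:
    """Collapse GigabitEthernet1/0/10 and Gi1/0/10 to gi1/0/10."""
    m = re.match(r"([A-Za-z]+)(\d[\d/]*)$", name)
    return (m.group(1)[:2] + m.group(2)).lower() if m else name.lower()


def parse_bindings(text: str) -> dict:
    """(vlan, mac) -> (ip, port) from 'show ip dhcp snooping binding'."""
    out = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            out[(int(m.group(3)), norm_mac(m.group(1)))] = (m.group(2), norm_intf(m.group(4)))
    return out


def parse_mac_table(text: str) -> list:
    """[(vlan, mac, type, port)] from 'show mac address-table'; CPU/'All' rows skipped."""
    out = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            out.append((int(m.group(1)), norm_mac(m.group(2)), m.group(3).upper(), norm_intf(m.group(4))))
    return out


def ipsg_preflight(binding_text: str, mac_text: str, trusted_ports=()) -> dict:
    """Hosts that 'ip verify source' would drop: dynamic MACs on untrusted ports
    whose (vlan, mac) has no binding, or whose binding points at another port.
    Returns {port: sorted [(vlan, mac), ...]}; an empty dict means every port is ready."""
    bindings = parse_bindings(binding_text)
    trusted = {norm_intf(p) for p in trusted_ports}
    at_risk = defaultdict(list)
    for vlan, mac, typ, port in parse_mac_table(mac_text):
        if typ != "DYNAMIC" or port in trusted:
            continue
        b = bindings.get((vlan, mac))
        if b is None or b[1] != port:
            at_risk[port].append((vlan, mac))
    return {p: sorted(v) for p, v in at_risk.items()}


def ports_ready(binding_text: str, mac_text: str, trusted_ports=()) -> set:
    """Untrusted ports on which every learned host is covered by a binding."""
    trusted = {norm_intf(p) for p in trusted_ports}
    seen = {port for _, _, typ, port in parse_mac_table(mac_text)
            if typ == "DYNAMIC" and port not in trusted}
    return seen - set(ipsg_preflight(binding_text, mac_text, trusted_ports))


if __name__ == "__main__":
    uplinks = ["GigabitEthernet1/0/1"]  # ports with 'ip dhcp snooping trust'
    for port, hosts in sorted(ipsg_preflight(SHOW_BINDING, SHOW_MAC, uplinks).items()):
        for vlan, mac in hosts:
            print(f"HOLD  {port}: vlan {vlan} mac {mac} has no snooping binding")
    for port in sorted(ports_ready(SHOW_BINDING, SHOW_MAC, uplinks)):
        print(f"READY {port}: safe for 'ip verify source'")
```

In the sample, the phone on Gi1/0/11 (voice VLAN 200) is the host without a binding, which is exactly the pattern described in the thread: the data VLAN host on the same port is bound and keeps working, the phone is not and goes silent once IPSG is enabled. A host whose binding lists a different interface is flagged too, since a binding learned before a move does not follow the host. Hosts with static addresses will always show up here and need an `ip source binding` entry rather than a lease renewal.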