IP Verify Source - Phones stop working

douglas.mckee
Level 1

Good Morning,

 

We are running "IP DHCP Snooping" on our 3650 (16.12.3a) switches. On 75% of these switches on average the "ip verify source" command works fine when implemented, but on 25% of these 3650 switches the end users are unable to make calls on their IP phones after implementing the "ip verify source" command.

 

The interfaces are up/up but their MAC addresses never show up in the "sh ip dhcp snooping binding" database. I've made comparisons between working/non-working switches after implementing the "ip verify source" command but both are nearly identical with the exception of old config info. See below.

 

Knowns:

1. sh ip dhcp snooping binding (shows MAC addresses for data vlans)

2. Mix of 8845’s, 8831’s and 6921 phones

3. 3650's are using the same 16.12.3a IOS XE software

4. After applying "ip verify source" phones stop working on 25% of switches applied

5. Running 802.1x on all switches

6. Data Vlans still show up in "sh ip dhcp snooping binding" database but Voice Vlans MAC's do not

7. Log files on switch shows some DOT1x authentication failures 

8. ISE/TACACS configurations on switches are identical

 

ip dhcp snooping
ip dhcp snooping vlan 100-999
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcpsnoop
!
interface GigabitEthernet1/0/1
ip dhcp snooping trust

 

Thank you,

Doug

3 Replies

Hello


@douglas.mckee wrote:

 

The interfaces are up/up but their mac addresses never show up in the "sh  ip dhcp snooping binding" database. I've made comparisons between working/non working switches after implementing "ip verify source" command but both are nearly identical with the exception of old config info. See below.

 

Knowns:

1. sh ip dhcp snooping binding (shows MAC addresses for data vlans)

4. After applying "ip verify source" phones stop working on 25% of switches applied

6. Data Vlans still show up in "sh ip dhcp snooping binding" database but Voice Vlans MAC's do not


Hello
What you don't mention is whether you have IPSG verifying on the IP address and MAC or just on the IP address; if the latter, IPSG doesn't verify the MAC address.

 

So if the DHCP snooping binding entry relates to a different IP address than the one the host has received, the connection will be denied, and likewise if no DHCP binding entry exists for that host (unless statically defined). That's why it's good to run DHCP snooping prior to enabling IPSG.

 



Kind Regards
Paul
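As an added example (not from this thread and not Cisco's code), here is a small Python pre-check that does what the accepted answer's "bottom line" and Paul's reply describe: parse `show ip dhcp snooping binding` output, flag host ports whose voice VLAN has no binding yet (those are the ports where `ip verify source` will drop the phone), and simulate the IPSG permit/deny decision for IP-only versus IP-plus-MAC matching. The binding lines, MAC/IP values and the port inventory dictionary are constructed, hypothetical inputs, not output pulled from a switch.

```python
"""Pre-check for an IP Source Guard (IPSG) rollout.

Parses 'show ip dhcp snooping binding' output, lists host ports whose voice
VLAN has no binding yet, and simulates the IPSG filter decision for a frame.
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample of 'show ip dhcp snooping binding' output (made-up MACs/IPs).
SAMPLE_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.10.110.21     86201       dhcp-snooping  110   GigabitEthernet1/0/5
00:11:22:33:44:66   10.10.110.22     85990       dhcp-snooping  110   GigabitEthernet1/0/6
AA:BB:CC:DD:EE:01   10.10.130.31     84000       dhcp-snooping  330   GigabitEthernet1/0/5
Total number of bindings: 3
"""

# Hypothetical port inventory: data VLAN 110 and voice VLAN 330 on each host port.
SAMPLE_PORTS = {
    "GigabitEthernet1/0/5": {"data": 110, "voice": 330},
    "GigabitEthernet1/0/6": {"data": 110, "voice": 330},
}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


# One binding row: MAC, IP, lease, type, VLAN, interface.
BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)\s*$"
)


def parse_bindings(text):
    """Return Binding objects for every data row; header/footer lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings.append(
                Binding(m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4))
            )
    return bindings


def ports_missing_voice_binding(bindings, ports):
    """Host ports whose voice VLAN has no binding: applying 'ip verify source'
    there will block the phone until a binding appears (bounce the port or
    wait for a DHCP renew, as the thread describes)."""
    seen = {(b.interface, b.vlan) for b in bindings}
    return sorted(p for p, v in ports.items() if (p, v["voice"]) not in seen)


def ipsg_permits(bindings, interface, vlan, src_ip, src_mac=None, mac_check=False):
    """Simulated IPSG decision for a non-DHCP frame.

    Permit only if a binding for this port and VLAN matches the source IP and,
    when mac_check is set, also the source MAC. With no matching binding the
    frame is dropped. (IPSG still lets DHCP through so the host can obtain a
    lease; that exception is not modelled here.)
    """
    for b in bindings:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            if not mac_check or (src_mac and b.mac == src_mac.lower()):
                return True
    return False


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_BINDING_OUTPUT)
    for port in ports_missing_voice_binding(table, SAMPLE_PORTS):
        print(f"{port}: voice VLAN {SAMPLE_PORTS[port]['voice']} has no binding; "
              "do not apply 'ip verify source' yet")
```

Run it against a pasted binding table and your own port inventory before enabling IPSG on host ports; the only port it flags in the constructed sample is the one whose phone has not yet appeared in the binding database.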

Good Morning,

 

We have "IP DHCP snooping" running on all our access switches throughout our network and are just now adding "ip source guard". Currently we have about 18 switches running "ip source guard" without any issues. I was looking around after posting and realized that "ip source guard" only references the mac addresses in the "ip dhcp snooping database" as you mentioned.

 

I just had an epiphany when you mentioned running "ip dhcp snooping" before "ip source guard". We have been expanding our included VLANs in "ip dhcp snooping" but the MAC addresses do not refresh for about 8 days. So it sounds like if we are expanding the VLANs that are included in "ip dhcp snooping" (AKA VoIP as well) we should wait until the MAC addresses have populated in the "ip dhcp snooping database" on the voice side before applying the "ip source guard" command. Also, we could probably just bounce the ports to have them added to the "ip dhcp snooping database".

 

Appreciate all your help,

 

Please let me know if this sounds feasible.

 

Thank you,

 

Doug


IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host.

Below are the troubleshooting steps I took to fix the “ip verify source” causing our IP phones to drop.

 

  1. Sh auth session (Verify which ports are authorized)
  2. Sh ip dhcp snooping binding (Show which Vlans are in the database)
  3. Extended the ip dhcp snooping vlans to 100-999 (Vlan 330 (Voice) was still not populating in binding database)
  4. Clear auth session (This still did not add Vlan 330 to the binding database – possible software bug?)
  5. Shut/no shut a voice port (Vlan 330 showed up in the binding database)
  6. Currently testing switch to see how long it takes for the MACS to populate into the dhcp snooping database
  7. After the MAC’s are populated I will apply the “ip verify source” to these host ports and shouldn’t have any issues

***Bottom line is make sure all your VLANs covered under DHCP snooping are showing up in the DHCP snooping binding database before applying the "ip verify source" command to host ports***

 

Doug
