IPSG for Static IP without Specifying an Interface

matthewb2023
Level 1

Hi All,

I'm really scratching my head on this one and was hoping someone might be able to help. I have a 2960X access stack running IOS 15.2(7)E9 with DHCP snooping enabled on all VLANs that use DHCP and device tracking enabled globally. All access interfaces are configured with the "ip verify source tracking" command (I'm not entirely sure what the addition of "tracking" does to this command, as there's little documentation I can find on it, but my assumption is that it supplements the DHCP snooping table with the Device Tracking table for verifying IP addresses). Source guard works perfectly fine with my devices that utilize DHCP, but I'm having issues with devices that have a static IP. I know that adding a static binding with MAC, IP, and interface would remedy this, but I am also using dot1x assigned VLANs and I feel that this would defeat the whole purpose of the dynamically assigned VLANs if I have to specify which interface a particular IP/MAC pair is connected to.

Does anyone know a way to do IPSG with static IP addressed devices WITHOUT specifying a static MAC/IP/Interface binding? Thanks!

2 Replies

ip source binding mac-address vlan vlan-id ip-address interface interface-id <<- this must be added under interface

MHM

So, I know that this is one resolution. I am trying to find a way to do this without specifying an interface. Do you know a way in which you can implement source guard WITHOUT having to manually specify the interface?