
is DHCP snooping Needed for Port Sec to work?

blackhat2020
Level 1

Hi, I have a strange problem in my campus network. I'm trying to run port security on my access switches, which are 3550s with IOS c3550-ipservicesk9-mz.122-52.SE. When I run port security with the sticky option, even though I set 1000 MAC addresses just for learning on the port, as soon as I issue the switchport port-security command every PC connected to that port loses its connection to the network UNTIL I enable DHCP snooping!!! All my clients get their IP addresses from a DHCP server, but the strange thing is: how on earth do I have to enable DHCP snooping for port security to work properly? Also, when I check the configuration under the interface while DHCP snooping is not yet enabled, the switch doesn't add any MAC address under the interface, so no one can work until I enable snooping, and then the switch adds MAC addresses under the interface configuration. Is this a bug in this version of IOS???? Please help me, I don't know what is wrong.... Thanks in advance

This is the configuration of a port that my clients are attached to:

interface FastEthernet0/24
 switchport access vlan 2
 switchport mode access
 switchport port-security maximum 1000
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast

4 Replies

nawas
Level 4

I don't think you need to enable DHCP snooping for port-security to work. I have switches where I only have port-security enabled and they work just fine. What does the error log show when the PCs lose connectivity? And I assume the ports with port-security enabled have only PCs/phones connected to them?

cadet alain
VIP Alumni

Hi,

So you mean that with the port-security config alone the port is err-disabled?

Can you do a sh int f0/24 status in this case?

Is this an access switch? In that case, how can you get 1000 hosts attached? It's not possible.

Have you tried setting the maximum to 10?

Also post your sh port-security output.

Regards.

Alain

Don't forget to rate helpful posts.

Hi, thank you guys for your replies. I have to mention that Fast 0/24 connects 20 to 30 PCs, and I just put 1000 MAC addresses in the configuration for testing, even though I know there are not that many users on that port. About the show port-security output: I have to say that when my PCs are disconnected because of enabling port security, I checked the output and the switch shows nothing violated and shows that everything is OK (port-sec status). I have to mention that even though I have configured 1000 MACs, port security can't see any MAC address from users to put under port 0/24 when DHCP snooping is disabled, BUT when I enable DHCP snooping then my port security works and the switch puts the learned MAC addresses under port 0/24... I think the problem is that the switch can't learn MAC addresses to put them in the port-security learned MAC database because my DHCP snooping is not enabled!!!! I haven't seen this kind of problem in my entire life!! What do you suggest?? Thanks
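A small checker for the state described above (Secure-up, zero violations, yet zero learned addresses), added here as an example and not part of the thread. The sample output is constructed to follow the field layout of IOS `show port-security interface`; the 10-address sanity threshold is an assumption taken from Alain's suggestion, not a platform limit.

```python
# Constructed sample output (not from the thread), laid out like IOS
# `show port-security interface`: port-security enabled and Secure-up,
# no violations, but no addresses learned, the state the poster describes.
SAMPLE_NO_LEARNING = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1000
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

def parse_port_security(text):
    """Map each 'Field : value' line to a dict. Split on the last ' : ' because
    one field name ('Last Source Address:Vlan') itself contains a colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def diagnose(fields, hosts_expected=True, sane_maximum=10):
    """Return findings for one port. hosts_expected means traffic should be
    arriving, so Secure-up with nothing learned and no violations is a
    contradiction worth a bug search rather than a config tweak."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return ["port-security is not enabled on this port"]
    status = fields.get("Port Status", "")
    total = int(fields.get("Total MAC Addresses", "0"))
    maximum = int(fields.get("Maximum MAC Addresses", "0"))
    violations = int(fields.get("Security Violation Count", "0"))
    if status.startswith("Secure-shutdown"):
        findings.append("port is err-disabled by a security violation")
    if hosts_expected and status == "Secure-up" and total == 0 and violations == 0:
        findings.append("Secure-up with 0 learned addresses and 0 violations: "
                        "hosts are present but never registered as secure")
    if maximum > sane_maximum:  # assumed threshold, from the reply suggesting 10
        findings.append(f"maximum {maximum} is far above the {sane_maximum} "
                        "a single access port should need")
    return findings
```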

Hi,

These two features are completely unrelated, so I really don't see how DHCP snooping could have any effect on port-security.

Have you searched the known bugs repository for this IOS version/switch model?

Regards.

Alain

Don't forget to rate helpful posts.