Lack of "ip verify source" and "ip arp inspection" commands on WS-C2960X-48TS-LL

Jack K · ‎06-24-2021

Hi all

I need your help. I tried to search through the Internet but with no success. In our network we have one Cisco WS-C2960X-48TS-LL switch. However it's not possible to implement IP Source Guard and DAI because there is lack of "ip verify source" and "ip arp inspection" commands. IP DHCP Snooping works fine. On the switch is installed the latest and suggested IOS version 15.2.7E4.

Here is a bit of the config:

Switch#sh license
Index 1 Feature: lanbase
Period left: 0 minute 0 second
Index 2 Feature: lanlite
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted

Switch#sh ver
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Mon 08-Mar-21 11:26 by prod_rel_team

ROM: Bootstrap program is C2960X boot loader
BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.2(6r)E, RELEASE SOFTWARE (fc1)

TPA-WAW-SW4 uptime is 3 weeks, 4 days, 16 hours, 6 minutes
System returned to ROM by reload
System restarted at 18:36:09 CEST Sat May 29 2021
System image file is "flash:/c2960x-universalk9-mz.152-7.E4.bin"
Last reload reason: power-on

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960X-48TS-LL (APM86XXX) processor (revision H0) with 262144K bytes of memory.
Processor board ID FOC1910S6NG
Last reset from power-on
1 Virtual Ethernet interface
1 FastEthernet interface
50 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 40:A6:E8:DB:A1:80
Motherboard assembly number : 73-15974-02
Power supply part number : 341-0537-02
Motherboard serial number : FOC19103ACM
Power supply serial number : DCB1905833G
Model revision number : H0
Motherboard revision number : B0
Model number : WS-C2960X-48TS-LL
Daughterboard assembly number : 73-14200-03
Daughterboard serial number : FOC19105YH6
System serial number : FOC1910S6NG
Top Assembly Part Number : 800-41471-01
Top Assembly Revision Number : C0
Version ID : V03
CLEI Code Number : COMGK00ARG
Daughterboard revision number : A0
Hardware Board Revision Number : 0x12

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 50 WS-C2960X-48TS-LL 15.2(7)E4 C2960X-UNIVERSALK9-M

Configuration register is 0xF

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#ip arp ?
   gratuitous     Gratuitous ARP control
   poll           IP ARP polling for unnumbered interfaces
   proxy          Global proxy ARP configuration
   track          ARP Track configuration

Switch(config)#int gigabitEthernet 0/20
Switch(config-if)#ip ?
Interface IP configuration subcommands:
   access-group   Specify access control for packets
   admission      Apply Network Admission Control
   device         IP Device tracking
   dhcp           Configure DHCP parameters for this interface
   flow           NetFlow related commands
   igmp           IGMP interface commands

Switch(config)#ip dhcp snooping ?
   database       DHCP snooping database agent
   glean          DHCP read only snooping
   information    DHCP Snooping information
   verify         DHCP snooping verify
   vlan           DHCP Snooping vlan
   wireless       DHCP snooping wireless
<cr>

Switch(config)#

Is there any chance to implement IP Source Guard and DAI on that switch? I would be grateful for any suggestions

Best Regards,

Sam

marce1000 · ‎06-24-2021

- Ref : https://cfnng.cisco.com/browse/switching/features

Your particular model is not shown as supporting IP Source Guard, check attachment.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Jack K · ‎06-28-2021

@marce1000

Thank you for your quick reply. However this Cisco Feature Navigator is not reliable in my case, because as well it doesn't show other older switches as Catalyst 3560x which has all the mentioned features. It also doesn't show that WS-C2960X-48TS-LL has DHCP snooping, what works on it as shown in the given output. I think this feature shows only most recent network devices.

marce1000 · ‎06-28-2021

>..... I think this feature shows only most recent network devices

Acknowledging that and seen before , it would be more honest and functional for everybody if the feature navigator would include all devices for a particular features and not only new-models.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

shaikmohib · ‎06-28-2021

Hi Sam,

This looks like a limitation on the current platform, i have tested with 29xx devices in my environment. Although we dont use the source gaurd feature. It did not work on 29xx but was working on 3550 and above.

Searched for command ref for the code train you are running could find anything there as well.

Let us know if you find anything