Rosseti
Beginner

Problem with Port Security and DHCP Snooping.

Hello, we have the following problem. With IP Source Guard and DHCP Snooping enabled, when a host is inactive and its record in the snooping table expires, the host cannot access the network when it becomes active again, while the record is still working.

Switch Ports Model                     SW Version            SW Image                 
------ ----- -----                     ----------            ----------               
*    1 10    WS-C2960C-8TC-L           15.2(7)E5             C2960c405-UNIVERSALK9-M  

Debug:

(config)#int fa0/2
(config-if)#no shut
(config-if)#
009270: Dec  1 09:44:00 BRN: DHCP_SNOOPING: checking expired snoop binding entries^Z
009272: Dec  1 09:44:03 BRN: PSECURE: psecure_linkchange: Fa0/2  hwidb=0x49115A8
009273: Dec  1 09:44:03 BRN: PSECURE: Link is coming up
009274: Dec  1 09:44:03 BRN: PSECURE: psecure_linkup_init: Fa0/2 hwidb = 0x49115A8
009275: Dec  1 09:44:03 BRN: PSECURE: psecure_vp_linkup port Fa0/2, vlan 1, mode access
009276: Dec  1 09:44:03 BRN: PSECURE: psecure_vp_linkup set psec ask handler on interface Fa0/2
009277: Dec  1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Activating port-security feature
009278: Dec  1 09:44:03 BRN: PSECURE: port_activate: status is 1
009279: Dec  1 09:44:03 BRN: PSECURE: psecure_activate_port_security: set psec ask handler on interface Fa0/2
009280: Dec  1 09:44:03 BRN: PSECURE: psecure_clear_ha_table: called
009281: Dec  1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Deleting all dynamic addresses from h/w tables.
009282: Dec  1 09:44:03 BRN: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1
009283: Dec  1 09:44:03 BRN: PSECURE: psecure_vp_list_fwdchange invoked
009285: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak.  Was Vl1
009286: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_packet_hat_mat_filtering) port security is enabled on FastEthernet0/2
009287: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = IP
009288: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1
009289: Dec  1 09:44:03 BRN: PSECURE: Read:535, Write:536
009290: Dec  1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009291: Dec  1 09:44:03 BRN: PSECURE: Packet is handled by some other feature so that address will not be added to port-security sub block
009292: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak.  Was Vl1
009293: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Gi0/1
009294: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak.  Was Vl1
009295: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak
009296: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1
009297: Dec  1 09:44:03 BRN: PSECURE: Read:536, Write:537
009298: Dec  1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009299: Dec  1 09:44:03 BRN: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
009300: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = ARP
009301: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1
009302: Dec  1 09:44:03 BRN: PSECURE: Read:537, Write:538
009303: Dec  1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009304: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak
009305: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1

In the debug you can see that the packet is intercepted by something, and most likely this is why it does not work. How can I find out what exactly? Or maybe I did not set up the mechanisms correctly in the first place?

Config:

ip arp inspection vlan 1
ip arp inspection vlan 1 logging arp-probe
ip arp inspection validate src-mac dst-mac ip 
ip arp inspection log-buffer entries 64
ip arp inspection log-buffer logs 128 interval 600
ip arp inspection filter SARPInspectFilter vlan  1
!
ip dhcp snooping vlan 1
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id hostname
no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
no ip dhcp snooping verify no-relay-agent-address
ip dhcp snooping 
!
interface FastEthernet0/2
switchport mode access
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100 burst interval 3
storm-control broadcast level pps 1k
storm-control multicast level pps 1k
storm-control action trap
spanning-tree bpduguard enable
ip verify source port-security

Accepted Solution

Hi, I found a solution for myself. I did not say that there is a switch from another vendor (Nateks NX-3428) in the topology above, and the problem was that its agent sent all requests on its own behalf when snooping was running, i.e. it changed the source address of the sender, so the root switch did not know where to send the response from the DHCP server and dropped it. Thus, without receiving a response from the DHCP server, snooping did not allow the access hosts onto the network. In summary, the matter is not with Cisco.

MHM Cisco World
Collaborator

What is the lease time for the MAC address/IP when it is active?
show ip dhcp snooping binding 

Lease time 3600

paul driver
VIP Mentor

Hello

What ARP inspection filters are you applying? Also, your port-security aging looks a bit too aggressive (2 mins).


sh ip arp inspection interfaces
sh ip arp inspection vlan 1
sh ip arp inspection statistics

sh port-security
sh port-security interface x/x

sh ip source binding vlan 1
sh ip dhcp snooping binding vlan 1
sh ip dhcp snooping database



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Hi, 

Filter for static host

arp access-list SARPInspectFilter
 permit ip host 172.26.64.125 mac host b827.eb6d.3298

sh ip arp inspection interfaces

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa0/1            Untrusted              100                 3
 Fa0/2            Untrusted              100                 3
 Fa0/3            Untrusted              100                 3
 Fa0/4            Untrusted              100                 3
 Fa0/5            Untrusted              100                 3
 Fa0/6            Untrusted              100                 3
 Fa0/7            Untrusted              100                 3
 Fa0/8            Untrusted              100                 3
 Gi0/1            Trusted               None               N/A
 Gi0/2            Untrusted               15                 1

sh ip arp inspection vlan 1

Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active      SARPInspectFilte   No 

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    1     Deny             Deny              Permit       

sh ip arp inspection statistics

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1         294364            174            119              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    1           5295            299              6                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                       55                       0

sh port-security 
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Restrict
      Fa0/2              2            1                  0         Restrict
      Fa0/3              2            1                  0         Restrict
      Fa0/4              2            0                  0         Restrict
      Fa0/5              2            0                  0         Restrict
      Fa0/6              2            0                  0         Restrict
      Fa0/7              2            0                  0         Restrict
      Fa0/8              2            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192

sh port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : b827.eb6d.3298:1
Security Violation Count   : 0

sh port-security interface fa0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 50e5.4942.fe2f:1
Security Violation Count   : 0

sh port-security interface fa0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

sh ip source binding vlan 1
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
B8:27:EB:6D:32:98   172.26.64.125    infinite    static          1     FastEthernet0/1
50:E5:49:42:FE:2F   172.26.64.89     2019        dhcp-snooping   1     FastEthernet0/2
B4:B5:2F:B2:48:8E   172.26.64.86     3408        dhcp-snooping   1     FastEthernet0/3
Total number of bindings: 3

sh ip dhcp snooping binding vlan 1
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
50:E5:49:42:FE:2F   172.26.64.89     1983        dhcp-snooping   1     FastEthernet0/2
B4:B5:2F:B2:48:8E   172.26.64.86     3372        dhcp-snooping   1     FastEthernet0/3
Total number of bindings: 2

sh ip dhcp snooping database
Agent URL : scp://SecretLogin:SecretPassword@SecretIP/Secrethostname.snoop
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : 41 (00:00:41)
Abort Timer Expiry : Not Running

Last Succeded Time : 09:38:40 BRN Mon Dec 6 2021
Last Failed Time : 15:53:51 BRN Thu Dec 2 2021
Last Failed Reason : Error writing to remote database.

Total Attempts       :       94   Startup Failures :        0
Successful Transfers :       77   Failed Transfers :       17
Successful Reads     :        1   Failed Reads     :        0
Successful Writes    :       76   Failed Writes    :       17
Media Failures       :       17

IP Source Guard is now disabled on interface Fa0/2.

On port Fa0/3 switchport port-security mac-address sticky is enabled, and with this configuration more or less everything works, but we would like to use only dynamic addresses.


Hello

@Rosseti wrote:

ip arp inspection filter SARPInspectFilter vlan 1


The reason why this wasn't working would suggest it's due to the static DAI ACL applied for the VLAN; this ACL would be read before any DHCP snooping DB.

If you remove that DAI ACL and the port-security sticky, then let the hosts obtain DHCP again, does it work?
conf t
no ip arp inspection filter SARPInspectFilter vlan 1
interface x/x
no switchport port-security mac-address sticky



kind regards
Paul


I cannot remove the filter, since in addition to dynamic addresses we have static ones, which also need to be allowed.

Hello


@Rosseti wrote:

I cannot remove the filter, since in addition to dynamic addresses we have static ones, they also need to be allowed.


Remove the static MAC entry and then clear the DHCP snooping table of those entries, then let those hosts obtain DHCP. When they are registered in the snooping table they should be allowed to communicate once more:

clear ip dhcp snooping binding <ip address> <mac address> vlan 1



kind regards
Paul



MHM Cisco World
Collaborator

The reason is that IP Source Guard has two inspections:
one is IP only, and this can be checked against DHCP snooping alone;
the other checks the IP address together with the MAC address, the IP from DHCP snooping and the MAC from port-security.
So in your case the IP-to-MAC address mapping is not right and hence the packet is dropped.
Solution: try using ip verify source with DHCP snooping only and see the result.

ip verify source [vlan {dhcp-snooping | vlan-list}] [port-security]
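As an added illustration of the two IP Source Guard checks described in this reply (this is a simplified model written for this thread, not Cisco's implementation or code from the poster): it parses the `sh ip dhcp snooping binding` output quoted earlier and then decides whether a frame would pass in IP-only mode versus IP+MAC (`port-security`) mode. The function names `parse_bindings`, `ipsg_allows` and `norm_mac` and the `Binding` type are my own, and the binding table is a constructed sample copied from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the "sh ip dhcp snooping binding vlan 1" output quoted in the thread.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
50:E5:49:42:FE:2F   172.26.64.89     1983        dhcp-snooping   1     FastEthernet0/2
B4:B5:2F:B2:48:8E   172.26.64.86     3372        dhcp-snooping   1     FastEthernet0/3
Total number of bindings: 2
"""

# One binding row: MAC, IP, lease ("infinite" for static entries), type, VLAN, interface.
ROW = re.compile(r"^([0-9a-f:]{17})\s+(\d+(?:\.\d+){3})\s+(\d+|infinite)\s+(\S+)\s+(\d+)\s+(\S+)$", re.I)

def norm_mac(mac: str) -> str:
    """Normalise both 50:E5:49:42:FE:2F (snooping) and 50e5.4942.fe2f (port-security) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: Optional[int]  # None means "infinite" (static entry)
    vlan: int
    interface: str

def parse_bindings(text: str) -> List[Binding]:
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, ip, lease, _typ, vlan, intf = m.groups()
            out.append(Binding(norm_mac(mac), ip, None if lease == "infinite" else int(lease), int(vlan), intf))
    return out

def ipsg_allows(bindings: List[Binding], secure_macs: Dict[str, Set[str]], interface: str,
                vlan: int, src_mac: str, src_ip: str, port_security: bool = False) -> bool:
    """Simplified model (an assumption here, not Cisco's code) of the two IPSG checks.
    IP-only ("ip verify source"): the source IP needs a snooping binding on this port/VLAN.
    IP+MAC ("ip verify source port-security"): the source MAC must also match that binding
    and be a secure address on the port, so an aged-out port-security entry is enough to drop."""
    match = next((b for b in bindings if b.interface == interface and b.vlan == vlan and b.ip == src_ip), None)
    if match is None:
        return False  # no binding (e.g. lease expired while the host was idle): dropped in both modes
    if not port_security:
        return True
    mac = norm_mac(src_mac)
    return mac == match.mac and mac in secure_macs.get(interface, set())
```

With the thread's own values this reproduces the observed behaviour: a host whose binding is gone is dropped in either mode, and in `port-security` mode a host is also dropped once its MAC has aged out of the port's secure table even while the snooping binding is still valid.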