12-01-2021 07:51 PM
Hello, we have the following problem: with IP Source Guard and DHCP Snooping enabled, when a host is inactive and its record in the snooping table expires, the host cannot access the network when it becomes active again; while the record still exists, it works.
Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 10    WS-C2960C-8TC-L    15.2(7)E5    C2960c405-UNIVERSALK9-M
Debug:
(config)#int fa0/2
(config-if)#no shut
(config-if)#
009270: Dec 1 09:44:00 BRN: DHCP_SNOOPING: checking expired snoop binding entries^Z
009272: Dec 1 09:44:03 BRN: PSECURE: psecure_linkchange: Fa0/2 hwidb=0x49115A8
009273: Dec 1 09:44:03 BRN: PSECURE: Link is coming up
009274: Dec 1 09:44:03 BRN: PSECURE: psecure_linkup_init: Fa0/2 hwidb = 0x49115A8
009275: Dec 1 09:44:03 BRN: PSECURE: psecure_vp_linkup port Fa0/2, vlan 1, mode access
009276: Dec 1 09:44:03 BRN: PSECURE: psecure_vp_linkup set psec ask handler on interface Fa0/2
009277: Dec 1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Activating port-security feature
009278: Dec 1 09:44:03 BRN: PSECURE: port_activate: status is 1
009279: Dec 1 09:44:03 BRN: PSECURE: psecure_activate_port_security: set psec ask handler on interface Fa0/2
009280: Dec 1 09:44:03 BRN: PSECURE: psecure_clear_ha_table: called
009281: Dec 1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Deleting all dynamic addresses from h/w tables.
009282: Dec 1 09:44:03 BRN: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1
009283: Dec 1 09:44:03 BRN: PSECURE: psecure_vp_list_fwdchange invoked
009285: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was Vl1
009286: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_packet_hat_mat_filtering) port security is enabled on FastEthernet0/2
009287: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = IP
009288: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1
009289: Dec 1 09:44:03 BRN: PSECURE: Read:535, Write:536
009290: Dec 1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009291: Dec 1 09:44:03 BRN: PSECURE: Packet is handled by some other feature so that address will not be added to port-security sub block
009292: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak. Was Vl1
009293: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. Was Gi0/1
009294: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak. Was Vl1
009295: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak
009296: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1
009297: Dec 1 09:44:03 BRN: PSECURE: Read:536, Write:537
009298: Dec 1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009299: Dec 1 09:44:03 BRN: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
009300: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = ARP
009301: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1
009302: Dec 1 09:44:03 BRN: PSECURE: Read:537, Write:538
009303: Dec 1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009304: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak
009305: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1
In the debug you can see that the packet is intercepted by something, and most likely this is what does not work. How can I find out what exactly? Or maybe I did not set up the mechanisms correctly in the first place?
Config:
ip arp inspection vlan 1
ip arp inspection vlan 1 logging arp-probe
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 64
ip arp inspection log-buffer logs 128 interval 600
ip arp inspection filter SARPInspectFilter vlan 1
!
ip dhcp snooping vlan 1
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id hostname
no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
no ip dhcp snooping verify no-relay-agent-address
ip dhcp snooping
!
interface FastEthernet0/2
switchport mode access
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100 burst interval 3
storm-control broadcast level pps 1k
storm-control multicast level pps 1k
storm-control action trap
spanning-tree bpduguard enable
ip verify source port-security
12-07-2021 11:52 PM
Hi, I found a solution myself. I did not mention that there is a switch from another vendor (Nateks NX-3428) in the topology above, and the problem was that its agent sent all requests on its own behalf while snooping was running, i.e. it changed the sender's source address, so the root switch did not know where to send the response from the DHCP server and dropped it. Thus, without receiving a response from the DHCP server, snooping did not allow the access hosts onto the network. In summary, the problem is not with Cisco.
12-02-2021 03:57 AM
What is the lease time for the MAC address/IP when it is active?
show ip dhcp snooping binding
12-05-2021 07:20 PM
Lease time 3600
12-02-2021 07:30 AM - edited 12-02-2021 07:46 AM
Hello
What ARP inspection filters are you applying? Also, your port-security aging looks a bit too aggressive (2 mins).
sh ip arp inspection interfaces
sh ip arp inspection vlan 1
sh ip arp inspection statistics
sh port-security
sh port-security interface x/x
sh ip source binding vlan 1
sh ip dhcp snooping binding vlan 1
sh ip dhcp snooping database
12-05-2021 07:20 PM - edited 12-05-2021 07:31 PM
Hi,
Filter for the static host:
arp access-list SARPInspectFilter
permit ip host 172.26.64.125 mac host b827.eb6d.3298
sh ip arp inspection interfaces
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Fa0/1            Untrusted    100         3
Fa0/2            Untrusted    100         3
Fa0/3            Untrusted    100         3
Fa0/4            Untrusted    100         3
Fa0/5            Untrusted    100         3
Fa0/6            Untrusted    100         3
Fa0/7            Untrusted    100         3
Fa0/8            Untrusted    100         3
Gi0/1            Trusted      None        N/A
Gi0/2            Untrusted    15          1
sh ip arp inspection vlan 1
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

Vlan  Configuration  Operation  ACL Match         Static ACL
----  -------------  ---------  ---------         ----------
1     Enabled        Active     SARPInspectFilte  No

Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
1     Deny         Deny          Permit
sh ip arp inspection statistics
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
1     294364     174      119         0

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
1     5295          299          6              0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
1     0                  55                      0
sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
---------------------------------------------------------------------------
Fa0/1        2              1            0                  Restrict
Fa0/2        2              1            0                  Restrict
Fa0/3        2              1            0                  Restrict
Fa0/4        2              0            0                  Restrict
Fa0/5        2              0            0                  Restrict
Fa0/6        2              0            0                  Restrict
Fa0/7        2              0            0                  Restrict
Fa0/8        2              0            0                  Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
sh port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : b827.eb6d.3298:1
Security Violation Count   : 0

sh port-security interface fa0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 50e5.4942.fe2f:1
Security Violation Count   : 0

sh port-security interface fa0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
sh ip source binding vlan 1
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
B8:27:EB:6D:32:98 172.26.64.125 infinite static 1 FastEthernet0/1
50:E5:49:42:FE:2F 172.26.64.89 2019 dhcp-snooping 1 FastEthernet0/2
B4:B5:2F:B2:48:8E 172.26.64.86 3408 dhcp-snooping 1 FastEthernet0/3
Total number of bindings: 3
sh ip dhcp snooping binding vlan 1
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
50:E5:49:42:FE:2F   172.26.64.89     1983        dhcp-snooping  1     FastEthernet0/2
B4:B5:2F:B2:48:8E   172.26.64.86     3372        dhcp-snooping  1     FastEthernet0/3
Total number of bindings: 2
sh ip dhcp snooping database
Agent URL : scp://SecretLogin:SecretPassword@SecretIP/Secrethostname.snoop
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : 41 (00:00:41)
Abort Timer Expiry : Not Running

Last Succeded Time : 09:38:40 BRN Mon Dec 6 2021
Last Failed Time : 15:53:51 BRN Thu Dec 2 2021
Last Failed Reason : Error writing to remote database.

Total Attempts       :       94   Startup Failures :        0
Successful Transfers :       77   Failed Transfers :       17
Successful Reads     :        1   Failed Reads     :        0
Successful Writes    :       76   Failed Writes    :       17
Media Failures       :       17
IP Source Guard is now disabled on interface Fa0/2.
On port Fa0/3, switchport port-security mac-address sticky is enabled, and with this configuration more or less everything works, but we would like to use only dynamic addresses.
12-05-2021 11:58 PM
Hello
@Rosseti wrote:
ip arp inspection filter SARPInspectFilter vlan 1
The reason why this wasn't working would suggest it's due to the static DAI ACL applied for the VLAN; this ACL would be read before any DHCP snooping DB.
If you remove that DAI ACL and the port-security sticky, then let the hosts obtain DHCP again, does it work?
conf t
no ip arp inspection filter SARPInspectFilter vlan 1
interface x/x
no switchport port-security mac-address sticky
12-06-2021 06:31 PM
I cannot remove the filter, since in addition to dynamic addresses we have static ones, and they also need to be allowed.
12-06-2021 10:23 PM
Hello
@Rosseti wrote:
I cannot remove the filter, since in addition to dynamic addresses we have static ones, they also need to be allowed.
Remove the static MAC entry and then clear the DHCP snooping table of those entries, then let those hosts obtain DHCP. When they are registered in the snooping table they should be allowed to communicate once more:
clear ip dhcp snooping binding ip <ip-address> mac <mac-address> vlan 1
12-06-2021 01:36 PM
The reason is that IP Source Guard has two kinds of inspection:
one is IP only, and this checks against DHCP snooping;
the other checks the IP address together with the MAC address: the IP from DHCP snooping and the MAC from port-security.
So in your case the IP-to-MAC mapping is not right and hence the packet is dropped.
Solution: try ip verify source with DHCP snooping only and see the result.
ip verify source [vlan {dhcp-snooping | vlan-list}] [port-security]
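The two decision procedures discussed in this thread, DAI consulting the ARP ACL before the DHCP snooping bindings unless the filter is applied with `static` (the 12-05 11:58 PM reply), and IP Source Guard in IP-only versus IP+MAC mode (the reply above), can be exercised against the thread's own binding table. The Python below is an added illustration, not Cisco code and not posted by anyone in the thread. It parses the `show ip source binding` output quoted earlier and models both filters. Assumptions made here: IP+MAC mode is modelled only as "the source MAC must equal the MAC in the binding" (the interplay with port-security's secure-address table is not modelled), DHCP client traffic is treated as always permitted, and a dhcp-snooping binding is simply removed once its lease runs out. The function names `parse_bindings`, `age_bindings`, `isg_permit` and `dai_permit` are chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample input: the `show ip source binding vlan 1` output quoted
# in this thread (addresses and lease values as shown there).
SHOW_IP_SOURCE_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
B8:27:EB:6D:32:98   172.26.64.125    infinite    static         1     FastEthernet0/1
50:E5:49:42:FE:2F   172.26.64.89     2019        dhcp-snooping  1     FastEthernet0/2
B4:B5:2F:B2:48:8E   172.26.64.86     3408        dhcp-snooping  1     FastEthernet0/3
Total number of bindings: 3
"""

# The ARP ACL from the thread, as (action, sender-ip, sender-mac) entries.
SARP_INSPECT_FILTER = [("permit", "172.26.64.125", "b827.eb6d.3298")]


@dataclass(frozen=True)
class Binding:
    mac: str              # 12 lowercase hex digits
    ip: str
    lease: Optional[int]  # remaining seconds; None = infinite (static entry)
    kind: str             # "static" or "dhcp-snooping"
    vlan: int
    interface: str


def norm_mac(mac: str) -> str:
    """Accept 50e5.4942.fe2f, 50:E5:49:42:FE:2F or 50-e5-49-42-fe-2f."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


# Header, separator and 'Total number of bindings' lines do not match this row pattern.
_ROW = re.compile(r"^\s*([0-9A-Fa-f:.\-]+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_bindings(text: str) -> List[Binding]:
    """Parse `show ip source binding` / `show ip dhcp snooping binding` output."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            mac, ip, lease, kind, vlan, iface = m.groups()
            rows.append(Binding(norm_mac(mac), ip,
                                None if lease == "infinite" else int(lease),
                                kind, int(vlan), iface))
    return rows


def age_bindings(bindings: Sequence[Binding], elapsed: int) -> List[Binding]:
    """The table `elapsed` seconds later with no DHCP renewal seen: dhcp-snooping
    entries whose lease ran out are gone (assumption: plain removal at expiry);
    static entries never age."""
    aged = []
    for b in bindings:
        if b.lease is None:
            aged.append(b)
        elif b.lease > elapsed:
            aged.append(Binding(b.mac, b.ip, b.lease - elapsed, b.kind, b.vlan, b.interface))
    return aged


def isg_permit(bindings, interface, vlan, src_ip, src_mac, *, mac_filter, is_dhcp=False):
    """IP Source Guard on an untrusted port.
    `ip verify source`               -> mac_filter=False: (vlan, port, src IP) needs a binding.
    `ip verify source port-security` -> mac_filter=True: the source MAC must match it too.
    DHCP client packets are let through so a host without a binding can obtain one."""
    if is_dhcp:
        return True
    for b in bindings:
        if b.vlan == vlan and b.interface == interface and b.ip == src_ip:
            if not mac_filter or b.mac == norm_mac(src_mac):
                return True
    return False


def dai_permit(arp_acl, bindings, vlan, sender_ip, sender_mac, *, static_acl=False):
    """Dynamic ARP Inspection with `ip arp inspection filter <acl> vlan <n> [static]`.
    The ARP ACL is consulted first: explicit permit forwards, explicit deny drops.
    With no ACL match, `static` applies the ACL's implicit deny; without it the
    snooping binding table is consulted ('Static ACL: No' in the thread's output)."""
    smac = norm_mac(sender_mac)
    for action, ip, mac in arp_acl:
        if ip == sender_ip and norm_mac(mac) == smac:
            return action == "permit"
    if static_acl:
        return False
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == smac for b in bindings)


if __name__ == "__main__":
    table = parse_bindings(SHOW_IP_SOURCE_BINDING)
    host = ("FastEthernet0/2", 1, "172.26.64.89", "50e5.4942.fe2f")
    print("binding present :", isg_permit(table, *host, mac_filter=True))               # True
    expired = age_bindings(table, 2019)                                                  # lease ran out
    print("binding expired :", isg_permit(expired, *host, mac_filter=True))             # False
    print("DHCP still ok   :", isg_permit(expired, *host, mac_filter=True, is_dhcp=True))  # True
    print("DAI static host :", dai_permit(SARP_INSPECT_FILTER, expired, 1,
                                          "172.26.64.125", "b827.eb6d.3298"))            # True
```

Running it reproduces the symptom from the first post: the Fa0/2 host is permitted while its 2019-second binding exists and dropped once the lease runs out, until a DHCP exchange (always let through) recreates the binding; the static Fa0/1 entry never ages, and the DAI ACL permits that host regardless of the binding table. A dhcp-snooping host is still permitted by DAI through the binding table as long as the filter is not applied with `static`.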