Solved: Re: Problem with Port Security and DHCP Snooping.

Rosseti · ‎12-01-2021

Hello, we have the following problem, when the IP source Guard and DHCP Snooping enabled, when the host is inactive and the record in the snooping table expires, the host cannot access the network when it is active again, while the record is still working.

Switch Ports Model                     SW Version            SW Image                 
------ ----- -----                     ----------            ----------               
*    1 10    WS-C2960C-8TC-L           15.2(7)E5             C2960c405-UNIVERSALK9-M

Debug:

Spoiler

(config)#int fa0/2
(config-if)#no shut
(config-if)#
009270: Dec  1 09:44:00 BRN: DHCP_SNOOPING: checking expired snoop binding entries^Z
009272: Dec  1 09:44:03 BRN: PSECURE: psecure_linkchange: Fa0/2  hwidb=0x49115A8
009273: Dec  1 09:44:03 BRN: PSECURE: Link is coming up
009274: Dec  1 09:44:03 BRN: PSECURE: psecure_linkup_init: Fa0/2 hwidb = 0x49115A8
009275: Dec  1 09:44:03 BRN: PSECURE: psecure_vp_linkup port Fa0/2, vlan 1, mode access
009276: Dec  1 09:44:03 BRN: PSECURE: psecure_vp_linkup set psec ask handler on interface Fa0/2
009277: Dec  1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Activating port-security feature
009278: Dec  1 09:44:03 BRN: PSECURE: port_activate: status is 1
009279: Dec  1 09:44:03 BRN: PSECURE: psecure_activate_port_security: set psec ask handler on interface Fa0/2
009280: Dec  1 09:44:03 BRN: PSECURE: psecure_clear_ha_table: called
009281: Dec  1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Deleting all dynamic addresses from h/w tables.
009282: Dec  1 09:44:03 BRN: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1
009283: Dec  1 09:44:03 BRN: PSECURE: psecure_vp_list_fwdchange invoked
009285: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak.  Was Vl1
009286: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_packet_hat_mat_filtering) port security is enabled on FastEthernet0/2
009287: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = IP
009288: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1
009289: Dec  1 09:44:03 BRN: PSECURE: Read:535, Write:536
009290: Dec  1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009291: Dec  1 09:44:03 BRN: PSECURE: Packet is handled by some other feature so that address will not be added to port-security sub block
009292: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak.  Was Vl1
009293: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Gi0/1
009294: Dec  1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak.  Was Vl1
009295: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak
009296: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1
009297: Dec  1 09:44:03 BRN: PSECURE: Read:536, Write:537
009298: Dec  1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009299: Dec  1 09:44:03 BRN: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
009300: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = ARP
009301: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1
009302: Dec  1 09:44:03 BRN: PSECURE: Read:537, Write:538
009303: Dec  1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1
009304: Dec  1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak
009305: Dec  1 09:44:03 BRN: PSECURE: mat_cookie=1

(config)#int fa0/2 (config-if)#no shut (config-if)# 009270: Dec 1 09:44:00 BRN: DHCP_SNOOPING: checking expired snoop binding entries^Z 009272: Dec 1 09:44:03 BRN: PSECURE: psecure_linkchange: Fa0/2 hwidb=0x49115A8 009273: Dec 1 09:44:03 BRN: PSECURE: Link is coming up 009274: Dec 1 09:44:03 BRN: PSECURE: psecure_linkup_init: Fa0/2 hwidb = 0x49115A8 009275: Dec 1 09:44:03 BRN: PSECURE: psecure_vp_linkup port Fa0/2, vlan 1, mode access 009276: Dec 1 09:44:03 BRN: PSECURE: psecure_vp_linkup set psec ask handler on interface Fa0/2 009277: Dec 1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Activating port-security feature 009278: Dec 1 09:44:03 BRN: PSECURE: port_activate: status is 1 009279: Dec 1 09:44:03 BRN: PSECURE: psecure_activate_port_security: set psec ask handler on interface Fa0/2 009280: Dec 1 09:44:03 BRN: PSECURE: psecure_clear_ha_table: called 009281: Dec 1 09:44:03 BRN: PSECURE: psecure_activate_port_security: Deleting all dynamic addresses from h/w tables. 009282: Dec 1 09:44:03 BRN: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1 009283: Dec 1 09:44:03 BRN: PSECURE: psecure_vp_list_fwdchange invoked 009285: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was Vl1 009286: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_packet_hat_mat_filtering) port security is enabled on FastEthernet0/2 009287: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = IP 009288: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1 009289: Dec 1 09:44:03 BRN: PSECURE: Read:535, Write:536 009290: Dec 1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1 009291: Dec 1 09:44:03 BRN: PSECURE: Packet is handled by some other feature so that address will not be added to port-security sub block 009292: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak. Was Vl1 009293: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. Was Gi0/1 009294: Dec 1 09:44:03 BRN: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak. Was Vl1 009295: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak 009296: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1 009297: Dec 1 09:44:03 BRN: PSECURE: Read:536, Write:537 009298: Dec 1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1 009299: Dec 1 09:44:03 BRN: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up 009300: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = ARP 009301: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1 009302: Dec 1 09:44:03 BRN: PSECURE: Read:537, Write:538 009303: Dec 1 09:44:03 BRN: PSECURE: swidb = FastEthernet0/2 mac_addr = 50e5.4942.fe2f vlanid = 1 009304: Dec 1 09:44:03 BRN: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 50e5.4942.fe2f, swidb = Fa0/2, vlan = 1, linktype = NullPak 009305: Dec 1 09:44:03 BRN: PSECURE: mat_cookie=1

in the debug, you can see that the packet is intercepted by something and most likely this does not work, how to understand what exactly? Or maybe I initially did not set up the mechanisms correctly?

Config:

Spoiler

ip arp inspection vlan 1
ip arp inspection vlan 1 logging arp-probe
ip arp inspection validate src-mac dst-mac ip 
ip arp inspection log-buffer entries 64
ip arp inspection log-buffer logs 128 interval 600
ip arp inspection filter SARPInspectFilter vlan  1
!
ip dhcp snooping vlan 1
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id hostname
no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
no ip dhcp snooping verify no-relay-agent-address
ip dhcp snooping 
!
interface FastEthernet0/2
switchport mode access
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100 burst interval 3
storm-control broadcast level pps 1k
storm-control multicast level pps 1k
storm-control action trap
spanning-tree bpduguard enable
ip verify source port-security

ip arp inspection vlan 1 ip arp inspection vlan 1 logging arp-probe ip arp inspection validate src-mac dst-mac ip ip arp inspection log-buffer entries 64 ip arp inspection log-buffer logs 128 interval 600 ip arp inspection filter SARPInspectFilter vlan 1 ! ip dhcp snooping vlan 1 ip dhcp snooping information option allow-untrusted ip dhcp snooping information option format remote-id hostname no ip dhcp snooping information option no ip dhcp snooping verify mac-address no ip dhcp snooping verify no-relay-agent-address ip dhcp snooping !interface FastEthernet0/2switchport mode accessswitchport port-security maximum 2switchport port-security violation restrictswitchport port-security aging time 2switchport port-security aging type inactivityswitchport port-securityip arp inspection limit rate 100 burst interval 3storm-control broadcast level pps 1kstorm-control multicast level pps 1kstorm-control action trapspanning-tree bpduguard enableip verify source port-security

Rosseti · ‎12-07-2021

Hi, I found a solution for myself, I did not say that there is a switch from another vendor (Nateks NX-3428) in the topology above, and the problem was that his agent sent all requests on his own behalf when snooping was running, i.e. changed the source address of the sender, so the root switch did not know where to send the response from the DHCP server and dropped them. Thus, without receiving a response from the DHCP server, snooping did not allow access hosts to the network. In total, we can summarize that the matter is not in CISCO.

View solution in original post

MHM Cisco World · ‎12-02-2021

what is the lease time for mac address/IP when it active ?
show ip dhcp snooping binding

Rosseti · ‎12-05-2021

Lease time 3600

paul driver · ‎12-02-2021

Hello

What arp inspection filters are you applying, also your port sec aging look a bit to aggressive (2 mins)

sh ip arp inspection interfaces
sh ip arp inspection vlan 1
sh ip arp inspection statistics
sh port-security
sh port-security interface x/x
sh ip source binding vlan 1
sh ip dhcp snooping binding vlan 1
sh ip dhcp snooping database

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Rosseti · ‎12-05-2021

Hi,

Filter for static host

arp access-list SARPInspectFilter
 permit ip host 172.26.64.125 mac host b827.eb6d.3298

sh ip arp inspection interfaces

Spoiler

sh ip arp inspection interfaces

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa0/1            Untrusted              100                 3
 Fa0/2            Untrusted              100                 3
 Fa0/3            Untrusted              100                 3
 Fa0/4            Untrusted              100                 3
 Fa0/5            Untrusted              100                 3
 Fa0/6            Untrusted              100                 3
 Fa0/7            Untrusted              100                 3
 Fa0/8            Untrusted              100                 3
 Gi0/1            Trusted               None               N/A
 Gi0/2            Untrusted               15                 1

sh ip arp inspection interfaces Interface Trust State Rate (pps) Burst Interval --------------- ----------- ---------- -------------- Fa0/1 Untrusted 100 3 Fa0/2 Untrusted 100 3 Fa0/3 Untrusted 100 3 Fa0/4 Untrusted 100 3 Fa0/5 Untrusted 100 3 Fa0/6 Untrusted 100 3 Fa0/7 Untrusted 100 3 Fa0/8 Untrusted 100 3 Gi0/1 Trusted None N/A Gi0/2 Untrusted 15 1

sh ip arp inspection vlan 1

Spoiler

sh ip arp inspection vlan 1

Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active      SARPInspectFilte   No 

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    1     Deny             Deny              Permit

sh ip arp inspection vlan 1 Source Mac Validation : Enabled Destination Mac Validation : Enabled IP Address Validation : Enabled Vlan Configuration Operation ACL Match Static ACL ---- ------------- --------- --------- ---------- 1 Enabled Active SARPInspectFilte No Vlan ACL Logging DHCP Logging Probe Logging ---- ----------- ------------ ------------- 1 Deny Deny Permit

sh ip arp inspection statistics

Spoiler

sh ip arp inspection statistics

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1         294364            174            119              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    1           5295            299              6                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                       55                       0

sh ip arp inspection statistics Vlan Forwarded Dropped DHCP Drops ACL Drops ---- --------- ------- ---------- --------- 1 294364 174 119 0 Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures ---- ------------ ----------- ------------- ------------------- 1 5295 299 6 0 Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data ---- ----------------- ---------------------- --------------------- 1 0 55 0

sh port-security

Spoiler

sh port-security 
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Restrict
      Fa0/2              2            1                  0         Restrict
      Fa0/3              2            1                  0         Restrict
      Fa0/4              2            0                  0         Restrict
      Fa0/5              2            0                  0         Restrict
      Fa0/6              2            0                  0         Restrict
      Fa0/7              2            0                  0         Restrict
      Fa0/8              2            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192

sh port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Fa0/1 2 1 0 Restrict Fa0/2 2 1 0 Restrict Fa0/3 2 1 0 Restrict Fa0/4 2 0 0 Restrict Fa0/5 2 0 0 Restrict Fa0/6 2 0 0 Restrict Fa0/7 2 0 0 Restrict Fa0/8 2 0 0 Restrict --------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 8192

sh port-security interface x/x

Spoiler

sh port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : b827.eb6d.3298:1
Security Violation Count   : 0

sh port-security interface fa0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 50e5.4942.fe2f:1
Security Violation Count   : 0

sh port-security interface fa0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

sh port-security interface fa0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Restrict Aging Time : 2 mins Aging Type : Inactivity SecureStatic Address Aging : Disabled Maximum MAC Addresses : 2 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : b827.eb6d.3298:1 Security Violation Count : 0 sh port-security interface fa0/2 Port Security : Enabled Port Status : Secure-up Violation Mode : Restrict Aging Time : 2 mins Aging Type : Inactivity SecureStatic Address Aging : Disabled Maximum MAC Addresses : 2 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 50e5.4942.fe2f:1 Security Violation Count : 0 sh port-security interface fa0/3 Port Security : Enabled Port Status : Secure-up Violation Mode : Restrict Aging Time : 2 mins Aging Type : Inactivity SecureStatic Address Aging : Disabled Maximum MAC Addresses : 2 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 1 Last Source Address:Vlan : 0000.0000.0000:0 Security Violation Count : 0

sh ip source binding vlan 1

Spoiler

sh ip source binding vlan 1
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
B8:27:EB:6D:32:98 172.26.64.125 infinite static 1 FastEthernet0/1
50:E5:49:42:FE:2F 172.26.64.89 2019 dhcp-snooping 1 FastEthernet0/2
B4:B5:2F:B2:48:8E 172.26.64.86 3408 dhcp-snooping 1 FastEthernet0/3
Total number of bindings: 3

sh ip source binding vlan 1MacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------B8:27:EB:6D:32:98 172.26.64.125 infinite static 1 FastEthernet0/150:E5:49:42:FE:2F 172.26.64.89 2019 dhcp-snooping 1 FastEthernet0/2B4:B5:2F:B2:48:8E 172.26.64.86 3408 dhcp-snooping 1 FastEthernet0/3Total number of bindings: 3

sh ip dhcp snooping binding vlan 1

Spoiler

sh ip dhcp snooping binding vlan 1
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
50:E5:49:42:FE:2F   172.26.64.89     1983        dhcp-snooping   1     FastEthernet0/2
B4:B5:2F:B2:48:8E   172.26.64.86     3372        dhcp-snooping   1     FastEthernet0/3
Total number of bindings: 2

sh ip dhcp snooping binding vlan 1 MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ---------- ------------- ---- -------------------- 50:E5:49:42:FE:2F 172.26.64.89 1983 dhcp-snooping 1 FastEthernet0/2 B4:B5:2F:B2:48:8E 172.26.64.86 3372 dhcp-snooping 1 FastEthernet0/3 Total number of bindings: 2

sh ip dhcp snooping database

Spoiler

sh ip dhcp snooping database
Agent URL : scp://SecretLogin:SecretPassword@SecretIP/Secrethostname.snoop
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : 41 (00:00:41)
Abort Timer Expiry : Not Running

Last Succeded Time : 09:38:40 BRN Mon Dec 6 2021
Last Failed Time : 15:53:51 BRN Thu Dec 2 2021
Last Failed Reason : Error writing to remote database.

Total Attempts       :       94   Startup Failures :        0
Successful Transfers :       77   Failed Transfers :       17
Successful Reads     :        1   Failed Reads     :        0
Successful Writes    :       76   Failed Writes    :       17
Media Failures       :       17

sh ip dhcp snooping database Agent URL : scp://SecretLogin:SecretPassword@SecretIP/Secrethostname.snoop Write delay Timer : 300 seconds Abort Timer : 300 seconds Agent Running : No Delay Timer Expiry : 41 (00:00:41) Abort Timer Expiry : Not Running Last Succeded Time : 09:38:40 BRN Mon Dec 6 2021 Last Failed Time : 15:53:51 BRN Thu Dec 2 2021 Last Failed Reason : Error writing to remote database. Total Attempts : 94 Startup Failures : 0 Successful Transfers : 77 Failed Transfers : 17 Successful Reads : 1 Failed Reads : 0 Successful Writes : 76 Failed Writes : 17 Media Failures : 17

Now IP Source Guard Disabled on interface Fa0/2,

On port Fa0/3 enabled switchport port-security mac-address sticky, and with this configuration, more or less everything works, but we would like to use only dynamics.

paul driver · ‎12-05-2021

Hello

@Rosseti wrote:

ip arp inspection filter SARPInspectFilter vlan 1

The reason why this wasnt working would suggest its due to the static DAI acl applied for the the vlan, this acl would be read before any dhcp snooping D/B

If you remove that dai acl and the port-security sticky then let the hosts otain dhcp again does it work?
conf t
no ip arp inspection filter SARPInspectFilter vlan 1
no switchport port-security sticky interface x/x

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Rosseti · ‎12-06-2021

I cannot remove the filter, since in addition to dynamic addresses we have static ones, they also need to be allowed.

paul driver · ‎12-06-2021

Hello

@Rosseti wrote:

I cannot remove the filter, since in addition to dynamic addresses we have static ones, they also need to be allowed.

Remove the static mac entry and the clear the dhcp snooping table of those entries, then let those hosts obtain dhcp, When they are registered in the snooping table they should be allowed to communicate once more:

clear ip dhcp snooping binding <ip addrerss> <max addreess> vlan 1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Rosseti · ‎12-07-2021

Hi, I found a solution for myself, I did not say that there is a switch from another vendor (Nateks NX-3428) in the topology above, and the problem was that his agent sent all requests on his own behalf when snooping was running, i.e. changed the source address of the sender, so the root switch did not know where to send the response from the DHCP server and dropped them. Thus, without receiving a response from the DHCP server, snooping did not allow access hosts to the network. In total, we can summarize that the matter is not in CISCO.

MHM Cisco World · ‎12-06-2021

the reason is the IP source guard have two inspection
one is the IP only and this can check the DHCP snooping by
other is check IP address with MAC address IP from DHCP snooping and MAC from port-security.
so in your case the IP to MAC address is not right and hence the packet is drop.
solution try use ip verify with dhcp snooping only and see result.

ip verify source [vlan {dhcp-snooping | vlan-list}] [port-security]