Source guard not blocking spoofed MAC

Sopra Steria
Level 1

Hello team, hope all is great.


We're implementing some security hardening on our environment and I'm having trouble getting ip arp inspection and ip source guard to work. We have enabled ip dhcp snooping and ip arp inspection; when we spoof the IP the port properly drops the traffic, but when we spoof the MAC it doesn't.
On this site we're protecting vlan 625 (client) & vlan 627 (printers). This is our configuration right now:

Switch Ports Model              SW Version    SW Image
------ ----- ------------------ ------------- --------------------
*    1 52    WS-C2960S-48FPD-L  12.2(55)SE10  C2960S-UNIVERSALK9-M


#do sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
625,627
DHCP snooping is operational on following VLANs:
625,627
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: a40c.c351.eb00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet1/0/1 yes yes unlimited
Custom circuit-ids:
GigabitEthernet1/0/4 no no 100
Custom circuit-ids:
TenGigabitEthernet1/0/1 yes yes unlimited
Custom circuit-ids:
TenGigabitEthernet1/0/2 yes yes unlimited
Custom circuit-ids:
GigabitEthernet2/0/1 yes yes unlimited
Custom circuit-ids:
GigabitEthernet3/0/1 no no 15
Custom circuit-ids:
GigabitEthernet3/0/36 yes yes unlimited
Custom circuit-ids:
GigabitEthernet4/0/44 no no 100
Custom circuit-ids:
Port-channel1 yes yes unlimited


#sh ip arp inspection

Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
625 Enabled Active
627 Enabled Active

Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
625 Deny Deny Off
627 Deny Deny Off

Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
625 556545 562741 562741 0
627 36745 17443 17443 0

Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
625 70105 0 2943 0
627 27 0 0 0

Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
625 0 0 0
627 0 0 0


On port gi1/0/4 we have a printer:

sh run int gi1/0/4
Building configuration...

Current configuration : 864 bytes
!
interface GigabitEthernet1/0/4
description skriver 1.etg resepsjon
switchport access vlan 627
switchport mode access
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
authentication event fail action next-method
authentication event server dead action reinitialize vlan 60
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip verify source port-security
ip dhcp snooping limit rate 100
end


It has a static IP and has been manually added to the binding table:

9C:32:CE:09:9E:53   10.30.219.5   infinite   dhcp-snooping   627   GigabitEthernet1/0/4


On gi4/0/44 we have a test laptop:

sh run int gi4/0/44
Building configuration...

Current configuration : 863 bytes
!
interface GigabitEthernet4/0/44
description *** Standard port ***
switchport access vlan 625
switchport mode access
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
authentication event fail action next-method
authentication event server dead action reinitialize vlan 60
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip verify source port-security
ip dhcp snooping limit rate 100
end


When we spoof the printer's MAC on the laptop, source guard seems to be totally fine with it:

sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/4    ip-mac       active       10.30.219.5      9C:32:CE:09:9E:53  627
Gi4/0/44   ip-mac       active       10.30.216.103    9C:32:CE:09:9E:53  625


We tried renewing the dhcp lease, shutting the interface and removing the laptop from the dhcp lease on the server.


Is there anything in the configuration that I'm not seeing? Am I hitting a bug?

3 Replies

Hi


#sh ip arp inspection

Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled


Try to enable the validate option:


ip arp inspection validate { [ src-mac ] [ dst-mac ] [ ip ]}


Hello

What software image are you running? IPSG in the past required enhanced multilayer images (EMI).


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sopra Steria
Level 1

Today we tested "validate src". I see the ARP inspection logs being populated by devices other than the test laptop that is spoofing the MAC.

#ip arp inspection validate src-mac

sh ip arp inspection int

Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi1/0/4 Untrusted 100 1 (printer)

Gi4/0/44 Untrusted 100 1 (laptop spoofing printer)


#sh ip arp insp

Source Mac Validation : Enabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
625 Enabled Active
627 Enabled Active

Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
625 Deny Deny Off
627 Deny Deny Off

Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
625 609107 752615 752615 0
627 42457 18850 18850 0

Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
625 71682 0 3000 0
627 134 0 0 0

Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
625 0 0 0


#sh port-security int gi4/0/44
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 11
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 9c32.ce09.9e53:625
Security Violation Count : 0


int gi4/0/44 status

Port Name Status Vlan Duplex Speed Type
Gi4/0/44 *** Standard port connected 625 a-full a-1000 10/100/1000BaseTX
#sh run int gi4/0/44
Building configuration...

Current configuration : 863 bytes
!
interface GigabitEthernet4/0/44
description *** Standard port ***
switchport access vlan 625
switchport mode access
switchport port-security maximum 11
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
authentication event fail action next-method
authentication event server dead action reinitialize vlan 60
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip verify source port-security
ip dhcp snooping limit rate 100
end


#sh ip arp inspection log
Total Log Buffer Size : 1024
Syslog rate : 1024 entries per 10 seconds.


Interface Vlan Sender MAC Sender IP Num Pkts Reason Time
---------- ---- -------------- --------------- --------- ------------ ----
Gi3/0/12 625 6c4b.9024.e3b7 10.30.216.125 1 DHCP Deny 14:54:47 CET Wed Mar 2 2022
Gi3/0/37 625 0023.24b0.8b08 10.30.216.113 1 DHCP Deny 14:54:47 CET Wed Mar 2 2022
Gi3/0/19 625 6c4b.901d.6d86 10.30.216.129 1 DHCP Deny 14:54:47 CET Wed Mar 2 2022
Gi4/0/1 625 6c4b.901d.84a9 10.30.216.117 1 DHCP Deny 14:54:47 CET Wed Mar 2 2022
Gi4/0/1 625 6c4b.9023.c37f 10.30.216.242 1 DHCP Deny 14:54:47 CET Wed Mar 2 2022
Gi4/0/1 625 0023.24da.bf2e 10.30.216.55 1 DHCP Deny 14:54:47 CET Wed Mar 2 2022


#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
9C:32:CE:09:9E:53   10.30.216.132    86305       dhcp-snooping  625   GigabitEthernet4/0/44
9C:32:CE:09:9E:53   10.30.219.5      infinite    dhcp-snooping  627   GigabitEthernet1/0/4


@paul driver we're running 12.2(55)SE10 C2960S-UNIVERSALK9-M
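The Python script below is an added example; it is not code from any participant in this thread or from Cisco. It parses the "sh ip source binding" output quoted above (the two binding rows are copied from the thread), models in deliberately simplified form the per-port IP/MAC lookup that "ip verify source port-security" performs and the binding lookup that Dynamic ARP Inspection performs with and without "validate src-mac" (both models are assumptions about the features' behaviour, not Cisco's implementation), and flags any MAC that holds bindings on more than one interface, which is what the binding table above shows for the printer's MAC. The point for a defender is that IPSG only compares a frame against the bindings of its own port, so a MAC that has legitimately obtained a DHCP lease on a second port carries a binding there too; the duplicate-MAC check is one way to surface that from the binding table before relying on IPSG alone.

```python
import re
from collections import defaultdict

# Constructed sample input: the two rows quoted from the thread's
# "sh ip source binding" output, preceded by the header the command prints.
SAMPLE_BINDINGS = """\
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
9C:32:CE:09:9E:53 10.30.216.132 86305 dhcp-snooping 625 GigabitEthernet4/0/44
9C:32:CE:09:9E:53 10.30.219.5 infinite dhcp-snooping 627 GigabitEthernet1/0/4
"""

# One binding row: MAC, IP, lease, type, VLAN, interface.
# The header and separator rows do not match and are skipped.
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\S+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<iface>\S+)$"
)


def parse_bindings(text):
    """Turn 'show ip source binding' output into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()   # normalise case for comparisons
            row["vlan"] = int(row["vlan"])
            rows.append(row)
    return rows


def ipsg_permits(bindings, iface, vlan, src_ip, src_mac):
    """Simplified model (an assumption, not Cisco's implementation) of the
    'ip verify source port-security' check on an untrusted port: the frame's
    source IP and source MAC must both match a binding for that port and VLAN.
    Bindings on other ports are not consulted."""
    src_mac = src_mac.lower()
    return any(
        b["iface"] == iface and b["vlan"] == vlan
        and b["ip"] == src_ip and b["mac"] == src_mac
        for b in bindings
    )


def dai_verdict(bindings, vlan, eth_src_mac, sender_mac, sender_ip,
                validate_src_mac=False):
    """Simplified model (again an assumption) of Dynamic ARP Inspection on an
    untrusted port. With 'validate src-mac' the Ethernet source MAC must equal
    the ARP sender MAC; in every case the sender IP/MAC pair must appear in
    the bindings for the VLAN. The deny wording mirrors the 'DHCP Deny' reason
    seen in the thread's 'show ip arp inspection log'."""
    sender_mac = sender_mac.lower()
    if validate_src_mac and eth_src_mac.lower() != sender_mac:
        return "drop: Source MAC Failure"
    if any(b["vlan"] == vlan and b["ip"] == sender_ip and b["mac"] == sender_mac
           for b in bindings):
        return "permit"
    return "drop: DHCP Deny"


def macs_on_multiple_interfaces(bindings):
    """Detection check: a MAC holding bindings on more than one interface is
    worth investigating, since one station is not normally behind two access
    ports at once. Returns {mac: [interfaces]} for every such MAC."""
    seen = defaultdict(set)
    for b in bindings:
        seen[b["mac"]].add(b["iface"])
    return {mac: sorted(ifs) for mac, ifs in seen.items() if len(ifs) > 1}


if __name__ == "__main__":
    bindings = parse_bindings(SAMPLE_BINDINGS)
    for mac, ifaces in macs_on_multiple_interfaces(bindings).items():
        print(f"MAC {mac} is bound on several interfaces: {', '.join(ifaces)}")
```

Run against the thread's own binding table, the script reports the printer's MAC on both GigabitEthernet1/0/4 and GigabitEthernet4/0/44, and the IPSG model permits a frame from Gi4/0/44 that uses the leased IP with that MAC, because a binding for exactly that port, VLAN, IP and MAC exists. Feeding it the output of a real switch (one binding table per switch) turns the same check into a routine report.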
