11-03-2010 12:13 PM - edited 03-06-2019 01:52 PM
Hi,
No idea why but if I have the " ip verify source port-security " enable, I can't get an Ip address. Is there any special configuration missing, is there any global config for that ?? I think something goes wrong here.
If I put my computer on a port that don't have " ip verify source port-security " I get the IP address, as soon as I get my computer in a port that have " ip verify source port-security " nothing....
IOS : c3560-ipbasek9-mz.122-53.SE2.bin
Thanks
interface FastEthernet0/43
switchport access vlan 107
switchport mode access
switchport voice vlan 187
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source port-security
ip dhcp snooping limit rate 10
Trunk that goest to Core switch where dhcp is :
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point
ip dhcp snooping trust
Solved! Go to Solution.
11-03-2010 12:50 PM
Typically you would just want this configuration at your access layer.
You can deploy it elsewhere, however it becomes complicated with which
ports to trust etc.
11-03-2010 12:36 PM
Does your DHCP server support option-82? If I recall correctly for IP source guard and Port security to work together the server needs to support option 82.
11-03-2010 12:39 PM
I think it wasn't working because this configuration was missing :
conf t
ip dhcp snooping
ip dhcp snooping vlan x,y,z
ip dhcp snooping information option.
11-03-2010 12:41 PM
Ahhh yes, that could explain it.
11-03-2010 12:47 PM
Do you know if I need to do that config only at the access layer or at the distribution layer also ?
11-03-2010 12:50 PM
Typically you would just want this configuration at your access layer.
You can deploy it elsewhere, however it becomes complicated with which
ports to trust etc.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide