IP Source Guard dropping DHCP Offers

steve_mils (Level 1)

Hello,

I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.

I've configured port-security, DHCP Snooping and DAI and they all work as expected.

However, when it comes to IP Source Guard, things don't work as I expected... when a DHCP lease expires because a user has switched their machine off for a number of days, the Snooping binding is removed and IP Source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request and a reply gets generated, but the offer gets dropped because there is no Snooping binding!

One thing to note is that the DHCP server is on the switch itself and not on a port.

Does anyone know if this is the correct behaviour???

Thanks.

4 Replies

Istvan_Rabai (Level 7)

Hi Steve,

I don't have experience with the situation where the DHCP server is on the same switch.

But the problem with IP Source Guard can probably be solved with the following configuration:

conf t
ip dhcp snooping
ip dhcp snooping vlan x,y,z
ip dhcp snooping information option

The DHCP offer is dropped because the switch does not know which port to forward the dhcp offer to.

Information option helps solve this problem.

Try this and please inform me if this is successful.

Thank you:

Istvan
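The "information option" Istvan refers to is DHCP option 82 (relay agent information). On a Catalyst switch running DHCP snooping it is inserted into the client's DISCOVER/REQUEST and carries two suboptions: a circuit-id encoding VLAN, module and port of the ingress interface, and a remote-id carrying the switch's base MAC. The following is an added example, not code from the thread or from Cisco: it builds and parses option 82 in Cisco's default suboption layout, shows the snooping rule that option 82 arriving on an untrusted port is dropped unless `allow-untrusted` is configured, and maps a parsed circuit-id back to an interface name. The VLAN (2) and port (Gi1/0/4) match Steve's configuration; the switch MAC is constructed, and the `GigabitEthernet<module>/0/<port>` naming is an assumption that fits a 3750 stack.

```python
import struct
from typing import Optional

# Option 82 and its two Cisco suboptions (relay agent information).
OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Encode option 82 as a snooping switch adds it to a client's request.

    Default Cisco layout:
      circuit-id: suboption 1, len 6: [type 0][len 4][vlan:2][module:1][port:1]
      remote-id : suboption 2, len 8: [type 0][len 6][switch base MAC:6]
    """
    if len(switch_mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote = struct.pack("!BB", 0, 6) + switch_mac
    body = (struct.pack("!BB", SUB_CIRCUIT_ID, len(circuit)) + circuit
            + struct.pack("!BB", SUB_REMOTE_ID, len(remote)) + remote)
    return struct.pack("!BB", OPT_RELAY_AGENT, len(body)) + body


def parse_option82(data: bytes) -> dict:
    """Decode an option 82 TLV into vlan/module/port/switch_mac.

    Every length is checked before use: a malformed option from an
    untrusted client must raise, not index past the buffer.
    """
    if len(data) < 2 or data[0] != OPT_RELAY_AGENT:
        raise ValueError("not option 82")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated option 82")
    out = {}
    i = 0
    while i + 2 <= len(body):
        sub, sublen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + sublen]
        if len(val) != sublen:
            raise ValueError("truncated suboption")
        i += 2 + sublen
        if sub == SUB_CIRCUIT_ID:
            if sublen != 6:
                raise ValueError("unexpected circuit-id length")
            ctype, clen, vlan, module, port = struct.unpack("!BBHBB", val)
            if ctype != 0 or clen != 4:
                raise ValueError("unexpected circuit-id format")
            out.update(vlan=vlan, module=module, port=port)
        elif sub == SUB_REMOTE_ID:
            if sublen != 8 or val[0] != 0 or val[1] != 6:
                raise ValueError("unexpected remote-id format")
            out["switch_mac"] = val[2:8]
    return out


def accept_client_dhcp(port_trusted: bool, has_option82: bool,
                       allow_untrusted: bool = False) -> bool:
    """Snooping rule: a client packet that already carries option 82 on an
    untrusted port is dropped (it may be forging a port identity) unless
    'ip dhcp snooping information option allow-untrusted' is set."""
    if port_trusted or not has_option82:
        return True
    return allow_untrusted


def egress_interface(opt82: bytes, local_mac: bytes) -> Optional[str]:
    """Name the interface a returning OFFER/ACK belongs on, from the
    circuit-id. Returns None when the remote-id names a different switch,
    i.e. the reply was relayed through some other agent and is not ours.
    Interface naming Gi<module>/0/<port> is an assumption (3750 stack)."""
    info = parse_option82(opt82)
    if info.get("switch_mac") != local_mac:
        return None
    return f"GigabitEthernet{info['module']}/0/{info['port']}"


if __name__ == "__main__":
    # Constructed values: VLAN 2 and Gi1/0/4 as in the thread, MAC made up.
    mac = bytes.fromhex("001122334455")
    opt = build_option82(2, 1, 4, mac)
    print(opt.hex())                       # 5212010600040002010402080006001122334455
    print(parse_option82(opt))
    print(egress_interface(opt, mac))      # GigabitEthernet1/0/4
```

The parser is deliberately strict about every length field: option 82 is attacker-influenced input on an untrusted port, and a relay or server that trusts the embedded lengths without checking them is reading past the packet.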

Hi Istvan,

Thanks for your advice: I have that config in place. I'm using port security, dhcp snooping, dynamic arp inspection and ip source guard - proper switch security ;-)

I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.

Here is the relevant config:

ip dhcp excluded-address 172.21.1.254
!
ip dhcp pool Users
 network 172.21.1.0 255.255.255.0
 default-router 172.21.1.254
 lease 0 0 5
!
ip dhcp snooping vlan 2
ip dhcp snooping database tftp://172.21.1.250/test-sw-dhcpDB
ip dhcp snooping
ip arp inspection vlan 2
!
interface GigabitEthernet1/0/4
 description Laptop
 switchport access vlan 2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 10
!
interface Vlan2
 ip address 172.21.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!

The lease time is so long for testing purposes; and option 82 is enabled by default so the command is not displayed in the running config.

Thanks, Steve
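The behaviour Steve saw on the other IOS releases is the intended one: IP Source Guard filters frames arriving on the untrusted port against the snooping binding table, client DHCP is exempt from that check (otherwise a host whose binding aged out could never obtain a new lease), and the OFFER/ACK going back to the client is not subject to it at all, with the ACK being what installs the binding. The following is an added example, not code from the thread or from Cisco IOS: a small model of that state machine, replayed against Steve's setup (`lease 0 0 5`, i.e. 300 seconds, port Gi1/0/4 in VLAN 2, `ip verify source port-security` so both IP and MAC are matched). The client MAC and lease address are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    src_mac: str
    src_ip: str               # "0.0.0.0" while the client has no lease
    is_dhcp: bool = False     # client DISCOVER/REQUEST, UDP 68 -> 67


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    expires_at: int           # seconds on the model's own clock


@dataclass
class Switch:
    """Snooping binding table plus IP Source Guard decisions for one switch."""
    trusted: Set[str] = field(default_factory=set)
    # (port, client MAC) -> Binding, as 'show ip dhcp snooping binding' lists them
    bindings: Dict[Tuple[str, str], Binding] = field(default_factory=dict)
    now: int = 0

    def advance(self, seconds: int) -> None:
        """Move the clock. Expired snooping bindings are removed and take
        their IP Source Guard entries with them (Steve's 'switched off for
        days' case)."""
        self.now += seconds
        self.bindings = {k: b for k, b in self.bindings.items()
                         if b.expires_at > self.now}

    def ingress(self, port: str, vlan: int, pkt: Packet) -> str:
        """Decision for a frame arriving on 'port' under
        'ip verify source port-security' (IP and MAC both checked)."""
        if port in self.trusted:
            return "forward"
        if pkt.is_dhcp:
            # Client DHCP passes regardless of bindings; snooping still
            # rate-limits it ('limit rate 10') and checks chaddr vs. src MAC.
            return "forward"
        b = self.bindings.get((port, pkt.src_mac))
        if b is None:
            return "drop:no-binding"
        if b.ip != pkt.src_ip or b.vlan != vlan:
            return "drop:ip-mac-mismatch"
        return "forward"

    def reply_to_client(self, port: str, vlan: int, client_mac: str,
                        ip: str, lease: int, msg: str) -> str:
        """Server-side reply (here from the switch's own pool, a trusted
        source) heading out to the client port. It is never checked
        against the binding table; the ACK is what creates the binding."""
        if msg not in ("OFFER", "ACK"):
            return "drop:unexpected-server-message"
        if msg == "ACK":
            self.bindings[(port, client_mac)] = Binding(
                client_mac, ip, vlan, self.now + lease)
        return "forward"


def scenario() -> List[str]:
    """Replay the thread: lease 0 0 5 (300 s) on Gi1/0/4 in VLAN 2.
    Returns the sequence of decisions so the expected behaviour is explicit."""
    sw = Switch()
    port, vlan = "Gi1/0/4", 2
    mac, ip, lease = "0011.2233.4455", "172.21.1.10", 300   # constructed
    discover = Packet(mac, "0.0.0.0", is_dhcp=True)
    data = Packet(mac, ip)
    spoof = Packet(mac, "172.21.1.99")                       # wrong source IP
    log = []
    log.append(sw.ingress(port, vlan, discover))                     # forward
    log.append(sw.reply_to_client(port, vlan, mac, ip, lease, "OFFER"))  # forward
    log.append(sw.reply_to_client(port, vlan, mac, ip, lease, "ACK"))    # forward
    log.append(sw.ingress(port, vlan, data))                         # forward
    log.append(sw.ingress(port, vlan, spoof))                        # drop:ip-mac-mismatch
    sw.advance(301)                                                  # lease expires
    log.append(sw.ingress(port, vlan, data))                         # drop:no-binding
    log.append(sw.ingress(port, vlan, discover))                     # forward (must not be blocked)
    log.append(sw.reply_to_client(port, vlan, mac, ip, lease, "OFFER"))  # forward (the 12.2.40SE drop)
    log.append(sw.reply_to_client(port, vlan, mac, ip, lease, "ACK"))    # forward
    log.append(sw.ingress(port, vlan, data))                         # forward again
    return log


if __name__ == "__main__":
    for step, result in enumerate(scenario(), 1):
        print(step, result)
```

Two lines in the replay are the ones to compare against a switch under test: the second DISCOVER after the binding has aged out must be forwarded, and the OFFER that answers it must leave the port; the 12.2.40SE behaviour Steve describes fails at the second of those.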

Thank you Steve,

I think this explains the abnormal behavior.

It is good you provided this info, because during the day I was thinking several times about this problem. Now, my mind will be freed from this :)

Cheers:

Istvan

Ha! I know that feeling very well. Issues like this one make me doubt my understanding. I automatically think I've configured things wrongly or not understood something when all along it's a bug!

Thanks, Steve
