Let's say there is a client router connected on switch port G1/0/6. But the command on the switch "show mac address table int G1/0/6" shows nothing. Also the command "sh ip dhcp snooping binding int G1/0/6" shows nothing. So I do not see the router's MAC or IP address on that port. Then I run the command "no ip verify source port-security" and I see the router's MAC with the "sh mac address table" command but do not see the router's IP with "dhcp snooping".
Then in the logs the following line appears:
Aug 1 07:08:18.434 EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi1/0/6
It seems like the router got a private IP address from a rogue DHCP server which is on the same VLAN.
The question then is why "ip dhcp snooping binding" doesn't show this private IP address 192.168.0.100.
Because it is not in the DHCP snooping database, the switch doesn't accept packets from this router (because of the "ip verify source port-security" command), and that's why the router's MAC address also wasn't in the MAC address table before I used the command "no ip verify source port-security". Am I right?
Well, your theory seems to be right. The IP address won't show up in the binding table as it got the IP address from a rogue DHCP server, but why or how did it get an IP address from a rogue machine while DHCP snooping is running for that VLAN?
Well, this switch is Cisco, but the uplink switch also has connections to non-Cisco switches which don't support DHCP snooping. That is how the client's router got an IP from the rogue DHCP server connected to a non-Cisco switch. So the question then is why "dhcp snooping binding" doesn't show the snooping binding with the private IP address 192.168.0.1 on the port connected to the router.
Yes, I guess it came from an incorrectly connected client's router which is connected to a switch which doesn't support DHCP snooping. What did you mean by saying "As switch running DHCP Snooping never saw DORA packets responsible for obtaining IP address dynamically."?
The DHCP snooping binding table is created by actively monitoring server packets, namely the OFFER and ACK packets of the DORA (Discover, Offer, Request, Ack) process. The switch running snooping never saw the OFFER and ACK packets, as they never traversed this switch for the router's IP address, hence no entry in the binding table.
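To make the explanation in this thread concrete, here is a simplified model of DHCP snooping plus IP Source Guard in port-security mode. It is an added illustration, not code from the thread or from Cisco IOS; the port names, MACs and addresses (Gi1/0/48 as the trusted uplink, the 10.0.10.0/24 host) are constructed, and the model keeps only the behaviour discussed above: a binding is learned from the server's ACK, server messages on untrusted ports are dropped, and without a binding the source-guard filter drops the frame before its MAC is learned.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK"}          # legitimate only from trusted (server-facing) ports
CLIENT_MSGS = {"DISCOVER", "REQUEST"}

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

class SnoopingSwitch:
    """Simplified DHCP snooping + IP Source Guard (port-security mode) model."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # (mac, vlan) -> untrusted port where the client's DISCOVER/REQUEST arrived
        self.bindings = {}   # (mac, vlan) -> Binding: what "show ip dhcp snooping binding" lists
        self.mac_table = {}  # (mac, vlan) -> port: what "show mac address-table" lists

    def observe_dhcp(self, msg, client_mac, vlan, port, yiaddr=None):
        """Handle one DHCP message arriving on `port`; return True if it is forwarded."""
        if msg in CLIENT_MSGS:
            if port not in self.trusted:
                self.pending[(client_mac, vlan)] = port
            return True
        if msg in SERVER_MSGS and port in self.trusted:
            if msg == "ACK" and (client_mac, vlan) in self.pending:   # binding is learned from the ACK
                self.bindings[(client_mac, vlan)] = Binding(client_mac, yiaddr, vlan, self.pending[(client_mac, vlan)])
            return True
        return False   # server message on an untrusted port (rogue server): dropped, nothing bound

    def receive_ip_frame(self, src_mac, src_ip, vlan, port, verify_source=True):
        """IP Source Guard: on untrusted ports the frame (and MAC learning) needs a matching binding."""
        b = self.bindings.get((src_mac, vlan))
        if verify_source and port not in self.trusted and not (b and b.ip == src_ip and b.port == port):
            return False   # dropped before the MAC is learned, so it never shows in the MAC table
        self.mac_table[(src_mac, vlan)] = port
        return True

def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})   # constructed: Gi1/0/48 is the uplink to the real server
    for msg, port, ip in [("DISCOVER", "Gi1/0/5", None), ("OFFER", "Gi1/0/48", "10.0.10.20"),
                          ("REQUEST", "Gi1/0/5", None), ("ACK", "Gi1/0/48", "10.0.10.20")]:
        sw.observe_dhcp(msg, "aaaa.0000.0005", 10, port, yiaddr=ip)   # host whose DORA crossed this switch
    good = sw.receive_ip_frame("aaaa.0000.0005", "10.0.10.20", 10, "Gi1/0/5")
    # the router on Gi1/0/6 holds 192.168.0.100 from a DHCP server whose OFFER/ACK this switch never saw
    blocked = sw.receive_ip_frame("bbbb.0000.0006", "192.168.0.100", 10, "Gi1/0/6")
    relaxed = sw.receive_ip_frame("bbbb.0000.0006", "192.168.0.100", 10, "Gi1/0/6", verify_source=False)
    return good, blocked, relaxed, sorted(sw.mac_table), sorted(b.ip for b in sw.bindings.values())
```

`demo()` reproduces the thread's observation: the host with a full DORA exchange through the switch gets a binding and is forwarded, while the router on Gi1/0/6 is dropped (and its MAC never learned) until verification is switched off, at which point its MAC appears but the binding table still has no entry for it.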