I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.
I've configured port-security, DHCP Snooping and DAI and they all work as expected.
However, when it comes to IP Source Guard, things don't work as I expected... when a DHCP lease expires because a user has switched their machine off for a number of days, the Snooping binding is removed and IP Source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request and a reply gets generated, but the offer gets dropped because there is no Snooping binding!
One thing to note is that the DHCP server is on the switch itself and not on a port.
Does anyone know if this is the correct behaviour?
Thanks for your advice: I have that config in place. I'm using port security, DHCP snooping, dynamic ARP inspection and IP Source Guard - proper switch security ;-)
I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...