IP Source Guard is similar to Dynamic ARP Inspection in the way that it maps IP Addresses to certain criteria that must match or packets will be dropped, however this is configured solely on the interfaces and ties the IP Address of the device off that interface to its ip source verify table.
You can add additonal “switchport port-security mac sticky/hardcode” to add a layer of security by also forcing it to match not only the the IP to the interface but also to the MAC Address of the device on that interface.
Configuration is simple enough, but does require DHCP Snooping to be enabled on the switch:
SW1(config)#int ra fa1/0/1 – 4
SW1(config-if-range)#ip verify ?
source source address
SW1(config-if-range)#ip verify source ?
port-security port security
smartlog Smartlog denied packets
tracking tracking ip device
<cr>
SW1(config-if-range)#ip verify source
So lets see what is happening with with our now “show ip verify source” table output:
SW1#sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
——— ———– ———– ————— ——————— —
Fa1/0/1 ip-mac active deny-all permit-all 10
Fa1/0/2 ip-mac active deny-all permit-all 10
Fa1/0/3 ip-mac active deny-all permit-all 10
Fa1/0/4 ip-mac active deny-all permit-all 10
SW1#
So this doesn’t look good, lets see if the DHCP is still struggling to correctly populate the IP DHCP Snooping table:
SW1#sh ip dhcp snoop bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
—————— ————— ———- ————- —- ——————–
Total number of bindings: 0
SW1#
All my routers are plugged into VLAN 10, with two trunks leading to SW2 the DHCP host, lets follow the troubleshooting path:
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Port Vlans allowed and active in management domain
Po1 1,10
Port Vlans in spanning tree forwarding state and not pruned
Po1 1,10
SW1#
I think I may know what might be happening here, I may need to enable DAI Trust on my trunking ports to fix the issue, lets see if this helps:
SW1(config)#int po1
SW1(config-if)#ip arp inspect trust
And lets take a look at the DHCP Snoop bind table now:
SW1#sh ip dhcp snoop bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
—————— ————— ———- ————- —- ——————–
Total number of bindings: 0
SW1#
This is getting maddening, I don’t understand why my routers are not sending out DHCP Discover packets that are reaching the server, when they are able to ping SW2 doing DHCP! :
HostA#ping 10.0.0.20
% Unrecognized host or address, or protocol not running.
HostA#
Uhhhhh. Or maybe not?
Ahhhh AH! :
!
vlan access-map VACL 10
match ip address 10
action forward
!
vlan filter VACL vlan-list 10
I forgot this was the last configuration for last night, so to remove this so I can get on with this demonstration 🙂
SW1(config-if)#exit
SW1(config)#no vlan access-map VACL
SW1(config)#no vlan filter VACL vlan 10
SW1(config)#do sh ip snoop dhcp bind
^
% Invalid input detected at ‘^’ marker.
SW1(config)#do sh ip dhcp snoop bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
—————— ————— ———- ————- —- ——————–
00:1E:F7:97:F1:4B 10.0.0.34 604073 dhcp-snooping 10 FastEthernet1/0/2
00:1B:53:36:F2:CD 10.0.0.31 604073 dhcp-snooping 10 FastEthernet1/0/3
00:0E:84:75:04:E1 10.0.0.33 604120 dhcp-snooping 10 FastEthernet1/0/1
00:0E:D7:10:6C:61 10.0.0.32 604053 dhcp-snooping 10 FastEthernet1/0/4
Total number of bindings: 4
SW1(config)#
Beautiful! All 4 Bindings!
Lets look at our IP Source Guard table now:
SW1(config)#do sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
——— ———– ———– ————— —————– —- —
Fa1/0/1 ip-mac active 10.0.0.33 permit-all 10 disabled
Fa1/0/2 ip-mac active 10.0.0.34 permit-all 10 disabled
Fa1/0/3 ip-mac active 10.0.0.31 permit-all 10 disabled
Fa1/0/4 ip-mac active 10.0.0.32 permit-all 10 disabled
SW1(config)#
Important things to note:
Both DAI and IP Source Guard lookup entries from the DHCP Snooping Bind table, so if that is empty, they will be dropping all traffic!
With DAI, it sets ALL interfaces to non-trusted, so you want to ensure to set “ip arp inspect trust” on any interface you want communicating with the switch, or hard code the IP to MAC mapping in the DHCP Snooping table so it can be looked up.
IP Source guard is ONLY applied at the interface level, and can have “switchport-port security mac …” options configured in addition to map IP’s to interfaces AND MAC addresses, however I didn’t do that here as I am trying to blaze through this topic.
Bot DAI and IP Source Guard will drop traffic that it cannot lookup and find a permit statement within its own table derived from the DHCP Snooping table.
No interfaces will be shut down or put into goofy modes unless port-security is configured on them, DAI and IP Source Guard will only drop traffic from untrusted sources!
IP DHCP Snooping on the other hand is basically just a mechanism to designate your DHCP Server interface, so rogue DHCP servers cannot be introduced to the switch, and Trust must be configured on the interface with “ip dhcp snoop trust” otherwise it will be considered an Untrusted Port.
Untrusted Ports will accept DHCP Discover packets, but they will be dropped if they are destined for an Untrusted Port, along with the different back and forth messages for DHCP addressing (Discover, Offer, Request, Ack, etc).
AND THAT IS IT FOR THIS QUICK REVIEW OF IP SOURCE GUARD!
Some good troubleshooting nuggets, I’m not sure what will be next on deck to lab but it is going to be lab mania up until I pass the SWITCH exam, hopefully on the first attempt on 6/21!
The DEVNET GRIND! 