
5 Oct 2012

Cisco 2960s IP Source Guard Port-Security Issue

IP Source Guard

Yesterday I had an issue where IP source guard with MAC address filtering was applied across a range of switches, including 3560Gs and 2960Ss. The majority of switches functioned fine, with the applied changes not affecting users. One issue appeared with a pair of 2960S switches which were running in series (one trunked to the next), where users could not obtain IP addresses from the DHCP server.

The same switches in a different building, with the same IOS version and the same configuration, were functioning correctly (as were many others, but on different VLANs).

I then took the steps of restoring the previous working configuration and adding in the new configuration one line at a time. The changes being made were the implementation of dynamic ARP inspection, port security and IP source guard.

If the command ip verify source was applied, all was well (I checked this by shutting down ports, clearing the ip snooping binding table, adding the command, then activating the ports again and checking whether IPs were obtained).

The command ip verify source port-security was causing issues, which I originally thought could have been caused by an option 82 issue, but it was allowed in the configuration and the DHCP server has had no issues with it in the past.

I then decided to upgrade the IOS version from 15.0(1)SE1 to 15.0(2)SE. This surprisingly fixed the issue and all was well with IP source guard once more.
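
The features and the per-port test described above, laid out as an added Cisco IOS example; this is not the configuration from the affected switches. VLAN 10, the interface numbers and the port-security maximum are assumed placeholders.

```cisco
! --- Global: DHCP snooping builds the binding table that IP source
! --- guard and dynamic ARP inspection both consult (VLAN 10 assumed)
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
ip arp inspection vlan 10
!
! --- Inter-switch trunk / uplink towards the DHCP server (assumed port)
interface GigabitEthernet1/0/49
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access port, variant A: filter on source IP only
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! --- Access port, variant B: filter on source IP and source MAC.
! --- Needs port security on the port; Cisco's configuration guide also
! --- requires a DHCP server that supports option 82 for this variant.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ip verify source port-security
!
! --- Re-test one port from a clean state (privileged EXEC / config mode)
! configure terminal
!  interface GigabitEthernet1/0/2
!   shutdown
!  end
! clear ip dhcp snooping binding *
! configure terminal
!  interface GigabitEthernet1/0/2
!   no shutdown
!  end
!
! --- Verify: a lease should appear as a binding, and the filter type
! --- should read "ip" for variant A and "ip-mac" for variant B
! show ip dhcp snooping binding
! show ip verify source interface GigabitEthernet1/0/2
! show port-security interface GigabitEthernet1/0/2
```

If the client gets no lease, no row appears in the binding table for that port and the source guard entry shows a deny-all filter, which is the symptom to compare before and after an IOS upgrade.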
