I discovered something when trying to convert 3750 config to 9300 syntax and I'm wondering if the 3750s never worked quite right or it was just not fully understood. If anyone can test, I'd appreciate it
So we have DAI and IPSG enabled. DAI is working using:
ip arp inspection vlan [#] ip arp inspection log-buffer entries 1024 ip arp inspection log-buffer logs 15 interval 5 ip arp inspection filter [ACL_NAME] vlan [#]
Static IP addresses require a static entry using:
arp access-list [ACL_NAME] permit ip host [IP] mac host [MAC]
This is working fine; when enabled a static IP address won't work until the entry is added to the ARP ACL. However, things work fine when it comes to IPSG and no static ip source binding
Global Config:
ip dhcp snooping vlan [#] no ip dhcp snooping information option ip dhcp snooping database [Location] ip dhcp snooping ip device tracking probe interval 90 ip device tracking probe auto-source override ip device tracking probe delay 10
Interface Config:
interface GigabitEthernet[#] switchport access vlan [#] switchport mode access switchport nonegotiate switchport port-security maximum 2 switchport port-security maximum 1 vlan access switchport port-security violation shutdown vlan switchport port-security aging time 2 switchport port-security aging type inactivity switchport port-security ip device tracking maximum 2 power inline never power inline police action log priority-queue out no cdp enable storm-control broadcast level pps 500 350 storm-control action shutdown storm-control action trap spanning-tree portfast edge service-policy input [Policy_Name] ip verify source tracking ip dhcp snooping limit rate 100 end
This seemingly should require the following statement to work:
ip source binding [MAC] vlan [#] [IP] interface Gi[#]
And that's what was there. I removed it and pings stopped. But then I bounced the port and it began working again
I'm thinking this must not be required based on the verbiage in the following link:
IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device tracking-table entries to install port ACLs. The switch creates static entries based on ARP requests or other IP packets to maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send traffic to a given port. This is equivalent to port security at Layer 3.
I do have an entry when looking at the device tracking table
----------------------------------------------------------------------------------------------- IP Address MAC Address Vlan Interface Probe-Timeout State Source ----------------------------------------------------------------------------------------------- [IP] [MAC] [VLAN] GigabitEthernet[#] 90 ACTIVE ARP
The config guides and blogs I see all mention the static binding. I get that, and it makes sense, yet works without it. Can anyone test this and see if you get the same results? I don't think I'm missing anything but perhaps I am. I noticed on the 9300s things working before I got a chance to add the static entry and this is how it came to my attention. I do have a TAC case but so far no answer
Any thoughts?
TIA
No comments:
Post a Comment