Friday, September 24, 2021

Cisco IP Source Guard and APIPA Addresses

I've been trying to set up a Cisco 3750X in my lab. So far, I've successfully configured DHCP Snooping and DAI (Dynamic ARP Inspection). However, I'm having issues with IP Source Guard.

The problem is that some dynamic IP clients (e.g. Windows) sometimes assign themselves an APIPA address in the 169.254.0.0 subnet when their interface comes up and they don't immediately receive a response from the DHCP server. Once they do, all their DHCP requests carry this APIPA address as the source instead of 0.0.0.0, and are of course dropped by IP Source Guard, which only permits DHCP traffic from 0.0.0.0 or from a source that matches a binding. This results in the Windows client never getting assigned a proper DHCP address.

DAI was also blocking these APIPA addresses, but I managed to resolve it by including the APIPA subnet in the ARP ACL. However, IP Source Guard seems to only allow static bindings (i.e. a single IP address to a single MAC), and I haven't managed to find an equivalent solution.

I usually see this issue happening when the switch reloads while the clients are on. When that happens, the switch brings up the Windows clients' Gigabit Ethernet interfaces a few seconds before the Port-Channel where the DHCP server is located. In these few seconds the clients switch from 0.0.0.0 to APIPA because of some internal timeout.
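To make the failure mode concrete, here is an added, simplified model of the per-port IP Source Guard filter (not Cisco code, and not from the original post): DHCP from 0.0.0.0 is permitted, traffic matching a snooped or static binding is permitted, everything else is dropped. The port names, MACs and packets are constructed sample data; `apipa_stuck_ports` flags the symptom described above, a port whose only DHCP traffic is being dropped because the client fell back to an APIPA source.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

APIPA = ip_network("169.254.0.0/16")  # link-local range Windows falls back to

@dataclass(frozen=True)
class Packet:
    port: str       # ingress switchport (constructed names)
    src_mac: str
    src_ip: str
    udp_dport: int  # 67 = DHCP server port, i.e. client -> server traffic

def ipsg_verdict(pkt: Packet, bindings: dict) -> tuple[str, str]:
    """Return (verdict, reason). `bindings` maps (port, mac) -> ip and stands
    in for the union of the DHCP snooping table and static source bindings."""
    # An unbound host may only talk to DHCP from the unspecified address.
    if pkt.src_ip == "0.0.0.0" and pkt.udp_dport == 67:
        return "permit", "dhcp-from-unspecified"
    if bindings.get((pkt.port, pkt.src_mac)) == pkt.src_ip:
        return "permit", "binding-match"
    if ip_address(pkt.src_ip) in APIPA:
        return "drop", "apipa-source-no-binding"
    return "drop", "no-binding"

def apipa_stuck_ports(packets: list[Packet], bindings: dict) -> set[str]:
    """Ports where DHCP client traffic is dropped solely because the client
    sources it from an APIPA address: the deadlock described in the post."""
    return {
        p.port for p in packets
        if p.udp_dport == 67
        and ipsg_verdict(p, bindings) == ("drop", "apipa-source-no-binding")
    }

# Constructed sample: client on Gi1/0/1 fell back to APIPA after a reload,
# client on Gi1/0/2 still has a binding snooped before the reload.
BINDINGS = {("Gi1/0/2", "00:11:22:33:44:55"): "10.0.0.20"}
SAMPLE = [
    Packet("Gi1/0/1", "aa:bb:cc:dd:ee:01", "0.0.0.0", 67),       # normal DISCOVER
    Packet("Gi1/0/1", "aa:bb:cc:dd:ee:01", "169.254.37.9", 67),  # DISCOVER after APIPA fallback
    Packet("Gi1/0/2", "00:11:22:33:44:55", "10.0.0.20", 53),     # ordinary bound traffic
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.port, p.src_ip, *ipsg_verdict(p, BINDINGS))
    print("stuck ports:", apipa_stuck_ports(SAMPLE, BINDINGS))
```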

Has anyone faced the same problem? Any potential solutions?


