Posted (edited)

 

Could you please tell me what the problem might be?

When I enable ip verify source port-security on the access ports

I get the following picture:

2960G_K10#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/1      ip-mac       inactive-no-snooping-vlan
Gi0/2      ip-mac       inactive-no-snooping-vlan
Gi0/3      ip-mac       active       deny-all         deny-all           100
Gi0/4      ip-mac       inactive-no-snooping-vlan
Gi0/5      ip-mac       active       deny-all         deny-all           100
Gi0/6      ip-mac       active       deny-all         deny-all           100
Gi0/7      ip-mac       active       deny-all         deny-all           100
Gi0/8      ip-mac       inactive-no-snooping-vlan
Gi0/9      ip-mac       inactive-no-snooping-vlan
Gi0/10     ip-mac       inactive-no-snooping-vlan
Gi0/11     ip-mac       inactive-no-snooping-vlan
Gi0/12     ip-mac       inactive-no-snooping-vlan
Gi0/13     ip-mac       inactive-no-snooping-vlan
Gi0/14     ip-mac       inactive-no-snooping-vlan
Gi0/15     ip-mac       inactive-no-snooping-vlan
Gi0/16     ip-mac       inactive-no-snooping-vlan
Gi0/17     ip-mac       inactive-no-snooping-vlan
Gi0/18     ip-mac       inactive-no-snooping-vlan
Gi0/19     ip-mac       inactive-no-snooping-vlan
Gi0/20     ip-mac       active       deny-all         deny-all           100

 

Configuration of the Cisco 2960G switch:

version 15.0
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
no service dhcp
!
hostname 2960G_K10
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!

username xxxxxx privilege 15 password 7 xxxxxxxxxxxxx
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
system mtu routing 1500
vtp domain xxxxx
vtp mode off
no ip source-route
ip arp inspection vlan 100
no ip gratuitous-arps
ip dhcp bootp ignore
!
!
ip dhcp snooping vlan 100
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip domain-name 2960G_K10.local

!

vlan 100
 name 
!
vlan 4004
 name MGT
!
ip tcp selective-ack
ip tcp timestamp
ip ssh version 2
 

interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport protected
 switchport block multicast
 switchport block unicast
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security aging time 5
 switchport port-security
 ip arp inspection limit rate 10
 storm-control broadcast level pps 10
 storm-control multicast level pps 100
 storm-control action shutdown
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 

================//======================

 

interface GigabitEthernet0/20
 switchport access vlan 100
 switchport mode access
 switchport protected
 switchport block multicast
 switchport block unicast
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security aging time 5
 switchport port-security
 ip arp inspection limit rate 10
 storm-control broadcast level pps 10
 storm-control multicast level pps 100
 storm-control action shutdown
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable

 

 

interface GigabitEthernet0/21
 switchport trunk allowed vlan 100,4004
 switchport mode trunk
 ip arp inspection trust
 shutdown
 ip dhcp snooping trust
!
interface GigabitEthernet0/22
 switchport trunk allowed vlan 100,4004
 switchport mode trunk
 ip arp inspection trust
 shutdown
 ip dhcp snooping trust
!
interface GigabitEthernet0/23
 switchport trunk allowed vlan 100,4004
 switchport mode trunk
 ip arp inspection trust
 shutdown
 ip dhcp snooping trust
!
interface GigabitEthernet0/24
 switchport trunk allowed vlan 100,4004
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
 

interface Vlan1
 no ip address
 shutdown
!
interface Vlan4004
 description MGT
 ip address 10.x.x.x 255.255.0.0
!
no ip http server
no ip http secure-server
no cdp run
!
!
!
no vstack
!
line con 0
 exec-timeout 60 0
 logging synchronous
line vty 0 4
 exec-timeout 60 0
 privilege level 15

 

 

 

Edited by Jora_Cornev
Posted

For a start, show the output of show ip dhcp snooping binding

 

 

Ah, found it:

 

Quote

Note When you enable both IPSG and port security by using the ip verify source port-security interface configuration command, there are two caveats: • The DHCP server must support option-82, or the client is not assigned an IP address.

So remove no ip dhcp snooping information option
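
An added example, not part of the original posts: a small Python check that parses `show ip verify source` output together with a running-config excerpt and flags the condition named in the quoted note (option-82 insertion disabled while `ip verify source port-security` is in use). The sample output, the config excerpt with its `ip verify source port-security` line, the addresses and all function names are constructed for illustration.

```python
import re
# Constructed sample data modelled on the thread; addresses are placeholders.
SHOW_VERIFY = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/1      ip-mac       inactive-no-snooping-vlan
Gi0/3      ip-mac       active       deny-all         deny-all           100
Gi0/5      ip-mac       active       192.0.2.15       00:11:22:33:44:55  100
"""
RUNNING_CONFIG = """\
ip dhcp snooping vlan 100
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet0/3
 ip verify source port-security
"""

def parse_verify_source(text):
    """Map interface -> (filter_mode, ip) from 'show ip verify source' rows."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        # Header and separator rows do not look like an interface name.
        if len(f) >= 3 and re.match(r"[A-Za-z]+\d+(/\d+)+$", f[0]):
            rows[f[0]] = (f[2], f[3] if len(f) > 3 else None)
    return rows

def ipsg_portsec_interfaces(config):
    """Short names of interfaces with 'ip verify source port-security'."""
    found, current = [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1).replace("GigabitEthernet", "Gi")
        elif line.strip() == "ip verify source port-security" and current:
            found.append(current)
    return found

def audit(show_text, config):
    findings = []
    opt82_off = re.search(r"^no ip dhcp snooping information option\s*$", config, re.M)
    if opt82_off and ipsg_portsec_interfaces(config):
        findings.append("option-82 insertion disabled while IPSG port-security mode is in use")
    for iface, (mode, ip) in parse_verify_source(show_text).items():
        if mode.startswith("inactive"):
            findings.append(f"{iface}: filter not applied ({mode})")
        elif ip == "deny-all":
            findings.append(f"{iface}: no binding, all IP traffic dropped")
    return findings
```

Calling `audit(SHOW_VERIFY, RUNNING_CONFIG)` returns one finding for the option-82 setting and one per port that is inactive or in deny-all; a port with a learned binding, such as the constructed Gi0/5 row, produces no finding.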

 
