Enable IP Source Guard on Cisco SG300-10P with Ubiquiti APs

Tags: cisco, ip, security, ubiquiti, wireless

Problem: We have our Ubiquiti wireless APs hooked up to an SG300-10P. The user's MAC can roam from AP to AP without asking DHCP for an address. We want to have IP Source Guard enabled as a best practice, to prevent someone wreaking havoc on our wireless network with a static IP address.

Unfortunately we had to disable IP Source Guard because it appears to lock the MAC to a port as well as an IP. Let's say a user connects to an AP on Port 1 and pulls an address via DHCP. They then begin to walk across the office and migrate to another AP on port 2. At that point, IP Source Guard drops all of their traffic until they pull a new DHCP address.

Is there a way around this?

Best Answer

That is what source guard is supposed to do. It protects the network by making sure that each address is only coming from one port on the switch. This prevents someone from spoofing to receive traffic destined for a different port. IP source guard doesn't do this by MAC address, but by IP address, so it isn't locking your MAC to a single port, it is locking the IP address to a single port to prevent spoofing. It uses DHCP snooping to lock the IP address to the port. To use the same device from a different port, you would need to pull an address from DHCP on the new port.

You seem to want it to work only for static addresses, but that is not how IP source guard works or what it is designed to do. It requires DHCP snooping to allow an IP address on a port, and that is how it blocks statically assigned IP addresses, but there is no feature that only blocks statically assigned addresses; it is sort of a side effect, which you can get around by putting a static binding on a port to allow a statically addressed device to work on that port.

Cisco has a document, IP Source Guard, which explains this:

Overview of IP Source Guard

IP source guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. IP source guard is a port-based feature that automatically creates an implicit port access control list (PACL).
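The configuration the answer describes, written out for the SG300 CLI as an added example (it is not from the original post or answer). The port layout is assumed: gi1 is the uplink toward the router/DHCP server, gi2 and gi3 carry the Ubiquiti APs, gi4 has a statically addressed host, and the wireless clients live in VLAN 1. The MAC and IP in the static binding are placeholders. Exact command syntax varies by firmware release, so check it against the CLI reference for your SG300 image before applying it.

```text
! Added example for a Cisco SG300-10P; assumed layout, not the poster's config:
!   gi1     = uplink to router/DHCP server  (trusted)
!   gi2-gi3 = Ubiquiti APs                  (untrusted, guarded)
!   gi4     = statically addressed host     (static binding)
!   VLAN 1  = wireless clients
configure
!
! 1. DHCP snooping builds the IP-to-port binding table that IP Source Guard enforces.
!    Only the uplink is trusted, so DHCP offers from a rogue server on an AP port are dropped.
ip dhcp snooping
ip dhcp snooping vlan 1
interface gi1
ip dhcp snooping trust
exit
!
! 2. Enable IP Source Guard globally and on each untrusted AP port.
!    After this, an AP port passes only DHCP plus traffic whose source IP
!    has a binding on that port; everything else is denied.
ip source-guard
interface gi2
ip source-guard
exit
interface gi3
ip source-guard
exit
!
! 3. The workaround from the answer: a static binding lets a statically
!    addressed host pass on gi4 without ever talking to DHCP.
!    (MAC, IP and port are placeholders.)
ip dhcp snooping binding 00:11:22:33:44:55 1 192.168.1.50 gi4 expiry infinite
exit
!
! 4. Verify which bindings the switch will enforce and that the guard is active.
show ip dhcp snooping binding
show ip source-guard status
```

The binding table is the thing to watch while troubleshooting the roaming problem from the question: a client that moved from gi2 to gi3 still appears bound to gi2 in `show ip dhcp snooping binding` until it renews its lease through the new port, which is exactly why its traffic is dropped in the meantime.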