Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!
Community Manager

Ask the Expert:Catalyst Security (DHCP Snooping, DAI, IP source guard)

Judhajit Ghosh

Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco expert Judhajit Ghosh about Catalyst Security.

Judhajit is an engineer at Cisco who specializes in LAN Switching and has certifications in CCNA and CCNP(BCMSN).He has a Masters in Electronics Science."

Remember to use the rating system to let Judhajit know if you have received an adequate response. 

Judhajit might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infastructure sub-community discussion forum shortly after the event.   This event is a continuation of the facebook forum and lasts through June 29, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

Rajeev Sharma
Cisco Employee

Hi Judhajit,

Glad to see you, i need to know how to track the rouge DHCP server with DHCP Snooping?



Hey Rajeev,

I believe the answer is negative. These features are there to prevent the rouge machines 
becoming the DHCP server and not to find them explicitly. So, you need to know where your
legitimate DHCP server is and trust only the path towards it. All the DHCP offers and ACKs
from untrusted ports will be droped.

Hope that helps....

Nathan Eger

Hello Judhajit,

I am curious what type of performance impact occurs as a result of turning on the DHCP Snooping, and DAI features?  It is my understanding that these security features are processed by the CPU of the switch and not

necessarily the ASICs.  Is my understanding correct?

Hi Nathan,

Thank you for asking.

Yes, you are correct. Unlike IP source guard, that is fully hardware based,DHCP snooping and DAI involves software

switching. DHCP snooping requires inspection of all dhcp packets in software in order to validate dhcp response

packets and learn dhcp hosts to port bindings.

Dynamic arp inspection requires validation  of all arp packets on the vlan.However, DAI doesn¹t build any table and

validates hosts against the bindings in the dhcp snooping binding table.

Yes, CPU can go high if there are lots of dhcp packets. We haven¹t performed any specific benchmark testing with

respect to how many dhcp packets can be handled but this will be around the same as normal packet switching.

Normally we don¹t expect a very high rate of such traffic.

The same goes true for Dyanamic ARP Inspection. Too many ARP packets processed or the configuration done incorrectly, will spike the CPU.

Also, the DHCP Snooping binding table and database is handled by the memory of the switch and will depend on the

IOS codes, in case of 6k platform.

There are a couple of rate-limiting options available to protect the CPU for both snooping and DAI, and can be found

in config guides.

Also wanted to mention that on the Sup2T we have an enhancement for DAI whereby DAI can also be performed

in hardware

Hope that answers your question...

Jonatan Jonasson

Hi Judhajit,

In regards to these features mentioned in the subject, can you tell me what corresponding IPv6 security features are available for a company that has access switches that mostly consist of 3560 and 3750, if any?

Or do you know if any of these features (RA guard for example) is on the roadmap for these types of switches.

DHCP snooping is for IPV4 DHCP servers, so it will not work for IPV6. As far as the other security features are considered, I am not very sure for 3560/3750 platforms, apart from ipv6 ACLs.

As far as I know, ipv6 nd inspection and hence, the RA guard, could be implemented from the software version 15.0(2) SE.

Not sure about its release date, however, 15.0(1) SE3 is the latest on CCO, which doesn't have these features. Also, it could be implemented in 3560X/ 3750X series switches first.

Can keep you updated as I know more....

Hi Judhajit,

Not sure if this discussion is still active. If you do, could you please advise the disadvantage that I can have by just having DHCP snooping configured without DAI or IP source guard explicitly enabled in my switching?

Thanks for your contribution.


Rising star


I have a question regarding catalyst security.

if I have the need to limit the ability for clients to speak with eachother how do I do that ?

Since I need some direct connection between them such as Lync/communicator i can not use Private vlan edge/protected ports, and for the same reason I can not use a MAC address access list.

But if I use a IP access-list the ports will still let other types of unwanted traffic through such as netbios ipx/spx and so on.

and I can not combine several types of access-lists (ip/mac) since the switches will not allow for that.

How/what can I do to limit the access possibilities between clients ?



Hello Judhajit,

You said that Database agent feature for dhcp snooping is necessary upon reload. I want to ask that if I reload the switch with not changing any connections on it, I think that the all the devices on the switch will contact the DHCP server again and renew their leases. Am I wrong? So if that what happend I think that database agent feature is a little bit unnecessary.




Hi all,

I am in trouble here. Please tell me how much max memory can be utilized by DHCP snooping database if we configure the database in our flash of layer3 switch?

I need to implement dhcp snooping this week. Pleas reply.