08-15-2011 01:14 PM - edited 03-07-2019 01:43 AM
Hi,
This might be a stupid question but I would like to understand how we can establish features like Dynamic ARP Inspection (DAI) or IP source guard with IP DHCP snooping on a live network.
What would happen if we enabled all these features after all hosts got their IP address from the DHCP server? Would DAI or IP source guard deny access to all ports?
Is there any sequence that we have to follow when we use these security features?
Thanks for your help
Stephane
08-15-2011 01:27 PM
Hello,
DAI and IPSG in fact depend on the DHCP Snooping feature, as it is the source of information about particular MAC/IP bindings. If you activate DAI/IPSG after the DHCP Snooping feature was activated and clients got their addresses, then the connectivity should not be interrupted, as all necessary data will already be present in the DHCP Snooping database.
On the other hand, if you activated any of these features after the stations got their addresses, the DAI/IPSG would start blocking these stations until they reacquire their IP addresses from DHCP.
The simple rule is: a station must have its IP/MAC/VLAN/PORT binding recorded in the DHCP Snooping database, otherwise, it is considered an unknown station and its packets are dropped.
Best regards,
Peter
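A configuration sequence that follows the rule above, added here as an example (not from the thread and not Cisco documentation), assuming Catalyst IOS syntax, VLAN 10, an uplink to the DHCP server on GigabitEthernet1/0/1, and constructed MAC/IP values:

```cisco
! Step 1: DHCP snooping first. It builds the IP/MAC/VLAN/port binding table
! that DAI and IPSG consult; nothing is dropped yet at this stage.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Assumption: persist the binding table so a reload does not start with an
! empty table (the thread does not cover this; without it, bindings are only
! rebuilt as stations renew their leases after the ports come back up).
ip dhcp snooping database flash:dhcp-snooping.db
!
! Uplink toward the DHCP server: trusted for snooping and for ARP inspection.
interface GigabitEthernet1/0/1
 description uplink to distribution (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Step 2: wait for clients to (re)acquire leases, then confirm bindings exist
! before enforcing anything:
!   show ip dhcp snooping binding
!
! Step 3: only now enable DAI for the VLAN and IPSG on the access ports.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface range GigabitEthernet1/0/2 - 24
 switchport access vlan 10
 ip verify source
!
! A host with a static address has no DHCP binding and would be treated as
! unknown; record it manually (constructed MAC/IP values).
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/10
!
! Checks after enabling:
!   show ip arp inspection vlan 10
!   show ip verify source
!   show ip arp inspection statistics vlan 10
```

If the counters in `show ip arp inspection statistics` climb on a port whose station is legitimate, check first whether that station simply has no entry in `show ip dhcp snooping binding`.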
08-15-2011 07:36 PM
Hi Peter,
Does this mean that in a case where we have to shut down, for maintenance purposes for example, a switch using DAI/IPSG features, we should first remove the DAI/IPSG configuration, save the configuration, reboot the switch so it can fill its DHCP snooping table and then reconfigure DAI/IPSG in order to prevent the ports from blocking due to unknown assigned IP addresses?
Thanks for your help
Stephane
08-16-2011 06:56 AM
Hello,
No, you do not need to deconfigure the DAI/IPSG. The DHCP communication should be possible even with DAI and IPSG turned on. After such a switch is rebooted, its ports will still go down and back up, prompting the connected stations to renew their DHCP leases and thereby populating the DHCP Snooping cache.
Best regards,
Peter