08-15-2011 01:14 PM - edited 03-07-2019 01:43 AM
Hi,
This might be a stupid question but I would like to understand how we can establish features like Dynamic ARP Inspection (DAI) or IP source guard with IP DHCP snooping on a live network.
What would happen if we enabled all these features after all hosts got their IP address from the DHCP server? Would DAI or IP source guard deny access to all ports?
Is there any sequence that we have to follow when we use these security features?
Thanks for your help
Stephane
Labels: Other Switching
Accepted Solutions
08-16-2011 06:56 AM
Hello,
No, you do not need to deconfigure the DAI/IPSG. The DHCP communication should be possible even with DAI and IPSG turned on. After such a switch is rebooted, its ports will still go down and back up, prompting the connected stations to renew their DHCP leases and thereby populating the DHCP Snooping cache.
Best regards,
Peter
08-15-2011 01:27 PM
Hello,
DAI and IPSG in fact depend on the DHCP Snooping feature, as it is the source of information about particular MAC/IP bindings. If you activate DAI/IPSG after the DHCP Snooping feature was activated and clients got their addresses, then the connectivity should not be interrupted, as all necessary data will already be present in the DHCP Snooping database.
On the other hand, if you activated any of these features after the stations got their addresses, the DAI/IPSG would start blocking these stations until they reacquire their IP addresses from DHCP.
The simple rule is: a station must have its IP/MAC/VLAN/PORT binding recorded in the DHCP Snooping database, otherwise, it is considered an unknown station and its packets are dropped.
Best regards,
Peter
08-15-2011 07:36 PM
Hi Peter,
Does this mean that in a case where we have to shut down a switch using DAI/IPSG features (for maintenance purposes, as an example), we should first remove the DAI/IPSG configuration, save the configuration, reboot the switch so it can fill its DHCP snooping table, and then reconfigure DAI/IPSG in order to prevent the ports from blocking due to unknown assigned IP addresses?
Thanks for your help
Stephane
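An IOS configuration that applies the sequence described in this thread, added here as an example and not taken from any post: DHCP snooping with a trusted uplink goes in first, DAI and IPSG are enabled only after the binding table has been populated, and the snooping database is written to flash so bindings survive a reload (that last step goes beyond what the thread discusses). VLAN 10, the interface names, the flash file name and the static-binding values are assumptions.

```ios
! Step 1: DHCP snooping first, so bindings get learned while hosts renew.
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop option 82 insertion unless the relay/server side expects it.
no ip dhcp snooping information option
! Persist learned bindings across a reload (file name is an assumption).
ip dhcp snooping database flash:dhcp-snoop.db
!
! The uplink toward the DHCP server must be trusted for both snooping
! and DAI, otherwise server replies and upstream ARP are dropped.
interface GigabitEthernet0/1
 description uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Step 2 (only after "show ip dhcp snooping binding" lists the clients):
! DAI on the client VLAN, checking ARP bodies against the binding table.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Step 3: IPSG on untrusted access ports; "ip verify source" filters
! IP traffic whose source is not in the snooping binding table.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! A host with a fixed address needs a static binding, or DAI/IPSG will
! treat it as unknown and drop its traffic (values are placeholders).
ip source binding 0000.0c12.3456 vlan 10 10.10.10.50 interface Gi0/5
!
! Verification after each step:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip verify source
```

If `show ip dhcp snooping binding` is empty for a port after enabling DAI or IPSG, that port's hosts will be blocked until they renew their lease or receive a static binding.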
