DAI and IP Source Guard using DHCP snooping

Steph1963
Level 1

Hi,

This might be a stupid question but I would like to understand how we can establish features like Dynamic ARP Inspection (DAI) or IP source guard with IP DHCP snooping on a live network.

What would happen if we enabled all these features after all hosts got their IP addresses from the DHCP server? Would DAI or IP source guard deny access to all ports?

Is there any sequence that we have to follow when we use these security features?

Thanks for your help

Stephane

1 Accepted Solution

Hello,

No, you do not need to deconfigure the DAI/IPSG. The DHCP communication should be possible even with DAI and IPSG turned on. After such a switch is rebooted, its ports will still go down and back up, prompting the connected stations to renew their DHCP leases and thereby populating the DHCP Snooping cache.

Best regards,

Peter


3 Replies

Peter Paluch
Cisco Employee

Hello,

DAI and IPSG in fact depend on the DHCP Snooping feature, as it is the source of information about the MAC/IP bindings. If you activate DAI/IPSG after the DHCP Snooping feature was activated and clients got their addresses, then the connectivity should not be interrupted, as all the necessary data will already be present in the DHCP Snooping database.

On the other hand, if you activated any of these features after the stations got their addresses, the DAI/IPSG would start blocking these stations until they reacquire their IP addresses from DHCP.

The simple rule is: a station must have its IP/MAC/VLAN/PORT binding recorded in the DHCP Snooping database; otherwise it is considered an unknown station and its packets are dropped.

Best regards,

Peter
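The dependency Peter describes can be seen in a small model of the switch's decision logic. The following is an added example written for this thread, not Cisco code: it keeps a DHCP snooping binding table and has DAI and IP Source Guard consult it, so you can watch a host that obtained its lease before the features were enabled get dropped until it renews through DHCP. Port names, the MAC address and the IP addresses are constructed, and the checks are simplified (DAI validates sender MAC/IP per VLAN, IPSG validates source IP per port, DHCP client traffic is exempted from IPSG, and the table is lost on reboot because no snooping database agent is modelled).

```python
"""Toy model: DAI and IP Source Guard enforcing the DHCP snooping table.
Added example for illustration; not Cisco's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self):
        self.snooping_vlans = set()   # VLANs where DHCP snooping is enabled
        self.trusted_ports = set()    # uplinks toward the legitimate DHCP server
        self.dai_vlans = set()        # VLANs where Dynamic ARP Inspection is enabled
        self.ipsg_ports = set()       # access ports with IP Source Guard
        self.bindings = {}            # (vlan, mac) -> Binding, learned from DHCP

    # DHCP snooping: learn a binding only from a server reply on a trusted port.
    def dhcp_ack(self, server_port, vlan, client_mac, client_ip, client_port):
        """Return True if the DHCPACK produced a binding table entry."""
        if vlan not in self.snooping_vlans:
            return False              # snooping off: nothing is learned
        if server_port not in self.trusted_ports:
            return False              # server message on an untrusted port is dropped
        self.bindings[(vlan, client_mac)] = Binding(client_mac, client_ip, vlan, client_port)
        return True

    def reboot(self):
        """Bindings are held in RAM here, so a reload empties the table."""
        self.bindings.clear()

    # DAI: ARP on untrusted ports must match a learned MAC/IP pair in the VLAN.
    def arp_allowed(self, port, vlan, sender_mac, sender_ip):
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return True
        b = self.bindings.get((vlan, sender_mac))
        return b is not None and b.ip == sender_ip

    # IPSG: IP traffic on a guarded port must come from a bound source IP on that port.
    def ip_allowed(self, port, vlan, src_ip, is_dhcp_client=False):
        if port not in self.ipsg_ports:
            return True
        if is_dhcp_client:
            return True               # DHCP is let through so the host can (re)acquire a lease
        return any(b.ip == src_ip and b.vlan == vlan and b.port == port
                   for b in self.bindings.values())


def scenario():
    """Host on Gi1/0/2 already holds its lease before the features are turned on."""
    sw = Switch()
    host = dict(port="Gi1/0/2", vlan=10, mac="00:11:22:33:44:55", ip="10.0.10.20")  # constructed
    uplink = "Gi1/0/24"
    r = {}
    # Enable snooping, trust the uplink, then turn on DAI and IPSG.
    sw.snooping_vlans.add(host["vlan"])
    sw.trusted_ports.add(uplink)
    sw.dai_vlans.add(host["vlan"])
    sw.ipsg_ports.add(host["port"])
    # No binding exists for the host yet, so it is an unknown station.
    r["arp_before"] = sw.arp_allowed(host["port"], host["vlan"], host["mac"], host["ip"])
    r["ip_before"] = sw.ip_allowed(host["port"], host["vlan"], host["ip"])
    r["dhcp_before"] = sw.ip_allowed(host["port"], host["vlan"], "0.0.0.0", is_dhcp_client=True)
    # A DHCPACK arriving on an untrusted port is never learned.
    r["untrusted_ack"] = sw.dhcp_ack("Gi1/0/3", host["vlan"], host["mac"], host["ip"], host["port"])
    # The real server's ACK via the trusted uplink creates the binding; traffic flows again.
    r["trusted_ack"] = sw.dhcp_ack(uplink, host["vlan"], host["mac"], host["ip"], host["port"])
    r["arp_after"] = sw.arp_allowed(host["port"], host["vlan"], host["mac"], host["ip"])
    r["ip_after"] = sw.ip_allowed(host["port"], host["vlan"], host["ip"])
    # Reload: table is empty until the host renews its lease after the port comes back up.
    sw.reboot()
    r["arp_post_reboot"] = sw.arp_allowed(host["port"], host["vlan"], host["mac"], host["ip"])
    sw.dhcp_ack(uplink, host["vlan"], host["mac"], host["ip"], host["port"])
    r["arp_renewed"] = sw.arp_allowed(host["port"], host["vlan"], host["mac"], host["ip"])
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:16} {'permit' if v else 'drop/ignored'}")
```

The run shows the ordering rule from Peter's answer: with the features on and no binding, ARP and IP traffic from the host are dropped while its DHCP traffic still passes, so one lease renewal (or a link flap after a reload) is enough to repopulate the table and restore connectivity without touching the DAI/IPSG configuration.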

Hi Peter,

Does this mean that in a case where we have to shut down a switch using DAI/IPSG features, for maintenance purposes as an example, we should first remove the DAI/IPSG configuration, save the configuration, reboot the switch so it can fill its DHCP snooping table, and then reconfigure DAI/IPSG in order to prevent the ports from blocking due to unknown assigned IP addresses?

Thanks for your help

Stephane
