Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
553
Views
0
Helpful
0
Replies

DHCP Snooping and DAI stops DHCP Clients from receiving IPs

Alin Scarlat
Level 1
Level 1

‎12-15-2013 03:27 AM - edited ‎03-07-2019 05:05 PM

Hello,

I've  been having some issues for quite some time now regarding the  implementation of DAI over DHCP Snooping in a dynamic environment. I've  been searching for a thread/discussion that is remotely related to mine  but unfortunately I wasn't able to find one so please excuse me if I  didn't post in the right category.

The problem is as follows:

Giving  3 x 3560 (WS-C3560G-24TS-S) and a laptop I've tried enhancing the  security by activating both DHCP Snooping and DAI. One of the 3560 is  the DHCP Server, the second one is a "transit" switch and the third one  is the "access" switch.

The topology would be similar to this:

Laptop -> 3560 (Access Switch) -> 3560 (Distribution SW) -> 3560 (Core Switch + DHCP Server)

The  configuration for the access and distribution switches, before  implementing DAI, in order for the laptop to receive IP from the DHCP  Server would be like this:

  • Put the laptop in access mode and in corresponding vlan
  • DHCP Snooping enabled for that certain VLAN on both access and distribution switches
  • Disable option-82
  • Set the trunk that goes from access to distribution and the trunk from distribution to core as trusted

In this current setup the laptop is able to receive the IP and the rest of the DHCP Server information as planned.

If I enable DAI on the access switch no other laptops will be able to gain IP from the DHCP Server. Here are the steps used:

  • Enable  DAI for the vlan that the new laptop will be connected to on both  access and distribution switches (the ports on the access switch are all  in the right vlan and manually access)
  • Set the trunk from access to distribution and the trunk from distribution as trust

After all this is set if a new laptop plugs in, DAI will not allow it to get the info from the DHCP Server.

I've been searching for answer for a while now and my logic, so far, is the following:

DAI  is looking at DHCP Snooping DB and at ARP ACLs to allow that ARP packet  to flow but since it's a new laptop and it hasn't got an entry in the  DHCP Snooping DB and since it's a random laptop it can't have any entry  in a manually configured ARP ACL, it will drop any ARP request from it  and it won't be able to reach the DHCP Server to do the 4 steps.

Since  I couldn't find a logical and a practical way to resolve this problem  I'm asking for your advice and help into solving this issue.

Looking forward to your reply.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card