I am going to be deploying DHCP snooping along with IP device tracking to aid with the Dot1x solution also being implemented. As IP device tracking is activated, this also means Dynamic Arp Inspection will be running.
My question is however, if the Binding table is not saved either to flash or FTP server for example, will this mean in the event of a switch reboot, some clients may be blocked from the network until the client DHCP lease expires, and it sends a DHCP broadcast??
Or do the clients send a DHCP broadcast every time the switch port connection is lost and re-established meaning that this will not be a problem for us.
Your support is much appreciated.
If DHCP snooping database is not stored in the flash or other agents, binding information will be lost and there will be no connection unless you manually renew the IP or DHCP release expires.
"To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity"
Hope it helps,
Thanks for the reply, I understand now that with only DHCP snooping running the agent isn't so important, however when using DAI or Source guard it is.
Can you confirm whether the "ip device tracking" command does enable DAI... the below extract seems to suggest it does, but does not give any instructions to mark the uplinks as trusted??
"IP ARP Inspection is enabled automatically when IPDT is enabled; it detects the presence of new hosts when it monitors ARP packets. If dynamic ARP inspection is enabled, only the ARP packets that it validates are used in order to detect new hosts for the Device Tracking table.
IP DHCP Snooping, if enabled, detects the presence or removal of new hosts when DHCP assigns or revokes their IP addresses."
I do not think if you enable IPDT, Dynamic ARP inspection becomes enable because dynamic ARP inspection is rely on ACL and DHCP snooping database. I think that sentence just says it inspects ARP packets to populate IPDT table.
Just remember, IPDT has its own databse and can be updated by DHCP snooping table as long as dynamic ARP inspection is disable.
If you enable DHCP snooping and Dynamic ARP inspection, DHCP snooping populates its databse and DAI uses snooping database as well. You need to specify trust interfaces for both DHCP snooping and ARP inspection. IPDP will use it own database, which is fine and it does not get any update from DHCP snooping. IPDP will work with ARP to fill its table.
Hope it helps