DHCP Snooping (binding database advice)

Cisco Junky
Level 1

Hi,


I am going to be deploying DHCP snooping along with IP device tracking to aid with the Dot1x solution also being implemented. As IP device tracking is activated, this also means Dynamic Arp Inspection will be running.

My question is, however: if the binding table is not saved (to flash or to an FTP server, for example), will this mean that in the event of a switch reboot some clients may be blocked from the network until the client's DHCP lease expires and it sends a DHCP broadcast?

Or do the clients send a DHCP broadcast every time the switch port connection is lost and re-established, meaning that this will not be a problem for us?


Your support is much appreciated.

3 Replies

Hello,

If the DHCP snooping database is not stored in flash or via another agent, the binding information will be lost and there will be no connection unless you manually renew the IP or the DHCP lease expires.

"To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity"

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html

Hope it helps,

Masoud

Thanks for the reply. I understand now that with only DHCP snooping running the agent isn't so important; however, when using DAI or Source Guard it is.

Can you confirm whether the "ip device tracking" command does enable DAI? The extract below seems to suggest it does, but does not give any instructions to mark the uplinks as trusted.

"IP ARP Inspection is enabled automatically when IPDT is enabled; it detects the presence of new hosts when it monitors ARP packets. If dynamic ARP inspection is enabled, only the ARP packets that it validates are used in order to detect new hosts for the Device Tracking table.

IP DHCP Snooping, if enabled, detects the presence or removal of new hosts when DHCP assigns or revokes their IP addresses."

http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html

Hello,

I do not think that if you enable IPDT, Dynamic ARP Inspection becomes enabled, because Dynamic ARP Inspection relies on ACLs and the DHCP snooping database. I think that sentence just says it inspects ARP packets to populate the IPDT table.

Just remember, IPDT has its own database and can be updated by the DHCP snooping table as long as Dynamic ARP Inspection is disabled.

If you enable DHCP snooping and Dynamic ARP Inspection, DHCP snooping populates its database and DAI uses the snooping database as well. You need to specify trusted interfaces for both DHCP snooping and ARP inspection. IPDT will use its own database, which is fine, and it does not get any update from DHCP snooping. IPDT will work with ARP to fill its table.

Hope it helps

Masoud
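An added configuration example (not posted in this thread and not taken from Cisco's documentation) that puts the replies' points together: the weak setup that loses its bindings on reload, beside a version with the DHCP snooping database agent, DAI on the same VLAN, and both trust settings on the uplink. The interface names, VLAN number, file name and write-delay value are assumptions.

```cisco
! --- Weak: DHCP snooping and DAI enabled, but no database agent.
! Bindings exist only in memory; after a reload the table is empty
! and DAI drops ARP from every host that has not yet renewed its
! lease (the loss of connectivity described in the replies).
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! --- Corrected: persist the binding database so it survives a reload.
! File name and timer are assumed; a tftp:// or ftp:// URL also works.
ip dhcp snooping database flash:dhcp-snoop.db
ip dhcp snooping database write-delay 60
!
! Global IP device tracking for the dot1x deployment (does not itself
! enable DAI; DAI is the "ip arp inspection vlan" line above).
ip device tracking
!
! Uplink toward the DHCP server: must be trusted for BOTH features,
! or snooping drops server replies and DAI drops ARP from upstream.
interface GigabitEthernet1/0/48
 description UPLINK (assumed interface)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port: left untrusted (the default) so client DHCP and ARP
! are validated; rate-limit ARP to the usual 15 pps.
interface GigabitEthernet1/0/1
 description ACCESS (assumed interface)
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Verification after a reload: bindings should be present and the
! agent should show a successful read of the database file.
! show ip dhcp snooping binding
! show ip dhcp snooping database
! show ip arp inspection vlan 10
```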
