DHCP Snooping +DAI

fb_webuser
Level 6

Dear respected, I need to consult you. We are going to implement DHCP snooping along with DAI (Dynamic ARP Inspection) in our network. My doubt is what will happen when the switch power is turned off and turned on again. After reloading, the DHCP binding table will be empty and users will start sending ARP requests to get an IP address through the DHCP server (trusted ports are configured on the trunk ports, the uplinks to the cores). Now how will the switch deal with these ARP requests? Will the switch drop all requests and consider them an attack because there is no entry for any host + MAC in the DHCP binding table? Or will it pass them and re-build the DHCP binding table again? Please advise. Thank you

---

Posted by WebUser Emad Kairallah

1 Reply

ajay chauhan
Level 7

DHCP Snooping and Dynamic ARP Inspection (DAI) must be configured on end-user VLANs and on VLANs located in public areas, as a requirement.

The combination of DHCP Snooping and Dynamic ARP Inspection (DAI) is used to mitigate ARP poisoning attacks and man-in-the-middle attacks on the enterprise network.

DAI config for end-user ports:

ip dhcp snooping vlan <users,phone>

ip arp inspection vlan <users,phone>

DAI untrusts all the end-user ports and trusts all the uplinks.

ip dhcp snooping trust  > By default all ports are untrusted.

ip arp inspection trust  > Must be placed on all uplinks (trunks).

ip arp inspection validate src-mac

ip dhcp snooping database bootflash:dhcpsnooping.txt  > Saves and dynamically updates the DHCP snooping table in bootflash. In case of a switch reload, this table will be copied back to the running config.

Once configured, every ARP packet that traverses these VLANs is inspected for a corresponding entry in the binding table. If a binding is there, the packet is allowed to pass. If not, the packet is dropped and logged.

The default rate limit for ARP inspection is 15 packets per second. It is configurable with the following command:

ip arp inspection limit rate

Thanks
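To make the reload question concrete, here is a small Python model of the behaviour the reply describes (an added example, not from the thread and not Cisco IOS code): the binding table, trusted uplinks, the src-mac check, the 15 pps limit, and what happens to a host's ARP after a reload with and without the snooping database agent. Port names, VLAN, addresses and the simplified (vlan, ip) -> mac binding key are constructed for the example.

```python
"""Toy model of an access switch running DHCP snooping + DAI (added example, not from the post)."""
from dataclasses import dataclass, field

ARP_RATE_LIMIT = 15  # default pps on untrusted ports, as the reply states


@dataclass
class Switch:
    trusted_ports: set
    database_agent: bool = False  # 'ip dhcp snooping database ...' configured?
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> mac, held in RAM
    database: dict = field(default_factory=dict)  # persisted copy (bootflash)
    arp_seen: dict = field(default_factory=dict)  # port -> ARPs seen this second
    log: list = field(default_factory=list)

    def dhcp_ack(self, vlan, ip, mac):
        """A snooped DHCPACK creates a binding; DHCP itself is not subject to DAI."""
        self.bindings[(vlan, ip)] = mac
        if self.database_agent:
            self.database[(vlan, ip)] = mac

    def reload(self):
        # power cycle: RAM bindings are lost; only the database agent restores them
        self.bindings = dict(self.database) if self.database_agent else {}

    def arp(self, port, vlan, eth_src, sender_mac, sender_ip):
        if port in self.trusted_ports:  # uplinks: not inspected
            return "forward"
        self.arp_seen[port] = self.arp_seen.get(port, 0) + 1
        if self.arp_seen[port] > ARP_RATE_LIMIT:
            self.log.append(f"{port}: ARP rate limit exceeded, port err-disabled")
            return "err-disable"
        if eth_src != sender_mac:  # 'ip arp inspection validate src-mac'
            self.log.append(f"{port}: Ethernet src {eth_src} != ARP sender {sender_mac}")
            return "drop"
        if self.bindings.get((vlan, sender_ip)) != sender_mac:
            self.log.append(f"{port}: no binding for {sender_ip}/{sender_mac} in vlan {vlan}")
            return "drop"
        return "forward"


def reload_scenario(database_agent):
    """Verdicts for one host's ARP: before a reload, right after it, after it re-DHCPs."""
    sw = Switch(trusted_ports={"Gi1/0/48"}, database_agent=database_agent)
    host = dict(port="Gi1/0/1", vlan=10, eth_src="aa:aa:aa:00:00:01",
                sender_mac="aa:aa:aa:00:00:01", sender_ip="10.0.10.5")
    sw.dhcp_ack(10, "10.0.10.5", "aa:aa:aa:00:00:01")
    before = sw.arp(**host)
    sw.reload()
    after = sw.arp(**host)  # empty table: drop unless the agent restored it
    sw.dhcp_ack(10, "10.0.10.5", "aa:aa:aa:00:00:01")  # lease re-acquired via DHCP
    rebuilt = sw.arp(**host)
    return before, after, rebuilt
```

Without the database agent the host's ARP is dropped after the reload until its DHCP exchange (which DAI never inspects) recreates the binding; with the agent the restored table lets it through immediately.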
