06-19-2013 12:50 AM - edited 03-07-2019 01:58 PM
Hi Experts,
I have some queries regarding DHCP snooping and Dynamic ARP Inspection (DAI).
As I have read, to enable DAI, DHCP snooping should already be enabled.
If DAI is enabled, for any packet coming in on an untrusted port it checks the DHCP snooping database,
and if an entry exists it will forward it.
So how does any user machine get an IP address once connected after DAI is enabled?
Thanks and regards,
Surya
06-19-2013 01:09 AM
Hi,
Suppose your user has got a DHCP address: then it will send a DISCOVER message, which is broadcast (so no need for ARP), then it will receive an OFFER and send out a REQUEST message (still broadcast, so no need for ARP), and finally it will receive an ACK. This way the DHCP snooping binding database will get populated, and then it will be able to send ARP.
Now if your user has got a static IP, then you'll need to use an ARP ACL: http://ccietobe.blogspot.be/2009/01/dynamic-arp-inspection-with-non-dhcp.html
You could also configure static entries in the snooping table for these static IP addresses.
Regards.
Alain
Don't forget to rate helpful posts.
06-19-2013 01:20 AM
Hello
Clients on untrusted ports are still able to obtain an IP address from the DHCP server with DHCP snooping and DAI enabled, as these DHCP requests are not subject to snooping/DAI checks.
Also, DAI can be used without DHCP snooping by using statically assigned filters, as by default DAI will check these filters before the snooping database.
ex:
arp access-list TEST
ip arp inspection filter TEST vlan xx static
I would advise you to read this exceptional post by Peter Paluch
https://supportforums.cisco.com/message/3809251#3809251
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
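To make the two answers above concrete, here is an added toy model of a switch running DHCP snooping and DAI on one VLAN. It is constructed for this thread and is not Cisco code or anything from the posters: it shows the DHCP DISCOVER/OFFER/REQUEST/ACK exchange going through without ARP and populating the binding table (Alain's point), DAI validating ARP on untrusted ports against a static ARP ACL first and the binding table second (Paul's point), server messages being refused on untrusted ports, and the effect of the `static` keyword, which turns an ACL miss into a drop instead of a fall-through to the binding table. Port names, MAC addresses and the 192.0.2.0/24 addresses are made-up sample values; the ARP ACL name TEST is taken from the post.

```python
"""Toy model of DHCP snooping + Dynamic ARP Inspection (DAI) on one VLAN.

Constructed example for illustration; not Cisco code. Port names, MACs and
IPs below are made up. Models the behaviour discussed in the thread:
  * DHCP messages are broadcast and are not inspected by DAI, so a client
    needs no ARP to obtain a lease;
  * the snooping binding table is learned from the DHCP exchange;
  * DAI checks ARP on untrusted ports against a static ARP ACL first and the
    binding table second; with the 'static' keyword an ACL miss is a drop.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Port:
    name: str
    trusted: bool = False  # trusted = faces the DHCP server/uplink; snooping and DAI skip it


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    ports: Dict[str, Port]
    arp_acl: Dict[str, str] = field(default_factory=dict)  # ARP ACL "TEST": mac -> permitted ip
    acl_static: bool = False  # True models 'ip arp inspection filter TEST vlan xx static'
    bindings: Dict[str, Binding] = field(default_factory=dict)  # DHCP snooping binding table
    pending: Dict[str, str] = field(default_factory=dict)  # client mac -> port seen in DISCOVER/REQUEST
    log: List[str] = field(default_factory=list)

    def dhcp(self, port: str, msg: str, client_mac: str,
             yiaddr: Optional[str] = None, vlan: int = 10) -> bool:
        """Return True if the DHCP message is forwarded. DAI never looks at DHCP."""
        if msg in ("DISCOVER", "REQUEST"):
            # Client broadcast: reaches the server without any ARP resolution.
            self.pending[client_mac] = port
            self.log.append(f"FWD DHCP {msg} from {client_mac} on {port} (broadcast, not inspected by DAI)")
            return True
        if msg in ("OFFER", "ACK"):
            if not self.ports[port].trusted:
                # DHCP snooping drops server messages arriving on untrusted ports.
                self.log.append(f"DROP DHCP {msg} on untrusted {port}")
                return False
            if msg == "ACK" and client_mac in self.pending:
                client_port = self.pending.pop(client_mac)
                self.bindings[client_mac] = Binding(client_mac, yiaddr, vlan, client_port)
                self.log.append(f"BIND {client_mac} -> {yiaddr} vlan {vlan} on {client_port}")
            self.log.append(f"FWD DHCP {msg} for {client_mac}")
            return True
        raise ValueError(f"unknown DHCP message {msg}")

    def arp(self, port: str, sender_mac: str, sender_ip: str, vlan: int = 10) -> bool:
        """Return True if DAI lets the ARP packet through."""
        if self.ports[port].trusted:
            return True  # DAI only inspects untrusted ports
        if sender_mac in self.arp_acl:  # 1. static ARP ACL is consulted first
            ok = self.arp_acl[sender_mac] == sender_ip
            self.log.append(f"{'FWD' if ok else 'DROP'} ARP {sender_mac}/{sender_ip} on {port}: ARP ACL")
            return ok
        if self.arp_acl and self.acl_static:  # 'static': implicit deny is final
            self.log.append(f"DROP ARP {sender_mac}/{sender_ip} on {port}: ACL implicit deny (static)")
            return False
        b = self.bindings.get(sender_mac)  # 2. fall back to the snooping binding table
        ok = b is not None and b.ip == sender_ip and b.vlan == vlan
        self.log.append(f"{'FWD' if ok else 'DROP'} ARP {sender_mac}/{sender_ip} on {port}: binding table")
        return ok


def run_scenario(acl_static: bool = False) -> Dict[str, bool]:
    """Walk a DHCP client and a static host through the switch; return each verdict."""
    sw = Switch(
        ports={"Gi1/0/1": Port("Gi1/0/1"), "Gi1/0/2": Port("Gi1/0/2"),
               "Gi1/0/3": Port("Gi1/0/3"), "Gi1/0/24": Port("Gi1/0/24", trusted=True)},
        arp_acl={"0000.1111.2222": "192.0.2.50"},  # static host on Gi1/0/2 (made-up values)
        acl_static=acl_static,
    )
    client = "0000.aaaa.bbbb"
    r: Dict[str, bool] = {}
    r["arp_before_dhcp"] = sw.arp("Gi1/0/1", client, "192.0.2.10")      # no binding yet
    sw.dhcp("Gi1/0/1", "DISCOVER", client)
    r["rogue_offer"] = sw.dhcp("Gi1/0/3", "OFFER", client, "192.0.2.99")  # server on untrusted port
    sw.dhcp("Gi1/0/24", "OFFER", client, "192.0.2.10")
    sw.dhcp("Gi1/0/1", "REQUEST", client)
    sw.dhcp("Gi1/0/24", "ACK", client, "192.0.2.10")                      # binding learned here
    r["arp_after_dhcp"] = sw.arp("Gi1/0/1", client, "192.0.2.10")
    r["arp_spoof_gateway"] = sw.arp("Gi1/0/1", client, "192.0.2.1")      # IP not in binding
    r["static_host_ok"] = sw.arp("Gi1/0/2", "0000.1111.2222", "192.0.2.50")
    r["static_host_wrong_ip"] = sw.arp("Gi1/0/2", "0000.1111.2222", "192.0.2.1")
    r["trusted_uplink"] = sw.arp("Gi1/0/24", "0000.9999.9999", "192.0.2.1")
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:22s} {'forwarded' if v else 'dropped'}")
```

Running it with the default (no `static` keyword) shows the DHCP client's ARP dropped before the lease, forwarded after it, and dropped again when it claims the gateway address, while the static host passes only with the IP/MAC pair in the ACL. Calling `run_scenario(acl_static=True)` shows the caveat of Paul's `static` keyword: on a VLAN that also has DHCP clients, any ARP not matched by the ACL is dropped outright, so the DHCP client loses ARP even with a valid binding.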