05-11-2011 07:41 AM - edited 03-06-2019 05:00 PM
Hi,
I have the following problem with IP DHCP snooping. This feature is enabled for vlan 11, along with Dynamic ARP Inspection.
When I disable DHCP Snooping globally and enable it, after a while I get complaints from users that they cannot connect to the LAN. The problem is solved only when I asked them to reboot their machines.
Any idea?
05-11-2011 01:27 PM
Hello Wassim,
>> The problem is solved only when I asked them to reboot their machines.
>> any idea?
Disabling/enabling DHCP snooping resets the DHCP bindings database. When the user PC is rebooted, it performs a DHCP request again and can get an IP address and access to the network.
Before that, a PC tries to access the network with its current DHCP lease, but it is not considered an authorized host because it is not in the database.
You should store the DHCP binding database on an external server for later retrieval.
see
Hope to help
Giuseppe
05-12-2011 12:38 AM
Hi Giuseppe,
I uploaded the config. I note that there are IP DHCP snooping and Dynamic ARP Inspection configured. Could it be because of DAI?
- I actually have a DHCP snooping database agent configured. The agent file exists and is populated, and the TFTP server is up. I thought that, if I disable/enable DHCP snooping, the switch will restore its DHCP snooping database from the remote file.
However I keep receiving the following message:
" %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/28, vlan 11.([f4ce.4602.fa9b/10.100.0.113/0008.e3ff.fc28/10.100.0.126/14:47:18 UTC Wed May 11 2011]) "
- All hosts are DHCP-enabled.
- A "show ip dhcp snooping binding" displays an increasing number of bindings, but not all the bindings from before disabling DHCP snooping.
Thanks
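
The `%SW_DAI-4-DHCP_SNOOPING_DENY` message quoted above identifies each sender whose ARP was dropped, so the hosts that still lack a snooping binding can be listed without waiting for user complaints. The following Python script is an added example, not code from the thread or from Cisco: it parses those log lines and compares the senders with `show ip dhcp snooping binding` output. The function names are hypothetical, and all sample data except the first log line is constructed.

```python
import re

# Field order inside the brackets follows Cisco's description of this message:
# sender MAC / sender IP / target MAC / target IP / time.
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)", re.I)

def norm_mac(mac):
    """Reduce f4ce.4602.fa9b or 00:1A:2B:3C:4D:5E to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(text):
    """Return {(mac, ip, vlan)} from 'show ip dhcp snooping binding' output."""
    bound = set()
    for line in text.splitlines():
        cols = line.split()
        # Data rows have six columns, a MAC first and a numeric VLAN fifth.
        if len(cols) >= 6 and len(norm_mac(cols[0])) == 12 and cols[4].isdigit():
            bound.add((norm_mac(cols[0]), cols[1], int(cols[4])))
    return bound

def hosts_missing_binding(syslog, bindings):
    """Map (sender MAC, sender IP, vlan, port) -> denied ARP count, unbound senders only."""
    missing = {}
    for m in DAI_DENY.finditer(syslog):
        key = (norm_mac(m["smac"]), m["sip"], int(m["vlan"]), m["port"])
        if key[:3] not in bindings:
            missing[key] = missing.get(key, 0) + int(m["count"])
    return missing

# The first log line is the one quoted in the thread; the other two log lines
# and the binding table are constructed sample data.
SAMPLE_LOG = """\
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/28, vlan 11.([f4ce.4602.fa9b/10.100.0.113/0008.e3ff.fc28/10.100.0.126/14:47:18 UTC Wed May 11 2011])
%SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Fa1/0/28, vlan 11.([f4ce.4602.fa9b/10.100.0.113/0000.0000.0000/10.100.0.126/14:47:40 UTC Wed May 11 2011])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/5, vlan 11.([001a.2b3c.4d5e/10.100.0.50/0000.0000.0000/10.100.0.126/14:46:02 UTC Wed May 11 2011])
"""
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   10.100.0.50      85012       dhcp-snooping   11    FastEthernet1/0/5
Total number of bindings: 1
"""

if __name__ == "__main__":
    table = parse_bindings(SAMPLE_BINDINGS)
    for (mac, ip, vlan, port), n in hosts_missing_binding(SAMPLE_LOG, table).items():
        print(f"{port} vlan {vlan}: {mac} {ip} has no binding ({n} ARPs denied)")
```

A sender that has since renewed its lease, like the constructed host on Fa1/0/5, drops out of the result because its MAC, IP and VLAN now match a binding.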