Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
464
Views
0
Helpful
1
Replies

Safe to activate DAI before DHCP snooping table complete ?

Go to solution
tedauction
Level 1
Level 1

‎12-11-2018 02:34 PM - edited ‎03-08-2019 04:47 PM

Hello, I am using Dynamic Arp Inspection (DAI) in assocation with DHCP Snooping.

My question is, is it safe to enable DAI before the DHCP snooping table has fully populated with all possible DHCP enabled devices ?

If DAI sees traffic come through the switch from a client but there is no entry yet in the DHCP table, will it block that traffic ?

n.b. a scenario might be if a client pulled DHCP before DHCP snooping was enabled.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP

‎12-11-2018 03:16 PM - edited ‎12-11-2018 03:20 PM

Hello

@tedauction wrote:

Hello, I am using Dynamic Arp Inspection (DAI) in assocation with DHCP Snooping.

My question is, is it safe to enable DAI before the DHCP snooping table has fully populated with all possible DHCP enabled devices ?

If DAI sees traffic come through the switch from a client but there is no entry yet in the DHCP table, will it block that traffic ?

n.b. a scenario might be if a client pulled DHCP before DHCP snooping was enabled.

No it wont be safe to enable DAI on a switch without having the snooping D/B being populated first, as DAI wont be able to validate against the snooping D/B for valid entries, The only way to bypass this would be to apply static DAI filter list as this is always checked prior to checking the snooping D/B


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

0 Helpful
1 Reply 1

Go to solution
paul driver
VIP
VIP

‎12-11-2018 03:16 PM - edited ‎12-11-2018 03:20 PM

Hello

@tedauction wrote:

Hello, I am using Dynamic Arp Inspection (DAI) in assocation with DHCP Snooping.

My question is, is it safe to enable DAI before the DHCP snooping table has fully populated with all possible DHCP enabled devices ?

If DAI sees traffic come through the switch from a client but there is no entry yet in the DHCP table, will it block that traffic ?

n.b. a scenario might be if a client pulled DHCP before DHCP snooping was enabled.

No it wont be safe to enable DAI on a switch without having the snooping D/B being populated first, as DAI wont be able to validate against the snooping D/B for valid entries, The only way to bypass this would be to apply static DAI filter list as this is always checked prior to checking the snooping D/B


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card