cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
483
Views
0
Helpful
1
Replies

Safe to activate DAI before DHCP snooping table complete ?

tedauction
Level 1
Level 1

Hello, I am using Dynamic Arp Inspection (DAI) in assocation with DHCP Snooping.

My question is, is it safe to enable DAI before the DHCP snooping table has fully populated with all possible DHCP enabled devices ?

If DAI sees traffic come through the switch from a client but there is no entry yet in the DHCP table, will it block that traffic ?

n.b. a scenario might be if a client pulled DHCP before DHCP snooping was enabled.

1 Accepted Solution

Accepted Solutions

Hello


@tedauction wrote:

Hello, I am using Dynamic Arp Inspection (DAI) in assocation with DHCP Snooping.

My question is, is it safe to enable DAI before the DHCP snooping table has fully populated with all possible DHCP enabled devices ?

If DAI sees traffic come through the switch from a client but there is no entry yet in the DHCP table, will it block that traffic ?

n.b. a scenario might be if a client pulled DHCP before DHCP snooping was enabled.


No it wont be safe to enable DAI on a switch without having the snooping D/B being populated first, as DAI wont be able to validate against the snooping D/B for valid entries, The only way to bypass this would be to apply static DAI filter list as this is always checked prior to checking the snooping D/B


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

1 Reply 1

Hello


@tedauction wrote:

Hello, I am using Dynamic Arp Inspection (DAI) in assocation with DHCP Snooping.

My question is, is it safe to enable DAI before the DHCP snooping table has fully populated with all possible DHCP enabled devices ?

If DAI sees traffic come through the switch from a client but there is no entry yet in the DHCP table, will it block that traffic ?

n.b. a scenario might be if a client pulled DHCP before DHCP snooping was enabled.


No it wont be safe to enable DAI on a switch without having the snooping D/B being populated first, as DAI wont be able to validate against the snooping D/B for valid entries, The only way to bypass this would be to apply static DAI filter list as this is always checked prior to checking the snooping D/B


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Review Cisco Networking for a $25 gift card