
Traffic drop after clear DHCP snooping binding

zexinfinite
Level 1

Hi all,

I've enabled DHCP snooping and IPSG in the lab. After I use "clear ip dhcp snooping binding *", the traffic is denied by IPSG. Then I restart the client interface to get an IP address from DHCP again, and everything works again.

Is there another way to recover it without restarting the client interface?

 

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:BB:CC:00:02:10   192.168.1.4      86351       dhcp-snooping  100   Ethernet0/1
Total number of bindings: 1

Switch#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/1      ip           active       192.168.1.4                         100

Switch#clear ip dhcp snooping binding *

Switch#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/1      ip           active       deny-all                            100

Switch#show running-config interface e0/1
Building configuration...

Current configuration : 112 bytes
!
interface Ethernet0/1
 switchport access vlan 100
 switchport mode access
 duplex auto
 ip verify source
end

 

Accepted Solutions

Peter Paluch
Cisco Employee

Hi,

Unfortunately, there is no way of quickly reinstating the connectivity after manually clearing the DHCP Snooping bindings. This database is built based on DHCP messaging, and so until the switch again intercepts the DHCP communication between a given client and a server, it cannot populate the DHCP Snooping database for this client, and so neither Dynamic ARP Inspection nor IP Source Guard can work.

There is a way of configuring static bindings for DAI or IPSG, but obviously, that approach is not scalable and likely not meeting your requirements.

On the other hand, flatly clearing the entire DHCP Snooping database is a strongly impacting step, and should not be ordinarily done at all. This question may be a little evasive, but why would you want to clear the entire DHCP Snooping database in the first place?

Best regards,
Peter
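
Added example, not part of the original thread: a Python script that turns a saved copy of the "show ip dhcp snooping binding" output into the static IPSG entries the answer mentions, so a capture taken before a clear can be replayed. The function names are hypothetical, and the "ip source binding <mac> vlan <vlan> <ip> interface <interface>" global-configuration syntax is an assumption to verify on your platform.

```python
import ipaddress
import re

# Output copied from the question above; save the real output before any clear.
SAMPLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:BB:CC:00:02:10   192.168.1.4      86351       dhcp-snooping  100   Ethernet0/1
Total number of bindings: 1
"""

ROW = re.compile(
    r"^\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>[\d.]+)\s+"
    r"(?P<lease>\S+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$"
)

def cisco_mac(mac):
    """AA:BB:CC:00:02:10 -> aabb.cc00.0210 (dotted form used in IOS config)."""
    h = mac.replace(":", "").lower()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def parse_bindings(text):
    """Return one dict per binding row; reject a truncated or garbled capture."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ipaddress.ip_address(m["ip"])  # raises ValueError on a bad address
            rows.append(m.groupdict())
    total = re.search(r"Total number of bindings:\s*(\d+)", text)
    if total and int(total.group(1)) != len(rows):
        raise ValueError("parsed %d rows, switch reported %s"
                         % (len(rows), total.group(1)))
    return rows

def static_binding_commands(text):
    """Build one static entry per DHCP-learned binding (assumed IOS syntax)."""
    return [
        "ip source binding {} vlan {} {} interface {}".format(
            cisco_mac(b["mac"]), b["vlan"], b["ip"], b["intf"])
        for b in parse_bindings(text)
        if b["type"] == "dhcp-snooping"  # skip rows that are already static
    ]

if __name__ == "__main__":
    print("\n".join(static_binding_commands(SAMPLE)))
```

Static entries stay in the configuration until they are removed, which is the scalability cost the answer points out.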
