DHCP Snooping and DAI stops DHCP Clients from receiving IPs
I've been having some issues for quite some time now regarding the implementation of DAI over DHCP Snooping in a dynamic environment. I've been searching for a thread/discussion that is remotely related to mine but unfortunately I wasn't able to find one so please excuse me if I didn't post in the right category.
The problem is as follows:
Given 3 x 3560 (WS-C3560G-24TS-S) and a laptop, I've tried enhancing the security by activating both DHCP Snooping and DAI. One of the 3560s is the DHCP Server, the second one is a "transit" switch and the third one is the "access" switch.
The configuration for the access and distribution switches, before implementing DAI, in order for the laptop to receive an IP from the DHCP Server would be like this:
Put the laptop in access mode and in corresponding vlan
DHCP Snooping enabled for that certain VLAN on both access and distribution switches
Set the trunk that goes from access to distribution and the trunk from distribution to core as trusted
In this current setup the laptop is able to receive the IP and the rest of the DHCP Server information as planned.
If I enable DAI on the access switch no other laptops will be able to gain an IP from the DHCP Server. Here are the steps used:
Enable DAI for the vlan that the new laptop will be connected to on both access and distribution switches (the ports on the access switch are all in the right vlan and manually access)
Set the trunk from access to distribution and the trunk from distribution as trust
After all this is set if a new laptop plugs in, DAI will not allow it to get the info from the DHCP Server.
I've been searching for an answer for a while now and my logic, so far, is the following:
DAI is looking at the DHCP Snooping DB and at ARP ACLs to allow that ARP packet to flow, but since it's a new laptop and it hasn't got an entry in the DHCP Snooping DB, and since it's a random laptop it can't have any entry in a manually configured ARP ACL, it will drop any ARP request from it and it won't be able to reach the DHCP Server to do the 4 steps.
Since I couldn't find a logical and a practical way to resolve this problem I'm asking for your advice and help in solving this issue.
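As an added illustration (not the poster's configuration), the access-switch side of the setup described above in IOS form, together with the show commands that reveal whether DAI is actually dropping the new laptop's frames. VLAN 10, Gi0/1 as the uplink and Gi0/2 as the laptop port are assumptions.

```cisco
! Added example for a WS-C3560G-24TS-S access switch. VLAN 10, the uplink
! Gi0/1 and the laptop port Gi0/2 are assumed values, not from the post.
!
ip dhcp snooping
ip dhcp snooping vlan 10
! DAI is enabled per VLAN on top of snooping and reads the snooping
! binding table to validate ARP seen on untrusted ports
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 description uplink to distribution switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! DHCP snooping trust and ARP inspection trust are two separate settings;
 ! a trunk trusted for one is still untrusted for the other
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 description laptop
 switchport mode access
 switchport access vlan 10
 ! left untrusted on purpose: server-side DHCP messages and
 ! unverified ARP are inspected here
!
! Verification after a fresh laptop plugs in:
! 1. the laptop must show up here once it has completed the 4 DHCP steps;
!    the DHCP exchange itself does not need an ARP reply from the client
show ip dhcp snooping binding
! 2. per-VLAN counters: a rising "DHCP Drops" column means ARP is being
!    dropped for lack of a binding, a rising "Forwarded" column means it is not
show ip arp inspection statistics vlan 10
! 3. confirms which ports DAI treats as trusted (trust state is shown per port)
show ip arp inspection interfaces
! 4. optional: log every ARP packet dropped for a missing binding,
!    so the offending MAC/IP pair appears in the syslog
ip arp inspection vlan 10 logging dhcp-bindings all
```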