Cisco Support Community
Community Member

DHCP Snooping and DAI stops DHCP Clients from receiving IPs


I've been having some issues for quite some time now regarding the implementation of DAI over DHCP Snooping in a dynamic environment. I've been searching for a thread/discussion that is remotely related to mine but unfortunately I wasn't able to find one so please excuse me if I didn't post in the right category.

The problem is as follows:

Given 3 x 3560 (WS-C3560G-24TS-S) and a laptop, I've tried enhancing the security by activating both DHCP Snooping and DAI. One of the 3560s is the DHCP Server, the second one is a "transit" switch and the third one is the "access" switch.

The topology would be similar to this:

Laptop -> 3560 (Access Switch) -> 3560 (Distribution SW) -> 3560 (Core Switch + DHCP Server)

The configuration for the access and distribution switches, before implementing DAI, in order for the laptop to receive IP from the DHCP Server would be like this:

  • Put the laptop in access mode and in corresponding vlan
  • DHCP Snooping enabled for that certain VLAN on both access and distribution switches
  • Disable option-82
  • Set the trunk that goes from access to distribution and the trunk from distribution to core as trusted

In this current setup the laptop is able to receive the IP and the rest of the DHCP Server information as planned.

If I enable DAI on the access switch no other laptops will be able to gain IP from the DHCP Server. Here are the steps used:

  • Enable DAI for the vlan that the new laptop will be connected to on both access and distribution switches (the ports on the access switch are all in the right vlan and manually access)
  • Set the trunk from access to distribution and the trunk from distribution as trust

After all this is set if a new laptop plugs in, DAI will not allow it to get the info from the DHCP Server.

I've been searching for an answer for a while now and my logic, so far, is the following:

DAI is looking at DHCP Snooping DB and at ARP ACLs to allow that ARP packet to flow but since it's a new laptop and it hasn't got an entry in the DHCP Snooping DB and since it's a random laptop it can't have any entry in a manually configured ARP ACL, it will drop any ARP request from it and it won't be able to reach the DHCP Server to do the 4 steps.

Since I couldn't find a logical and a practical way to resolve this problem I'm asking for your advice and help in solving this issue.

Looking forward to your reply.
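
The interplay of the two features discussed in the post, as a simplified Python model added here (not part of the original post and not Cisco's implementation): DHCP messages are evaluated by DHCP snooping, which learns a binding from the DHCPACK, while DAI is applied only to ARP packets. Port names, MAC and IP addresses are constructed, and the model ignores lease expiry, rate limiting and deny entries in ARP ACLs.

```python
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    """Toy model of one VLAN on an access switch (constructed, not full IOS behaviour)."""
    trusted: set                                   # trusted uplink ports
    bindings: dict = field(default_factory=dict)   # (mac, port) -> leased IP
    pending: dict = field(default_factory=dict)    # mac -> port of the requesting client
    arp_acl: set = field(default_factory=set)      # static (mac, ip) permit entries

    def dhcp_snoop(self, port, msg, mac, yiaddr=None):
        """DHCP snooping: filter DHCP messages, learn a binding from the ACK."""
        if msg in ("OFFER", "ACK", "NAK"):         # server-to-client messages
            if port not in self.trusted:
                return "drop"                      # server reply on an untrusted port
            if msg == "ACK" and mac in self.pending:
                self.bindings[(mac, self.pending.pop(mac))] = yiaddr
            return "forward"
        self.pending[mac] = port                   # DISCOVER/REQUEST from a client
        return "forward"

    def dai(self, port, sender_mac, sender_ip):
        """DAI: applied to ARP packets only; checks sender MAC/IP on untrusted ports."""
        if port in self.trusted:
            return "permit"
        if (sender_mac, sender_ip) in self.arp_acl:
            return "permit"
        if self.bindings.get((sender_mac, port)) == sender_ip:
            return "permit"
        return "drop"

def walkthrough():
    """New client on Gi0/1, uplink Gi0/24 trusted; all values are constructed."""
    sw = AccessSwitch(trusted={"Gi0/24"})
    mac, port, ip = "00:11:22:33:44:55", "Gi0/1", "10.0.10.50"
    return [
        ("ARP before lease", sw.dai(port, mac, ip)),
        ("DISCOVER", sw.dhcp_snoop(port, "DISCOVER", mac)),
        ("OFFER via uplink", sw.dhcp_snoop("Gi0/24", "OFFER", mac, ip)),
        ("REQUEST", sw.dhcp_snoop(port, "REQUEST", mac)),
        ("ACK via uplink", sw.dhcp_snoop("Gi0/24", "ACK", mac, ip)),
        ("ARP after lease", sw.dai(port, mac, ip)),
        ("ARP claiming gateway IP", sw.dai(port, mac, "10.0.10.1")),
        ("OFFER from access port", sw.dhcp_snoop("Gi0/2", "OFFER", mac, ip)),
    ]

if __name__ == "__main__":
    for step, verdict in walkthrough():
        print(f"{step:26} {verdict}")
```

On a real switch the corresponding state can be compared with `show ip dhcp snooping binding` and `show ip arp inspection statistics`.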
