DHCP Snooping and DAI

Hello,

I am looking into implementing DHCP Snooping and Dynamic ARP Inspection in my network but I am a little confused. Here is my layout:

1. One 6509 running as the DHCP server, and the DHCP database is saved to flash

2. Five 3500 switches, each with a connection to the 6509, that support DHCP clients

I understand that DAI must reference the DHCP database to function, so my question is this: once DAI is configured on the 3500s, is it possible to point them to reference the DHCP database that lives in the 6509 flash?

Accepted Solution

DHCP Snooping and DAI

Hi,

DAI is referencing the DHCP snooping database which is not the DHCP database.

The DHCP snooping database is constructed when clients get a DHCP leased address because the switch where DHCP snooping is configured is looking at the DHCP messages and so knows the MAC address of the client, the port where it is and the IP it got.

Don't forget to rate if helpful.

Regards.

Alain

Don't forget to rate helpful posts.

DHCP Snooping and DAI

Hello,

Just make sure the interconnections between the switches are configured as trusted interfaces to bypass the validation check, just like you do with DHCP Snooping. The command is the (ip arp inspection trust) interface command.

And you typically leave all host ports as untrusted ports.

Regards,

Mohamed
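
Added example (not part of the thread and not Cisco code): a simplified Python model of what the two replies describe, showing that each access switch builds its own snooping bindings from the DHCP exchange it sees, that DAI on untrusted ports checks ARP against those bindings, and that trusted inter-switch links bypass the check. The VLAN, port names, MACs and IPs are constructed, and matching on the port as well as the MAC is an assumption of this model.

```python
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    """Simplified model of one switch running DHCP snooping plus DAI."""
    trusted: set                                   # ports set as trusted (uplinks)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> access port
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> (mac, port)

    def dhcp_request(self, vlan, port, mac):
        # Client request seen on an access port: note where this MAC is attached.
        self.pending[(vlan, mac)] = port

    def dhcp_ack(self, vlan, in_port, mac, ip):
        # Server replies are accepted only when they arrive on a trusted port.
        if in_port not in self.trusted:
            return "drop"
        if (vlan, mac) in self.pending:
            self.bindings[(vlan, ip)] = (mac, self.pending.pop((vlan, mac)))
        return "forward"

    def arp(self, vlan, in_port, sender_mac, sender_ip):
        # DAI: trusted ports bypass validation; untrusted ports must match a binding.
        if in_port in self.trusted:
            return "permit"
        ok = self.bindings.get((vlan, sender_ip)) == (sender_mac, in_port)
        return "permit" if ok else "drop"

def demo():
    # Constructed sample values: VLAN 10, port names, MACs and IPs are made up.
    sw1 = AccessSwitch(trusted={"Gi0/1"})
    sw2 = AccessSwitch(trusted={"Gi0/1"})
    pc = "00:11:22:33:44:55"
    sw1.dhcp_request(10, "Fa0/5", pc)
    sw1.dhcp_ack(10, "Gi0/1", pc, "10.0.0.50")
    return {
        "lease_holder": sw1.arp(10, "Fa0/5", pc, "10.0.0.50"),
        "wrong_mac": sw1.arp(10, "Fa0/9", "00:aa:bb:cc:dd:ee", "10.0.0.50"),
        "no_binding": sw1.arp(10, "Fa0/7", "00:de:ad:be:ef:01", "10.0.0.99"),
        "ack_on_access_port": sw1.dhcp_ack(10, "Fa0/9", pc, "10.0.0.66"),
        "via_trusted_uplink": sw2.arp(10, "Gi0/1", pc, "10.0.0.50"),
        "sw2_bindings": len(sw2.bindings),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second switch permits the ARP only because it arrives on a trusted uplink; it holds no binding for that client, since the lease was observed on the first switch.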
