03-05-2009 05:54 AM - edited 03-06-2019 04:24 AM
Hi all,
We tried to use DAI on a switch. Our IP addresses are static.
Our problem is that after configuring DAI, no ping responds (ping between PC and switch or between PCs).
We have to put each port as "trust" and then change it to "untrust" before we can ping.
And when a port has been blocked by DAI, we have to do the same thing so it can ping again.
03-05-2009 07:01 AM
Hi,
DAI uses the table built by DHCP snooping to accept or deny packets. In your case, since your hosts have static IP addresses, you need to build a filter by yourself. I found this in a config guide:
S1(config)# arp access-list H2
S1(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0001.0001.0001
S1(config)# ip arp inspection filter H2 vlan 1
I've implemented DAI and you need to use DHCP snooping. Manual ACLs are unmanageable after a while. This could help you push an all-DHCP hidden agenda.
03-06-2009 03:07 AM
Is there another technology which functions like DAI but on a network using static IPs?
There are too many PCs on the network; it will be difficult for us to create a filter for each IP/MAC.
03-06-2009 05:04 AM
If your boundary between DHCP and static is very clear (i.e. 1-240 DHCP, 241-250 static), you can put a DAI ACL on the switches to ignore DAI for IPs 241-250.
Of course, if the boundary changes, you'll need to adjust the ACL.
However, if your DHCP scopes are not contiguous or static IPs are random, then it is a real pain in the b**tt to deploy DAI. For me this is one MAJOR disadvantage of DAI and has already led to several cancelled implementations.
A possible way to work around this is to use DHCP with option 82. You can then assign a DHCP address to a switch port. Any device connected to that port will always receive the same DHCP IP address (sort of "static" address). This will remove the DAI problems with statics....
Geert
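The two approaches above (the per-host ARP ACL from the config guide quoted earlier in the thread, and Geert's "ignore DAI for a static range" ACL) combined into one switch configuration. This is an added example, not a configuration posted in the thread; it assumes VLAN 10, an uplink on GigabitEthernet1/0/24, access ports 1-23, and constructed IP/MAC pairs for the static hosts. Note the range entry uses a wildcard mask, so it covers 10.0.0.240-255, slightly wider than the 241-250 range in the post; and the filter is applied without the `static` keyword so that ARP packets matching no ACL entry still fall back to the DHCP snooping binding table instead of being dropped.

```cisco
! DHCP snooping builds the binding table that DAI consults (assumed VLAN 10)
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI on the same VLAN and also check sender MAC/IP consistency
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! ARP ACL for hosts that never use DHCP (constructed IP/MAC pairs)
arp access-list STATIC-HOSTS
 permit ip host 10.0.0.241 mac host 0011.2233.4455
 permit ip host 10.0.0.242 mac host 0011.2233.4456
 ! Range-style entry: wildcard 0.0.0.15 covers 10.0.0.240-255 with any MAC
 permit ip 10.0.0.240 0.0.0.15 mac any
!
! No "static" keyword: packets matching no entry are checked against the
! DHCP snooping bindings, so DHCP clients keep working
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink toward the DHCP server / rest of the network is trusted for both features
interface GigabitEthernet1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted (default); rate-limit so bursts err-disable the port
! instead of flooding the CPU
interface range GigabitEthernet1/0/1 - 23
 ip arp inspection limit rate 30
!
! Verification: confirm the filter is applied and watch the drop counters
show ip arp inspection vlan 10
show ip dhcp snooping binding
show ip arp inspection statistics vlan 10
```

If a static host still cannot ping after this, compare its actual MAC against the ACL entry and check `show ip arp inspection statistics`; a mismatch shows up there as ACL drops rather than DHCP permits.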
03-09-2009 12:12 AM
Hi,
Could you give more information about assigning a DHCP address to a switch port?
How can we do this?
03-09-2009 07:28 AM
First, your DHCP server needs to support it.
Second, more info here
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gdhcpopt.html
03-12-2009 12:56 AM
Hi,
We have enabled DHCP snooping; there's no more problem when using DAI without the filter.
However, we couldn't configure option 82; we don't know how to do it.
We use the switch as DHCP server, and a show command tells us option 82 is enabled.
When we test its functionality by connecting 2 different PCs on one port, they get 2 different IP addresses.
We tried to configure "ip dhcp relay information check", and the following error appears:
"Can't configure relay information option processing while DHCP snooping is enabled"
What should be added on the switch?