Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Help with remove Dynamic Arp Inspection and DHCP snooping

Ok, I have a project to remove DAI and DHCP snooping from 6500 switches and 3750e, 2960. 

This a production site, DAI and DHCP is working but not working well for a while. 

There are more than one dhcp server in the network. 
 

Looking for help on how to get this complete correctly without breaking the whole network

 

Everyone's tags (1)
9 REPLIES

i don't know what your

i don't know what your configuration looks like but in regards to DHCP snooping i think you can start at the edge of the network, and turn it off on the switch, and move up from the edge.

is that what you're looking for?

New Member

Well I can paste the config

Well I can paste the config from each device, just need to know what commands to issue 

in that case i would turn

in that case i would turn dhcp snooping off globally:

?(config)#no ip dhcp snooping

there should be some "ip dhcp snooping trust" statements on interfaces i believe you can leave them if you plan on revisiting the dhcp snooping later.

arp inspection you should see arp inspection enabled on certian vlans.

"ip arp inspection vlan 1"

you would have to use "no ip arp inspection vlan 1"

to find it easy you can use

sh run | in ip arp inspection

you'll also have some interfaces with "ip arp inspection trust"

if you use "sh ip arp inspection interfaces | in Trusted" you'll see all of them.

you can remove the command.

i don't think you have too since you are planning on disabling it globally.

does that help?

New Member

well i found this When DHCP

well i found this 

When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all 
ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP 
snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets

We dont do arp acl 

Here is a little infor on the setup on 6500 

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs: Q,W,E,RT,TY,Y

Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernetX/X          yes         unlimited

Port-channel                     yes         unlimited

port config port-channel 

ip arp inspection trust
 ip dhcp snooping trust

2960 config 

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:Q

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 1111:1111:1111 (MAC)

Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------

Port-channel              yes        yes             unlimited

 

port config 

interface Port-channel

ip arp inspection trust

ip dhcp snooping trust

 

 

HOLY CRAP!!you're right i

HOLY CRAP!!

you're right i could have swore you needed to turn on DAI first when doing DHCP snooping and ARP Inspection.

i apologize profusely!

 

 

 

what does sh ip arp

what does sh ip arp inspection show you?

is it enabled?

New Member

IP arp inspection is enable

IP arp inspection is enable but not on all vlans, it seems ip arp inspection is turn on per vlan area 

it is,so you would do a "no

it is,

so you would do a "no ip arp inspection vlan #" for each vlan it's enabled for then "no ip dhcp snooping".

on ports connected to switches you should see "ip arp inspection trust" and ip dhcp snooping trust.

you can remove them if you want, are you planning on re-visiting arp inspection and dhcp snooping?

 

New Member

I am going to config the

I am going to config the network again for this but i want to remove all of the old config.  

Then later reconfig the network and change the dhcp to only one server

548
Views
0
Helpful
9
Replies
CreatePlease login to create content