08-25-2014 11:17 AM - edited 03-07-2019 08:31 PM
OK, I have a project to remove DAI and DHCP snooping from 6500 switches and 3750e, 2960.
This is a production site. DAI and DHCP snooping are working, but have not been working well for a while.
There is more than one DHCP server in the network.
Looking for help on how to get this completed correctly without breaking the whole network.
08-25-2014 11:39 AM
I don't know what your configuration looks like, but in regard to DHCP snooping I think you can start at the edge of the network, turn it off on the switch, and move up from the edge.
Is that what you're looking for?
08-25-2014 11:56 AM
Well, I can paste the config from each device; I just need to know what commands to issue.
08-25-2014 12:15 PM
In that case I would turn DHCP snooping off globally:
?(config)#no ip dhcp snooping
There should be some "ip dhcp snooping trust" statements on interfaces; I believe you can leave them if you plan on revisiting DHCP snooping later.
For ARP inspection, you should see ARP inspection enabled on certain VLANs:
"ip arp inspection vlan 1"
You would have to use "no ip arp inspection vlan 1".
To find it easily you can use
sh run | in ip arp inspection
You'll also have some interfaces with "ip arp inspection trust".
If you use "sh ip arp inspection interfaces | in Trusted" you'll see all of them.
You can remove the command.
I don't think you have to, since you are planning on disabling it globally.
Does that help?
08-25-2014 12:51 PM
Well, I found this:
"When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets."
We don't do ARP ACLs.
Here is a little info on the setup on the 6500:
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs: Q,W,E,RT,TY,Y
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernetX/X yes unlimited
Port-channel yes unlimited
Port config for the port-channel:
ip arp inspection trust
ip dhcp snooping trust
2960 config:
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:Q
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 1111:1111:1111 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
Port-channel yes yes unlimited
Port config:
interface Port-channel
ip arp inspection trust
ip dhcp snooping trust
08-25-2014 12:58 PM
HOLY CRAP!!
You're right; I could have sworn you needed to turn on DAI first when doing DHCP snooping and ARP inspection.
I apologize profusely!
08-25-2014 01:01 PM
What does "sh ip arp inspection" show you?
Is it enabled?
08-25-2014 01:08 PM
IP ARP inspection is enabled but not on all VLANs; it seems IP ARP inspection is turned on per VLAN.
08-25-2014 01:16 PM
It is,
so you would do a "no ip arp inspection vlan #" for each VLAN it's enabled for, then "no ip dhcp snooping".
On ports connected to switches you should see "ip arp inspection trust" and "ip dhcp snooping trust".
You can remove them if you want. Are you planning on revisiting ARP inspection and DHCP snooping?
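The removal order worked out in this thread (DAI off per VLAN first, then DHCP snooping globally, trust statements last or not at all) is easy to get wrong by hand across many switches. Below is an added example, not from the thread or from Cisco, that turns a running-config excerpt into the "no" commands in that order; the config text is a constructed sample and the command syntax is the IOS syntax quoted in the replies above.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the thread): DAI on some VLANs,
# DHCP snooping on globally and per VLAN, trust statements on the uplinks.
SAMPLE_RUNNING_CONFIG = """\
ip dhcp snooping vlan 10,20,30-32
ip dhcp snooping
ip arp inspection vlan 10,20
ip arp inspection vlan 30-32
interface Port-channel1
 ip arp inspection trust
 ip dhcp snooping trust
interface GigabitEthernet1/0/1
 ip arp inspection trust
"""
TRUST_CMDS = ("ip arp inspection trust", "ip dhcp snooping trust")

def trust_by_interface(config: str) -> Dict[str, List[str]]:
    """Map each interface to the DAI/DHCP-snooping trust lines under it."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.strip() in TRUST_CMDS:
            result.setdefault(current, []).append(line.strip())
    return result

def removal_plan(config: str, keep_trust: bool = True) -> List[str]:
    """Emit the 'no' commands in the safe order described in the thread."""
    cmds: List[str] = []
    # Step 1: DAI per VLAN first. Disabling DHCP snooping while DAI is still on
    # would check every ARP against an empty binding table and cut hosts off.
    for spec in re.findall(r"^ip arp inspection vlan (\S+)$", config, re.M):
        cmds.append(f"no ip arp inspection vlan {spec}")
    # Step 2: only now disable DHCP snooping, globally and then per VLAN.
    if re.search(r"^ip dhcp snooping$", config, re.M):
        cmds.append("no ip dhcp snooping")
    for spec in re.findall(r"^ip dhcp snooping vlan (\S+)$", config, re.M):
        cmds.append(f"no ip dhcp snooping vlan {spec}")
    # Step 3: trust statements are inert once both features are off; drop them
    # only if the old config will not be revisited.
    if not keep_trust:
        for iface, lines in trust_by_interface(config).items():
            cmds.append(f"interface {iface}")
            cmds.extend(f" no {line}" for line in lines)
    return cmds
```

Feed it the output of "sh run | in ip arp inspection|ip dhcp snooping|^interface" from each switch and review the generated list before pasting it into config mode.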
08-26-2014 06:28 AM
I am going to configure the network again for this, but I want to remove all of the old config.
Then later reconfigure the network and change DHCP to only one server.