Help with removing Dynamic ARP Inspection and DHCP snooping

Adam Coombs
Level 1

Ok, I have a project to remove DAI and DHCP snooping from 6500, 3750E and 2960 switches.

This is a production site; DAI and DHCP are working, but haven't been working well for a while.

There is more than one DHCP server in the network.
 

Looking for help on how to get this completed correctly without breaking the whole network.

 


I don't know what your configuration looks like, but in regards to DHCP snooping I think you can start at the edge of the network, turn it off on the switch, and move up from the edge.

Is that what you're looking for?

Well, I can paste the config from each device; I just need to know what commands to issue.

In that case I would turn DHCP snooping off globally:

?(config)#no ip dhcp snooping

There should be some "ip dhcp snooping trust" statements on interfaces; I believe you can leave them if you plan on revisiting DHCP snooping later.

For ARP inspection, you should see ARP inspection enabled on certain VLANs:

"ip arp inspection vlan 1"

You would have to use "no ip arp inspection vlan 1".

To find it easily you can use:

sh run | in ip arp inspection

You'll also have some interfaces with "ip arp inspection trust".

If you use "sh ip arp inspection interfaces | in Trusted" you'll see all of them.

You can remove the command.

I don't think you have to, since you are planning on disabling it globally.

Does that help?

Well, I found this:

When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets.

We don't do ARP ACLs.

Here is a little info on the setup on the 6500:

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs: Q,W,E,RT,TY,Y

Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernetX/X          yes         unlimited

Port-channel                     yes         unlimited

Port config (port-channel):

 ip arp inspection trust
 ip dhcp snooping trust

2960 config:

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:Q

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 1111:1111:1111 (MAC)

Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------

Port-channel              yes        yes             unlimited

 

Port config:

interface Port-channel
 ip arp inspection trust
 ip dhcp snooping trust

 

 

HOLY CRAP!!

You're right, I could have sworn you needed to turn on DAI first when doing DHCP snooping and ARP inspection.

I apologize profusely!

 

 

 

What does "sh ip arp inspection" show you?

Is it enabled?

IP ARP inspection is enabled, but not on all VLANs; it seems IP ARP inspection is turned on per VLAN area.

It is,

So you would do a "no ip arp inspection vlan #" for each VLAN it's enabled for, then "no ip dhcp snooping".

On ports connected to switches you should see "ip arp inspection trust" and "ip dhcp snooping trust".

You can remove them if you want. Are you planning on revisiting ARP inspection and DHCP snooping?

 

I am going to configure the network again for this, but I want to remove all of the old config.

Then later reconfigure the network and change the DHCP to only one server.
