Cisco Support Community
Community Member

static dhcp snooping entry


I have enabled dhcp snooping on a WS-C2960-24TC-L running c2960-lanbasek9-mz.122-50.SE5.bin.

A device with static IP is connected to this switch, so I created a manual entry in the dhcp snooping database with the command:

ip source binding 0080.A361.D027 vlan 1 interface Fa0/12

The dhcp snooping database shows no entry for this device!!!! (unfortunately I have only one device connected to this switch)

#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0


My configuration is as follows:

ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping

ip dhcp snooping trust  (on interface connected to the router and interfaces to downlink switches)


Any ideas why the dhcp snooping database is empty? Devices running DHCP do indeed populate the database!


Thank you in advance,



Community Member


kateria, has any new dhcp request happened since the setup? You could expire a dhcp entry and force the client to request its IP again. It might be that no new request has happened since the lease hasn't expired yet on the dhcp server. Setup looks fine to me.




The reason there is no entry in the dhcp snooping binding database after you have used the ip source binding command is because ip source guard does not configure a static dhcp snooping entry in the snooping binding database. IP source guard is a slightly different technology that uses the dhcp snooping binding database, along with static bindings, to prevent a malicious host from impersonating another host.


So there are 2 slightly different technologies here:

dhcp snooping =

- track the physical locations of ip addresses

- ensure only 'authorized' dhcp servers can issue ip addressing

- ensure that only the issued ip addressing can send traffic on a given port.


IP source guard ensures that only traffic from a specific ip address can be received on a particular port, and the ip address / port mapping information comes from 2 sources:


- dhcp snooping binding database

- static ip binding on a particular port.


To verify what ip addressing is 'permitted' to send traffic on a given port, use the command :

show ip verify source interface [interface]


Very best wishes




Community Member

Maybe there is something I am not understanding...


I want to populate the dhcp snooping database of the switch, so I can enable DAI in the future. Unfortunately I have devices with static IP addresses.

My understanding was that if I enable DAI and all access ports are untrusted, then traffic will pass only for DHCP enabled hosts, which are in the database. Traffic of static IPs will be dropped, unless the port is trusted or the binding is manually entered in the database (that is what I am trying to do). Is this correct?

I do not want to enable IPSG yet.

To sum it up, I want to enable DAI on a mixed environment with DHCP enabled and static hosts. How do I populate the DHCP snooping database with static bindings?

Thank you in advance,



Hi Katerina,


so you want to enable DAI in an environment where some hosts obtain ip via DHCP, and some via static addressing.

The way round this is to configure an ARP ACL - which is cisco's way of configuring a static binding, i.e.


arp access-list [name]

permit ip host [sender ip] mac host [sender mac]


then apply this to the vlan using the command

ip arp inspection filter [ARP ACL] vlan [vlan]


there is a link here explaining fully:


Very best wishes
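As an added worked example (not from the thread or from Cisco documentation), here is what the ARP ACL approach above looks like when written out for the poster's setup. It reuses the MAC 0080.a361.d027, VLAN 1 and the existing DHCP snooping lines from the thread; the host IP 192.0.2.50 and the uplink interface Gi0/1 are assumed placeholders.

```cisco
! Added example, not the poster's running config. Assumed values:
!   static host MAC 0080.a361.d027 on VLAN 1 (from the thread)
!   static host IP 192.0.2.50 (assumed placeholder)
!   uplink to the router on GigabitEthernet0/1 (assumed placeholder)
!
! 1. DHCP snooping stays as already configured; it supplies bindings for DHCP clients.
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping
!
! 2. ARP ACL: one permit entry per static host. Sender IP and sender MAC in the ARP
!    packet must both match, so the host cannot claim another address.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0080.a361.d027
!
! 3. Apply the ACL to the VLAN. Without the "static" keyword, ARP packets that hit the
!    ACL's implicit deny are still checked against the DHCP snooping binding database,
!    which is what a mixed static/DHCP VLAN needs. Adding "static" would treat the
!    implicit deny as a drop and never consult the snooping database.
ip arp inspection filter STATIC-HOSTS vlan 1
!
! 4. Enable DAI on the VLAN. Access ports are untrusted by default, so ARP from the
!    static host is validated against the ACL and ARP from DHCP hosts against bindings.
ip arp inspection vlan 1
!
! 5. Trust the uplink so ARP arriving from the router and other switches is not
!    inspected here (mirrors the existing "ip dhcp snooping trust" on that port).
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification:
!   show arp access-list STATIC-HOSTS
!   show ip arp inspection vlan 1
!   show ip arp inspection statistics vlan 1
```

Because the ACL is part of the startup configuration rather than the binding database, it survives a reload or a clear of the DHCP snooping database.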




Community Member

Thank you so much for your reply and the link.

Another thing that I want to try and see if it works is this:

I manually added the static entry in the database (in enable mode, not configuration mode):

ip dhcp snooping binding 0080.a361.d027 vlan 1 interface fa0/12 expiry 4294967295

#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:80:A3:61:D0:27  infinite    dhcp-snooping   1     FastEthernet0/12
Total number of bindings: 1

I also enabled a dhcp database agent on the switch.

I now want to reload the switch to see what happens.



Community Member

Hi all!


I wanted to comment that the correct answer is that proposed by Mike, that utilizes the ARP ACL.

The other approach I tested with the manual entry in the database doesn't achieve the desired results and this is why.

If you manually enter a static binding and also have the database agent enabled, an entry is created in the database and is redirected to where the agent is pointing (tftp server or locally on switch). What happens if someone clears the dhcp snooping binding database? Then the entry is also deleted from where the database is stored. So in a few minutes, if DAI is enabled, connectivity to the static IP is lost!!!!! Same thing happens if switch is reloaded and it tries to load the bindings from the stored database. Since the static entry isn't present anymore, there is no connectivity to the device with the static IP!


So, as Mike said, ARP ACL is the only solution.

Hope this helps someone who wants an understanding of why static bindings won't work!


