Has any new dhcp request happened since the setup? You could expire a dhcp entry and force the client to request its IP again. It might be that no new request has happened since the lease hasn't expired yet on the dhcp server.
Setup looks fine to me.
The reason there is no entry in the dhcp snooping binding database after you have used the ip source binding - is because the ip source guard does not configure a static dhcp snooping entry in the snooping binding database. IP source guard is a slightly different technology that uses the dhcp snooping binding database - along with static bindings to prevent a malicious host from impersonating another host.
So there are 2 slightly different technologies here:
dhcp snooping =
- track the physical locations of ip addresses
- ensure only 'authorized' dhcp servers can issue ip addressing
- ensure that only the issued ip addressing can send traffic on a given port.
IP source guard ensures that only traffic from a specific ip address can be received on a particular port, and the ip address / port mapping information comes from 2 sources:
- dhcp snooping binding database
- static ip binding on a particular port.
To verify what ip addressing is 'permitted' to send traffic on a given port, use the command :
Maybe there is something I am not understanding...
I want to populate the dhcp snooping database of the switch, so I can enable DAI in the future. Unfortunately I have devices with static IP addresses.
My understanding was that if I enable DAI and all access ports are untrusted, then traffic will pass only for DHCP enabled hosts, which are in the database. Traffic of static IPs will be dropped, unless the port is trusted or the binding is manually entered in the database (that is what I am trying to do). Is this correct?
I do not want to enable IPSG yet.
To sum it up, I want to enable DAI on a mixed environment with DHCP enabled and static hosts. How do I populate the DHCP snooping database with static bindings?
I wanted to comment that the correct answer is that proposed by Mike, that utilizes the ARP ACL.
The other approach I tested with the manual entry in the database doesn't achieve the desired results and this is why.
If you manually enter a static binding and also have the database agent enabled, an entry is created in the database and is redirected to where the agent is pointing (tftp server or locally on switch). What happens if someone clears the dhcp snooping binding database? Then the entry is also deleted from where the database is stored. So in a few minutes, if DAI is enabled, connectivity to the static IP is lost!!!!! Same thing happens if switch is reloaded and it tries to load the bindings from the stored database. Since the static entry isn't present anymore, there is no connectivity to the device with the static IP!
So, as Mike said, ARP ACL is the only solution.
Hope this helps someone who wants an understanding of why static bindings won't work!
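The ARP ACL approach the thread settles on, as an added example that is not taken from any of the posts. The VLAN number, ACL name, interface, and the IP and MAC addresses are constructed placeholders from documentation ranges.

```cisco
! DHCP snooping builds the binding table that DAI uses for DHCP clients.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! ARP ACL: one permit line per statically addressed host (IP + MAC pair).
! This lives in the running/startup config, so it is not affected by
! clearing the snooping binding table or by a reload.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0000.5e00.5301
 permit ip host 192.0.2.11 mac host 0000.5e00.5302
!
! Attach the ACL to the VLAN before turning DAI on.
! The trailing "static" keyword is deliberately omitted: without it, ARP
! packets that match no ACL entry fall through to the DHCP snooping
! bindings, so DHCP clients keep working. With "static", the ACL's
! implicit deny is final and every host not listed in the ACL is dropped.
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection vlan 10
!
! Uplink toward the DHCP server and other switches is trusted;
! access ports stay untrusted (the default).
interface GigabitEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification (privileged EXEC):
!   show arp access-list STATIC-HOSTS
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip dhcp snooping binding
```

In `show ip arp inspection statistics`, ACL permits and DHCP permits are counted separately, which lets you confirm the static hosts are being admitted by the ACL rather than by a binding entry.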