Cisco Support Community
single point problem of DHCP security feature

My network topology is attached. Please see it.

There are two DHCP servers connected to different core switches. Suppose PC1 gets its IP address from DHCP-SERVER-2, so only 4510-2 learns this and stores it in its DHCP snooping binding table.

So the question is: if I enable ARP inspection on both 4510-1 and 4510-2, I get a problem: the PC will lose connectivity because 4510-1 didn't learn the IP-MAC information.

I know that "ip arp inspection trust" under the interface will work. But my access switches don't support ip arp inspection, for example the 2950. If I add "ip arp inspection trust" under the interface connected to that switch, it will leave a security hole. Or I can define an ARP ACL, but there are so many PCs on my network.

So I wonder why Cisco can't synchronize the DHCP snooping binding table between switches. If Cisco could synchronize the DHCP snooping binding table, it would be an easy solution for me.

thanks!

1 REPLY
New Member

Re: single point problem of DHCP security feature

henry,

You are indeed correct. The only other solution would be to manually update the DHCP binding file on 4510-1 or create an ARP access-list; either way would be a pain. You can also consider port-security on the switchports of the 3500XL.
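A configuration sketch of the options discussed in this thread (trusting the downlink, a static binding on 4510-1, an ARP ACL, and port-security on the access switch), added here as an illustration and not taken from either post; VLAN 10, the interface names and PC1's address and MAC are assumptions.

```cisco
! Added example. Assumed: VLAN 10, PC1 = 10.1.10.25 / 0011.2233.4455,
! 4510-1 Gi1/1 = downlink to the 2950, Te1/1 = link to 4510-2, Gi2/1 = DHCP-SERVER-1.
!
! --- Baseline on 4510-1: snooping plus DAI, with extra header checks.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! --- The weak option from the question: trusting the whole downlink to a switch
! without DAI means ARP from every host behind the 2950 is never checked.
interface GigabitEthernet1/1
 description downlink to 2950 (no DAI support) - left UNTRUSTED on purpose
 no ip arp inspection trust
!
! --- Option 1 from the reply: add the binding 4510-1 never learned as a static
! entry in its binding table (mirrors what 4510-2 learned from DHCP; per host).
ip source binding 0011.2233.4455 vlan 10 10.1.10.25 interface GigabitEthernet1/1
!
! --- Option 2 from the reply: ARP ACL for hosts whose binding lives on the other core.
! Without the "static" keyword, hosts not matched by the ACL still fall back to
! the DHCP snooping binding table, so both mechanisms coexist.
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.1.10.25 mac host 0011.2233.4455
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! --- Trust only the inter-core link and the server port: DHCP OFFER/ACK and ARP
! arriving from those sides are legitimate and would otherwise be dropped.
interface TenGigabitEthernet1/1
 description link to 4510-2
 ip dhcp snooping trust
 ip arp inspection trust
interface GigabitEthernet2/1
 description DHCP-SERVER-1
 ip dhcp snooping trust
!
! --- Option 3 from the reply, on the access switch (2950-style syntax): limit
! each edge port to one learned MAC so a host cannot add a second, spoofed one.
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
```

Static bindings and ARP ACL entries must be updated whenever a host's lease or MAC changes, which is the maintenance burden both posts describe.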
