DHCP Snooping and DAI stop DHCP clients from receiving IPs
I've been having some issues for quite some time now regarding the implementation of DAI on top of DHCP Snooping in a dynamic environment. I've been searching for a thread/discussion that is remotely related to mine, but unfortunately I wasn't able to find one, so please excuse me if I didn't post in the right category.
The problem is as follows:
Given 3 x 3560 (WS-C3560G-24TS-S) and a laptop, I've tried enhancing security by activating both DHCP Snooping and DAI. One of the 3560s is the DHCP server, the second one is a "transit" switch and the third one is the "access" switch.
The configuration for the access and distribution switches, before implementing DAI, in order for the laptop to receive an IP from the DHCP server, was as follows:
Put the laptop port in access mode and in the corresponding VLAN
DHCP Snooping enabled for that VLAN on both access and distribution switches
Set the trunk that goes from access to distribution and the trunk from distribution to core as trusted
In this setup the laptop is able to receive the IP and the rest of the DHCP server information as planned.
If I enable DAI on the access switch, no other laptops will be able to get an IP from the DHCP server. Here are the steps used:
Enable DAI for the VLAN that the new laptop will be connected to, on both access and distribution switches (the ports on the access switch are all in the right VLAN and manually set to access mode)
Set the trunk from access to distribution and the trunk from distribution as trusted
After all this is set, if a new laptop plugs in, DAI will not allow it to get the info from the DHCP server.
I've been searching for an answer for a while now and my logic, so far, is the following:
DAI looks at the DHCP Snooping DB and at ARP ACLs to allow an ARP packet to flow, but since it's a new laptop and it hasn't got an entry in the DHCP Snooping DB, and since it's a random laptop it can't have any entry in a manually configured ARP ACL, it will drop any ARP request from it and it won't be able to reach the DHCP server to do the 4 steps.
Since I couldn't find a logical and practical way to resolve this problem, I'm asking for your advice and help in solving this issue.
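For reference, here is the full access-switch and distribution-switch configuration that the steps above describe, together with the show commands used to check it. This is an added example, not the poster's running config. VLAN 10, the interface numbers and the descriptions are assumptions; the commands themselves are the standard IOS DHCP snooping and DAI commands on a 3560. One point worth keeping in mind while reading the checks: DAI inspects only ARP packets (against the DHCP snooping binding table and any ARP ACLs); it does not touch DHCP traffic, so the first thing to establish is whether the new laptop ever gets a lease at all.

```cisco
! ===== ACCESS switch (3560) =====
! Assumed: VLAN 10 for clients, Gi0/1 = laptop, Gi0/24 = uplink to distribution
ip dhcp snooping
ip dhcp snooping vlan 10
! DAI for the same VLAN; extra sanity checks on the ARP body are optional
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 256
!
interface GigabitEthernet0/1
 description laptop - untrusted for both DHCP snooping and DAI (the default)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description uplink to distribution - trusted for both features
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ===== DISTRIBUTION (transit) switch (3560) =====
! Assumed: Gi0/23 = trunk to core / DHCP-server switch, Gi0/24 = trunk to access
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface range GigabitEthernet0/23 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ===== Checks to run on the ACCESS switch after a laptop is plugged in =====
! 1. Did the client complete the DHCP exchange? A binding appears here only after
!    the DHCPACK is seen. No binding means a DHCP problem, not a DAI problem.
show ip dhcp snooping
show ip dhcp snooping binding
! 2. Is DAI actually enabled for the VLAN, and are the trunks trusted?
show ip arp inspection vlan 10
show ip arp inspection interfaces
! 3. Are ARP packets from the client being dropped, and for which reason?
show ip arp inspection statistics vlan 10
show ip arp inspection log
```

Two caveats that go with this. Any port behind which a DHCP server or another trusted switch sits must be `ip dhcp snooping trust`, otherwise the offers arriving on it are discarded; on the switch that hosts the DHCP server this applies to whichever port the offers enter through. Untrusted ports also get a DAI rate limit of 15 ARP packets per second by default, and a port that exceeds it is err-disabled, which shows up in `show ip arp inspection interfaces` and in the log rather than as a DHCP failure.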