Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DHCP Snooping and DAI stops DHCP Clients from receiving IPs


I've been having some issues for quite some time now regarding the implementation of DAI over DHCP Snooping in a dynamic environment. I've been searching for a thread/discussion that is remotely related to mine but unfortunately I wasn't able to find one so please excuse me if I didn't post in the right category.

The problem is as follows:

Giving 3 x 3560 (WS-C3560G-24TS-S) and a laptop I've tried enhancing the security by activating both DHCP Snooping and DAI. One of the 3560 is the DHCP Server, the second one is a "transit" switch and the third one is the "access" switch.

The topology would be similar to this:

Laptop -> 3560 (Access Switch) -> 3560 (Distribution SW) -> 3560 (Core Switch + DHCP Server)

The configuration for the access and distribution switches, before implementing DAI, in order for the laptop to receive IP from the DHCP Server would be like this:

  • Put the laptop in access mode and in corresponding vlan
  • DHCP Snooping enabled for that certain VLAN on both access and distribution switches
  • Disable option-82
  • Set the trunk that goes from access to distribution and the trunk from distribution to core as trusted

In this current setup the laptop is able to receive the IP and the rest of the DHCP Server information as planned.

If I enable DAI on the access switch no other laptops will be able to gain IP from the DHCP Server. Here are the steps used:

  • Enable DAI for the vlan that the new laptop will be connected to on both access and distribution switches (the ports on the access switch are all in the right vlan and manually access)
  • Set the trunk from access to distribution and the trunk from distribution as trust

After all this is set if a new laptop plugs in, DAI will not allow it to get the info from the DHCP Server.

I've been searching for answer for a while now and my logic, so far, is the following:

DAI is looking at DHCP Snooping DB and at ARP ACLs to allow that ARP packet to flow but since it's a new laptop and it hasn't got an entry in the DHCP Snooping DB and since it's a random laptop it can't have any entry in a manually configured ARP ACL, it will drop any ARP request from it and it won't be able to reach the DHCP Server to do the 4 steps.

Since I couldn't find a logical and a practical way to resolve this problem I'm asking for your advice and help into solving this issue.

Looking forward to your reply.

  • Small Business Security
Everyone's tags (4)