[c-nsp] dai / dhcp snooping bug

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Mon Aug 10 09:42:23 EDT 2015


> I've just now discovered a cli command - 'ip dhcp snooping binding
> ....' - which allows me to directly inject the needed information.
> This would solve my short term problem and let me get back to a
> reasonably well populated dhcp snooping table, but the question
> becomes, is this going to just be what I do if this issue crops up
> again or is there any configuration work I could do that would make
> the switch able to maintain this table itself?

IIRC you need to have the switch see the full original DHCP request
and not just the half-time refresh....which makes DAI quite painful
because if the switch has reloaded, then clients that stay up will end up failing
UNLESS you save the state to flash before a reload.  static systems
on the ports also cause pain as they need to be added manually 
(or you can turn off the security features for that port but then you're opening
up attacks via that port....especially bad if it's on the same VLAN as
the other protected ports!).  

'ip dhcp snooping database ...' is the option for saving/recording the translations
(flash, URL, TFTP etc).
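Added example (mine, not from this thread or from the original poster's switch): an IOS configuration that puts the pieces above together: the snooping database agent so the bindings survive a reload, trust only on the uplink, and a static entry for a non-DHCP host instead of disabling the checks on its port. The VLAN number, file path, TFTP host, MAC/IP pair and interface names are assumed placeholders; the 'ip source binding' form is an assumption on my part, not something the thread mentions, used because it lives in the running config rather than expiring like 'ip dhcp snooping binding'.

```text
! --- constructed example config, replace all values ---
! 1. DHCP snooping and DAI on the client VLAN (assumed VLAN 10)
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! 2. Persist the binding table so it is still there after a reload.
!    Local flash keeps it on-box; a TFTP URL keeps a copy off-box.
ip dhcp snooping database flash:/dhcp-snooping.db
! or: ip dhcp snooping database tftp://10.0.0.5/sw1-dhcp-snooping.db   (assumed host)
ip dhcp snooping database write-delay 30
!
! 3. Uplink toward the DHCP server / relay: the only trusted port.
!    Access ports stay untrusted (the default) so DAI checks them.
interface GigabitEthernet1/0/48
 description uplink to core (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. Statically addressed host on an access port: add a binding for it
!    rather than trusting the port. 'ip source binding' is kept in the
!    running config; 'ip dhcp snooping binding ... expiry N' is not saved
!    and ages out after N seconds (useful for a one-off repair only).
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/5
! one-off repair form:
! ip dhcp snooping binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/5 expiry 86400
!
! Verification after a reload:
! show ip dhcp snooping database
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 10
```

The write-delay value is how long the switch waits after a change before rewriting the file, so a small value costs more flash writes but narrows the window in which a reload loses recent leases.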
