[c-nsp] dai / dhcp snooping bug

Mike mike-cisconsplist at tiedyenetworks.com
Mon Aug 10 10:09:11 EDT 2015


On 08/10/2015 06:42 AM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> I've just now discovered a cli command - 'ip dhcp snooping binding
>> ....' - which allows me to directly inject the needed information.
>> This would solve my short term problem and let me get back to a
>> reasonably well populated dhcp snooping table, but the question
>> becomes, is this going to just be what I do if this issue crops up
>> again or is there any configuration work I could do that would make
>> the switch able to maintain this table itself?
> IIRC you need to have the switch see the full original DHCP request
> and not just the half-time refresh....which makes DAI quite painful
> because if the switch has reloaded, then clients that stay up will end up failing
> UNLESS you save the state to flash before a reload.  static systems
> on the ports also cause pain as they need to be added manually
> (or you can turn off the security features for that port but then you're opening
> up attacks via that port....especially bad if it's on the same VLAN as
> the other protected ports!).
>
> ip dhcp snooping database    is the option for saving/recording the translations
> (flash, URL, TFTP etc)
>
> alan
>

Actually, I have that already and yes it works and yes it reloaded the 
db when I reloaded when trying out the SE7 code. My issue is that due to 
some reason I still don't comprehend, the snooping database was 
seriously out of whack and the clients were only doing that half time 
refresh, which wasn't enough to let this ship right itself. Still trying 
to understand how this came to be.

Thank you.
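As an added example (not from the thread or from Cisco), a small Python script that automates the short-term fix Mike describes: it reconciles the switch's binding table against its ARP and MAC address tables and prints the `ip dhcp snooping binding ...` commands for hosts that are present on untrusted access ports but missing from the snooping database, so DAI stops dropping them. It assumes an L3 switch whose ARP table is authoritative for the VLAN; the show-command output embedded below is constructed sample data, and the generated list should be reviewed before it is pasted into the switch, since an ARP entry alone does not prove a host is legitimate.

```python
# Reconcile the DHCP-snooping binding table with the ARP and MAC tables and
# emit the 'ip dhcp snooping binding' commands for hosts that lack a binding.
# The show-command output below is constructed sample data, not a real capture.
import re

SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.10.5               5   0011.2233.4455  ARPA   Vlan10
Internet  10.0.10.9              12   0011.2233.4466  ARPA   Vlan10
Internet  10.0.10.1               -   0011.2233.4400  ARPA   Vlan10
"""
SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0011.2233.4466    DYNAMIC     Gi1/0/7
  10    0011.2233.4400    DYNAMIC     Gi1/0/48
"""
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
00:11:22:33:44:55   10.0.10.5        86400       dhcp-snooping   10   GigabitEthernet1/0/5
"""
TRUSTED = {"Gi1/0/48"}  # uplink towards router/DHCP server: DAI does not inspect it

def norm_mac(mac):  # 0011.2233.4455 or 00:11:22:33:44:55 -> 001122334455
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):  # mac -> ip, from 'show ip arp'
    return {norm_mac(m[2]): m[1]
            for m in re.finditer(r"^Internet\s+(\S+)\s+\S+\s+(\S+)", text, re.M)}

def parse_mac_table(text):  # mac -> (vlan, port), from 'show mac address-table'
    return {norm_mac(m[2]): (int(m[1]), m[3])
            for m in re.finditer(r"^\s*(\d+)\s+(\S+)\s+\S+\s+(\S+)", text, re.M)}

def parse_bindings(text):  # MACs already present in 'show ip dhcp snooping binding'
    return {norm_mac(m[1]) for m in re.finditer(r"^([0-9A-Fa-f:]{17})\s", text, re.M)}

def missing_bindings(arp, mac_table, bound, trusted, lease=86400):
    # One exec-mode command per host on an untrusted port with no binding.
    cmds = []
    for mac, ip in sorted(arp.items()):
        if mac in bound or mac not in mac_table:
            continue  # already bound, or not learned on this switch
        vlan, port = mac_table[mac]
        if port in trusted:
            continue  # trusted ports are exempt from DAI/snooping checks
        dotted = f"{mac[:4]}.{mac[4:8]}.{mac[8:]}"
        cmds.append(f"ip dhcp snooping binding {dotted} vlan {vlan} {ip} "
                    f"interface {port} expiry {lease}")
    return cmds
```

Feed it the real `show ip arp`, `show mac address-table` and `show ip dhcp snooping binding` output, and pair the injected entries with `ip dhcp snooping database` so they survive the next reload.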
