[c-nsp] dai / dhcp snooping bug

Antoine Monnier mrantoinemonnier at gmail.com
Mon Aug 10 11:21:33 EDT 2015


So, for my own understanding, are we saying unicast DHCP refresh is still
handled ok by the DHCP snooping feature?
Is it more a problem of DHCP server restart and/or switch reload?

Thanks!

On Mon, Aug 10, 2015 at 4:09 PM, Mike <mike-cisconsplist at tiedyenetworks.com>
wrote:

> On 08/10/2015 06:42 AM, A.L.M.Buxey at lboro.ac.uk wrote:
>
>> Hi,
>>
>>> I've just now discovered a cli command - 'ip dhcp snooping binding
>>> ....' - which allows me to directly inject the needed information.
>>> This would solve my short term problem and let me get back to a
>>> reasonably well populated dhcp snooping table, but the question
>>> becomes, is this going to just be what I do if this issue crops up
>>> again or is there any configuration work I could do that would make
>>> the switch able to maintain this table itself?
>>>
>> IIRC you need to have the switch see the full original DHCP request
>> and not just the half-time refresh....which makes DAI quite painful
>> because if the switch has reloaded, then clients that stay up will end up
>> failing UNLESS you save the state to flash before a reload.  static systems
>> on the ports also cause pain as they need to be added manually
>> (or you can turn off the security features for that port but then you're
>> opening up attacks via that port....especially bad if it's on the same VLAN
>> as the other protected ports!).
>>
>> ip dhcp snooping database    is the option for saving/recording the
>> translations (flash, URL, TFTP etc)
>>
>> alan
>>
>
> Actually, I have that already and yes it works and yes it reloaded the db
> when I reloaded when trying out the SE7 code. My issue is that due to some
> reason I still don't comprehend, the snooping database was seriously out of
> whack and the clients were only doing that half time refresh, which wasn't
> enough to let this ship right itself. Still trying to understand how this
> came to be.
>
> Thank you.
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
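
Added example, not part of the thread and not any poster's configuration: a Cisco IOS sketch of the two commands named in the quoted messages, `ip dhcp snooping database` and a manual `ip dhcp snooping binding` entry, plus an ARP ACL as one way to handle a static host under DAI. The VLAN, interface, file name, timer values, addresses and ACL name are constructed placeholders, and exact syntax can vary by platform and release.

```cisco
! --- Global configuration (constructed values throughout) ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Persist the binding table so DAI still has entries after a reload.
! The target can be local flash or a remote URL (tftp, ftp, ...).
ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 300
!
ip arp inspection vlan 10
!
! Uplink toward the DHCP server: trusted for snooping and for DAI.
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
 ip arp inspection trust
!
! Static (non-DHCP) host on a protected port: match it with an ARP ACL
! instead of disabling inspection on that port.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.20 mac host 0000.5e00.5314
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- Privileged EXEC (not configuration mode) ---
! Manually inject one missing binding for a client that is only renewing.
! expiry is in seconds and should match the remaining lease.
ip dhcp snooping binding 0000.5e00.5301 vlan 10 192.0.2.101 interface GigabitEthernet1/0/5 expiry 43200
!
! Check what the switch currently holds and whether the database
! agent is writing successfully.
show ip dhcp snooping binding
show ip dhcp snooping database
show ip arp inspection statistics vlan 10
```

Manually injected bindings age out at their expiry like learned ones, so comparing `show ip dhcp snooping binding` against the DHCP server's lease table is the practical way to spot a table that has drifted.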

