Hi CCIE candidates

In a non-DHCP environment we should skip all the DHCP snooping config part because we have no DHCP snooping database. Then the arp inspection config should look like this:

 arp access-list ARP-LIST
   ! allow non-dhcp client
   permit ip host 10.10.10.10 mac host 1111.2222.3333
 !
 ! only validate against the ARP ACL (*)
 ip arp inspection filter ARP-LIST vlan 10 static

* There is another option for the DAI filter and that is "static". If we applied this argument to the command, DAI would only check the ARP ACL and not fall back to the DHCP snooping database.

My question is:

Should we use the "static" keyword when we use arp inspection in non-dhcp environment? I think not....because we have no snooping database to fall back to. I think the static keyword is only needed in a mixed environment - i.e. an environment with both DHCP hosts and static assigned hosts and with DHCP snooping and DAI enabled. Please correct me if my understanding is wrong....

Peter Jørgensen

In a non-DHCP environment we should skip all the DHCP snooping config part because we have no DHCP snooping database. Then the arp inspection config should look like this:

 arp access-list ARP-LIST
   ! allow non-dhcp client
   permit ip host 10.10.10.10 mac host 1111.1111.1111
 !
 ! only validate against the ARP ACL (*)
 ip arp inspection filter ARP-LIST vlan 13 static
 ! validate source mac and IP
 ip arp inspection validate src-mac ip


* There is another option for the DAI filter and that is "static". If we applied this argument to the command, DAI would only check the ARP ACL and not fall back to the DHCP snooping database.


My question is:

Should we use "static" when we use DHCP snooping in non-dhcp environment? I think not....because we have no snooping database. I think the static keyword is only needed in a mixed environment - i.e. an environment with both DHCP and static clients and with snooping enabled. Please correct me if I'm wrong....

Peter Jørgensen
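
The check order described in the footnote above, as an added example that is not part of the original post: a simplified Python model of how DAI judges one ARP packet on an untrusted port, with and without `static`, run against an empty and a populated DHCP snooping table. The second host (10.10.10.20 / 4444.5555.6666), the spoofed MAC and all function names are constructed for illustration; real bindings also carry VLAN and interface, and the `validate` checks are not modelled.

```python
# ARP ACL from the post: permit ip host 10.10.10.10 mac host 1111.2222.3333
ARP_ACL = [("permit", "10.10.10.10", "1111.2222.3333")]

# Constructed sample packets: (sender IP, sender MAC) taken from the ARP body.
PACKETS = {
    "static host": ("10.10.10.10", "1111.2222.3333"),
    "spoofed static host": ("10.10.10.10", "aaaa.bbbb.cccc"),
    "dhcp host": ("10.10.10.20", "4444.5555.6666"),
}

NON_DHCP = {}                              # no DHCP snooping bindings at all
MIXED = {"10.10.10.20": "4444.5555.6666"}  # constructed binding for the DHCP host


def dai_verdict(sender_ip, sender_mac, acl, static, bindings):
    """Return 'forward' or 'drop' for one ARP packet (simplified model)."""
    mac = sender_mac.lower()
    # 1. The ARP ACL is evaluated first; an explicit match decides the packet.
    for action, ip, acl_mac in acl:
        if ip == sender_ip and acl_mac.lower() == mac:
            return "forward" if action == "permit" else "drop"
    # 2. With "static" the implicit deny is final; bindings are never consulted.
    if static:
        return "drop"
    # 3. Without "static", fall back to the DHCP snooping binding table.
    return "forward" if bindings.get(sender_ip, "").lower() == mac else "drop"


def compare(bindings):
    """Map each sample packet to (verdict without static, verdict with static)."""
    return {
        name: (
            dai_verdict(ip, mac, ARP_ACL, False, bindings),
            dai_verdict(ip, mac, ARP_ACL, True, bindings),
        )
        for name, (ip, mac) in PACKETS.items()
    }


if __name__ == "__main__":
    for label, table in (("non-DHCP", NON_DHCP), ("mixed", MIXED)):
        print(label)
        for name, (without_static, with_static) in compare(table).items():
            print(f"  {name:22} no static: {without_static:8} static: {with_static}")
```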
