Tuesday, June 22, 2021

Issues with DHCP snooping / DAI

Having some issues with snooping and DAI. We run a collapsed core type setup with all Cisco equipment. We have had both snooping and DAI set up on our access switches for some time now with no issues at all. Recently we decided to implement it on our core switch, just to satisfy security requirements that we have been avoiding for a while now. We do have access ports on the core, which I know isn't always normal, but this is why we are implementing it. Anyways, here are the commands I put in.

ip dhcp snooping
ip dhcp snooping vlan 100,101
ip dhcp snooping trust (on all trunks and servers)
no ip dhcp snooping information option
ip arp inspection vlan 100,101
ip arp inspection trust (on all trunks and servers)

When I first implemented this, everything worked, no issues at all. After a few days, we started having issues with vlan 101. This vlan is mostly thin clients that do PXE booting. The thin clients started to not pull images or even connect to the DHCP server to pull an IP address. Then not long after, the hard boxes started losing connection as well. I then took off DAI and snooping just for that vlan and everything started working fine.

Yesterday, vlan 100 started having issues. This vlan is more of a BYOD network. We just connect laptops and Microsoft Surface Pros to it. Some devices yesterday started losing connection, mostly devices going directly to the core. Then this morning, even more devices started having issues, including devices that get connection from the access layer switches. Took off snooping and DAI and everything started working fine.

I want to stress too that everything was working fine for days, and then slowly things stopped working.

One more detail to note, we do have a DHCP relay going to the DHCP server. This is done with our ASA via a router-on-a-stick setup with inter-VLAN routing. The ASA sits right above the core switch and is connected over a port channel with five 1 Gb links. This port channel is configured as a trusted port for both DHCP snooping and DAI.

So a few questions...

1.) The devices going straight to the core are connected with a media converter (fiber to cat5/6). Would these cause any issues? From my understanding media converters do not have any type of MAC to identify them, so I wouldn't think they would cause issues with any settings on the switch.

2.) Is there anything that needs to be done on the actual DHCP server to make things work correctly? The DHCP server is just a service running on Windows server in our data center, which is managed by our sysadmins.

3.) Are there any other commands I need to run? I used the same commands I have on the access switches, which have had no issues since setup.
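As an added illustration (not from the post), a small Python model of what DAI does with an ARP packet on an untrusted port: it consults the DHCP snooping binding table, which only holds leases the switch saw being granted after snooping was turned on, and whose entries age out with the lease unless a renewal is snooped. Ports, VLANs, MACs, addresses and the lease length below are constructed.

```python
"""Added model of the DHCP snooping / DAI decision; not from the post.
Constructed data: ports, VLANs 100/101, MACs, IPs and a fake clock."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    ip: str
    expires: int  # lease end, in seconds of the constructed clock


@dataclass
class Switch:
    trusted: set              # 'ip dhcp snooping trust' / 'ip arp inspection trust'
    dai_vlans: set            # 'ip arp inspection vlan ...'
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding

    def snoop_dhcp_ack(self, mac, ip, vlan, lease, now):
        # A binding is created only for DHCP ACKs the switch sees after
        # snooping was enabled; a renewal seen later refreshes the entry.
        self.bindings[(mac, vlan)] = Binding(ip, now + lease)

    def dai(self, port, vlan, sender_mac, sender_ip, now):
        """Return 'forward' or 'drop' for an ARP packet arriving on port."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forward"          # trusted ports bypass validation
        b = self.bindings.get((sender_mac, vlan))
        if b and b.ip == sender_ip and b.expires > now:
            return "forward"          # sender IP/MAC matches a live binding
        return "drop"                 # no, expired or mismatched binding


def scenario():
    sw = Switch(trusted={"Po1", "Gi1/0/48"}, dai_vlans={100, 101})
    old, new = "00:11:22:33:44:01", "00:11:22:33:44:02"
    # 'old' got its lease before snooping was enabled: the switch never saw
    # that exchange, so there is no binding. 'new' DHCPs after enabling.
    sw.snoop_dhcp_ack(new, "10.1.101.20", 101, lease=86400, now=0)
    out = {
        "pre_existing_lease": sw.dai("Gi1/0/10", 101, old, "10.1.101.10", 0),
        "fresh_lease": sw.dai("Gi1/0/11", 101, new, "10.1.101.20", 100),
        "after_lease_expiry": sw.dai("Gi1/0/11", 101, new, "10.1.101.20", 90000),
        "from_trusted_uplink": sw.dai("Po1", 101, old, "10.1.101.10", 0),
    }
    sw.snoop_dhcp_ack(new, "10.1.101.20", 101, lease=86400, now=90000)
    out["renewed_lease"] = sw.dai("Gi1/0/11", 101, new, "10.1.101.20", 90001)
    return out


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:22s} {verdict}")
```

On a real switch the equivalent checks are `show ip dhcp snooping binding` against the clients that lost connectivity and `show ip arp inspection statistics vlan 101` for a rising drop count.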
