Backing Up DHCP Snooping Bindings

DHCP Snooping and Dynamic ARP Inspection are two fantastic little layer 2 security features.  I won’t go into the configuration since it has been described quite well in lots of other blogs.

ARP inspection relies on the DHCP binding table that DHCP snooping builds on the switch.  Since this table is lost if the switch reboots, hosts would need to re-DHCP before ARP inspection would let their ARPs through.  A nice fix for this is to back up the binding table to a TFTP server like so:

ip dhcp snooping database tftp://10.10.10.10/mydhcptable   <- "mydhcptable" is the name of the file to be saved; it needs to be unique for each switch

When I first enabled this I got the following error message:

%DHCP_SNOOPING-4-AGENT_OPERATION_FAILED: DHCP snooping binding transfer failed. Unable to access URL.

The Cisco documentation for this error lists several causes, but none of them seemed to apply to my situation.  After much searching around, it seems that the file needed to be created on the TFTP server first.  I created a text file and uploaded it to the TFTP server and then tried to enable the binding backup again and got this message:

%DHCP_SNOOPING-4-AGENT_OPERATION_FAILED: DHCP snooping binding transfer failed. Expected more data on read

Before I could even start to look this one up I then saw this:

%DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded

I did a TFTP get of the file from the server and sure enough, it had a list of MAC-address-to-IP bindings.
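Since a lost binding table means ARP inspection blocks hosts after a reboot, it is worth watching syslog for these messages.  As an added example (not from the original post), here is a small script that reports switches whose most recent binding-database write failed, with a hint based on the two failure texts seen above; the hostnames, timestamps and sequence numbers in the sample lines are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines; hostnames, timestamps and sequence numbers are invented.
SAMPLE_SYSLOG = """\
Sep 20 10:01:02 sw-access-1 1234: %DHCP_SNOOPING-4-AGENT_OPERATION_FAILED: DHCP snooping binding transfer failed. Unable to access URL.
Sep 20 10:01:30 sw-access-2 2001: %DHCP_SNOOPING-4-AGENT_OPERATION_FAILED: DHCP snooping binding transfer failed. Expected more data on read
Sep 20 10:01:31 sw-access-2 2002: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded
Sep 20 10:02:00 sw-access-3 3100: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded
"""

# Assumed line layout: "<timestamp> <host> <seq>: %DHCP_SNOOPING-<sev>-AGENT_OPERATION_<RESULT>: <detail>"
AGENT_MSG = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+ "
    r"%DHCP_SNOOPING-(?P<sev>\d)-AGENT_OPERATION_(?P<result>FAILED|SUCCEEDED): "
    r"(?P<detail>.*)$"
)

# Hints keyed on the failure detail, taken from what was observed in the post.
HINTS = {
    "Unable to access URL": "target file may not exist on the TFTP server; create it and retry",
    "Expected more data on read": "seen on first write to an empty file; wait for a SUCCEEDED",
}


def parse_agent_events(text):
    """Return (host, result, detail) for each DHCP snooping agent message in text."""
    events = []
    for line in text.splitlines():
        m = AGENT_MSG.match(line)
        if m:
            events.append((m["host"], m["result"], m["detail"].rstrip(". ")))
    return events


def switches_with_failed_backup(text):
    """Return {host: hint} for switches whose latest binding transfer FAILED with no later SUCCEEDED."""
    latest = OrderedDict()
    for host, result, detail in parse_agent_events(text):
        latest[host] = (result, detail)          # later messages overwrite earlier ones
    failed = {}
    for host, (result, detail) in latest.items():
        if result == "FAILED":
            hint = next((h for k, h in HINTS.items() if k in detail),
                        "unknown cause; check the Cisco error documentation")
            failed[host] = hint
    return failed


if __name__ == "__main__":
    for host, hint in switches_with_failed_backup(SAMPLE_SYSLOG).items():
        print(f"{host}: last DHCP snooping database write failed ({hint})")
```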

Use caution when enabling these features on a production network.  I enabled them first on a test switch and tried out a few scenarios to see the results.

Links:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swdhcp82.html

http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/

Posted September 20, 2010 by SYN Eater in Security, Switching
