Filter
Top Products
Snooping and Inspecting Traffic 885
re-enable the port. DAI rate limiting cannot be enabled on trusted interfaces.
Use the no ip arp inspection limit command to disable diagnostic disabling
of untrused ports due to DAI.
Why Is Traffic Snooping and Inspection Necessary?
DHCP Snooping, IPSG, and DAI are security features that can help protect
the switch and the network against various types of accidental or malicious
attacks. It might be a good idea to enable these features on ports that provide
network access to hosts that are in physically unsecured locations or if
network users connect nonstandard hosts to the network.
For example, if an employee unknowingly connects a workstation to the
network that has a DHCP server, and the DHCP server is enabled, hosts that
attempt to acquire network information from the legitimate network DHCP
server might obtain incorrect information from the rogue DHCP server.
However, if the workstation with the rogue DHCP server is connected to a
port that is configured as untrusted and is a member of a DHCP Snooping-
enabled VLAN, the port discards the DHCP server messages.
Default Traffic Snooping and Inspection Values
DHCP snooping is disabled globally and on all VLANs by default. Ports are
untrusted by default.
Table 27-1. Traffic Snooping Defaults
Parameter Default Value
DHCP snooping mode Disabled
DHCP snooping VLAN mode Disabled on all VLANs
Interface trust state Disabled (untrusted)
DHCP logging invalid packets Disabled
DHCP snooping rate limit 15 packets per second
DHCP snooping burst interval 1 second
DHCP snooping binding database
storage
Local
DHCP snooping binding database
write delay
300 seconds