To help myself better understand private VLANs I created the following picture:

As mentioned in my previous post, here are my notes on DAI.

To enable DAI all is needed is 1 command:  (config)#ip arp inspection vlan <num> HOWEVER there is so much behind this simple command it is scary.

Unless additional parameters are configured DAI uses the DHCP snooping bindings table to know what IP-to-MAC-to-Interface mappings are permitted.  Here is a copy of my DHCP snooping table on my home switch:

daxm-home-switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
——————  —————  ———-  ————-  —-  ——————–
00:1E:90:EC:61:7A   192.168.1.39     2747        dhcp-snooping   1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     3528        dhcp-snooping   1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     3003        dhcp-snooping   1     FastEthernet1/0/1
Total number of bindings: 3

daxm-home-switch#

DHCP snooping seems to me to be a strange security enhancement. Though I do agree that securing against a rogue DHCP server is important the way Cisco implements it is odd.

In order for DHCP snooping to work at least 3 configurations are  needed:

1) Enable DHCP snooping on the switch — (config)#ip dhcp snooping

2) All ports are “untrusted” by default.  Specify which port are “trusted”.  A trusted interfaces consist of interfaces along the path to the DHCP server.  So, trunk ports and the actual port connecting to the DHCP server need to be configured as trusted ports.  — (config-if)#ip dhcp snooping trust

3) Identify which VLANs DHCP snooping will monitor. — (config)#ip dhcp snooping vlan <num>

4) (Optional?)  After configuring the above commands in my local (home) network I noticed that my DHCP requests were not being answered.  Thanks to a buddy of mine (Thanks Walt!) he showed me that the DHCP snooping process was adding Option 82 to my DHCP requests by default.  Apparently my DHCP server didn’t like that option because as soon as I disabled Option 82 from being sent my DHCP requests were being answered. — (config)#no ip dhcp snooping information option

A quick note on VLANs traversing trunk links between switches:

Even though VLANs 1-4094 are allowed, by default, across a trunk link the remote switch will NOT process the encapsulated frame if that switch is not made aware of the incoming VLAN tag.

Therefore, ALL switches within a broadcast domain need to be made aware of ALL VLANs that will/can traverse their trunked ports.