I have a LAN environment with roughly 4000 end devices that utilize DHCP. At the core we have two 6500 series route-switches with Sup720s, a distribution layer with 4000 series switches, and either 3560 or 2950 series access switches at the edge.
We have a need to protect the environment from rogue DHCP servers, so I deployed DHCP snooping in the following fashion. On one core box, which also has the DHCP servers directly connected, I configured DHCP snooping for four /24 networks and trusted the ports to the DHCP servers. On the other core box I configured DHCP snooping for the same four networks and only trusted the trunks to the other core. At the distribution layer I again configured DHCP snooping for the same four networks and trusted the uplinks to the core.
I observed the following behavior:
- The CPU utilization on the 6500s went from 1-3% to 80-99% and sustained that level for more than 15 minutes.
- Two processes, DHCP snooping and IP input, were causing the spike.
- If I disabled DHCP snooping on either core box, the CPU of that box would immediately settle to 1-3%.
- When I disabled DHCP snooping on one 6500, the other core box's CPU would also drop to 1-10%.
- If I added DHCP snooping rate limiting at 200 pps on the interface, it would shut the interface down (expected behavior, but I'm not sure if I should expect 200 pps or how to better calculate expectations).
- The distribution switches' CPU went from 3-6% to 25-35%.
- I seem to also recall that one distribution switch was not building any bindings.
1.) Are these expected results of deploying DHCP snooping?
2.) What are the limits on the quantity of traffic inspected? Obviously the CPU has to process these packets but what is an equation to find out how much traffic I can inspect per platform?
3.) Why would removing the DHCP snooping process on one core switch cause the second switch's CPU load to be reduced?
4.) How do you go about estimating an expected DHCP requests-per-second variable?