DHCP Snooping Database

Answered Question
Jan 25th, 2014

All,


If I had a dhcp database on a server and configured on the switch as a tftp location, what would the outcome be if one person on switch 1 moved to another jack on switch 3? Both ports that the user connects to on each switch are configured as untrusted. Technically, the user would have an entry in the database for switch 1: port number. Will that user be able to pass traffic through switch 3 when connected to it? I'm thinking no, unless the dhcp database allows for multiple entries for the same mac/ip address. I'm thinking more along the lines of a user leaving their office and then making a connection to a conference room. I don't want to trust all of these ports if not needed.


Also, how do you handle your dhcp database? Do you use a tftp server or flash? I was going to use flash, but the databases can't (possibly) be shared between switches outside of setting up a tftp server on one of them. Do you use external databases and how well do they work?


Thanks!

John


Rolf Fischer Sat, 01/25/2014 - 09:29

John,

from my understanding, storing the dhcp snooping database on a server or the switch's flash is particularly important when you want to use additional security features which use the dhcp binding table as well, like DAI or IP Source Guard.

As dhcp snooping only stops clients from acknowledging dhcp discovers/requests (like a DHCP server would do) and (optionally) stops DHCP starvation attacks, the existence or absence of an entry in the snooping binding table wouldn't have any impact on normal client operation.

We used a tftp-server (CiscoWorks LMS, can't remember any problem) for the binding-table a couple of years ago because we also used DAI and IP Source Guard at that time and those features wouldn't allow client-operation without a binding table (e.g. after the reload of a switch).

Since we no longer use DAI/IPSG, we don't store the binding table any more.

HTH

Rolf

John Blakley Sat, 01/25/2014 - 11:49

Thanks Rolf. Yeah, I ended up configuring an scp server with Solarwinds and was able to finally get bindings. I have a few concerns for Monday though when people start coming in. I noticed that the dhcp binding is still listed in the switch even though it writes the binding to the database at the server. I wonder what happens if the server becomes unavailable for some reason. I suspect that it will be okay since the bindings are also showing up in the switch.


John

Correct Answer
Rolf Fischer Sat, 01/25/2014 - 12:30

I noticed that the dhcp binding is still listed in the switch even though it writes the binding to the database at the server.

Right, the binding file on the server is only kind of a backup which will be loaded by the switch after a switch-reload.


I wonder what happens if the server becomes unavailable for some reason.


If I remember correctly, the switch will generate a syslog-message to inform about such conditions.

As long as the switch doesn't reload, no problem at all. And as long as you don't enable DAI and/or IPSG I wouldn't even expect any problem after a reload. To my best knowledge, missing entries in the binding table shouldn't have any impact for clients on untrusted interfaces if you only enabled dhcp snooping.


So I guess you can relax for the rest of the weekend ;-)


HTH

Rolf
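Rolf's point, as an added IOS configuration example that is not part of the thread: plain DHCP snooping with the database agent pointed at a TFTP server, and the DAI/IPSG lines that are the only reason the backed-up binding table matters after a reload. Server address, VLAN, interface numbers and file name are assumed values.

```cisco
! Added example (not from the thread). Addresses, VLAN, interface numbers
! and the file name are assumed values.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Database agent: bindings learned in RAM are written to this URL and read
! back after a reload. Use a distinct file per switch so switches do not
! overwrite each other's bindings. With snooping alone, an unreachable
! server or a missing file does not stop clients on untrusted ports.
ip dhcp snooping database tftp://10.0.0.5/switch1-bindings.db
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 300
!
! Uplink toward the DHCP server: the only port allowed to carry server replies.
interface GigabitEthernet1/0/48
 description uplink
 ip dhcp snooping trust
!
! User-facing ports stay untrusted; the rate limit guards against DHCP starvation.
interface range GigabitEthernet1/0/1 - 47
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! Only these two features make a missing binding matter for a client:
! DAI drops ARP that has no matching binding, IPSG drops IP traffic that has none.
! Enable them only once the database agent is in place and verified after a reload.
ip arp inspection vlan 10
interface range GigabitEthernet1/0/1 - 47
 ip verify source
!
! Verification after a reload (exec mode):
!   show ip dhcp snooping binding
!   show ip dhcp snooping database
```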
