DHCP Snooping Database

John Blakley
VIP Alumni

All,

If I had a dhcp database on a server and configured on the switch as a tftp location, what would the outcome be if one person on switch 1 moved to another jack on switch 3. Both ports that the user connects to on each switch are configured as untrusted. Technically, the user would have an entry in the database for switch 1: port number. Will that user be able to pass traffic through switch 3 when connected to it? I'm thinking no, unless the dhcp database allows for multiple entries for the same mac/ip address. I'm thinking more along the lines of a user leaving their office and then making a connection to a conference room. I don't want to trust all of these ports if not needed.

Also, how do you handle your dhcp database? Do you use a tftp server or flash? I was going to use flash, but the databases can't (possibly) be shared between switches outside of setting up a tftp server on one of them. Do you use external databases and how well do they work?

Thanks!

John

HTH, John *** Please rate all useful posts ***

4 Replies

Rolf Fischer
Level 9

John,

from my understanding, storing the dhcp snooping database on a server or the switch's flash is particularly important when you want to use additional security features which use the dhcp binding table as well, like DAI or IP Source Guard.

As dhcp snooping only avoids that clients acknowledge dhcp discovers/requests (like a DHCP server would do) and (optionally) DHCP starvation attacks, the existence or absence of an entry in the snooping binding table wouldn't have any impact for normal client operation.

We used a tftp-server (CiscoWorks LMS, can't remember any problem) for the binding-table a couple of years ago because we also used DAI and IP Source Guard at that time and those features wouldn't allow client-operation without a binding table (e.g. after the reload of a switch).

Since we no longer use DAI /IPSG, we don't store the binding table any more.

HTH

Rolf

Thanks Rolf. Yeah, I ended up configuring an scp server with Solarwinds and was able to finally get bindings. I have a few concerns for Monday though when people start coming in. I noticed that the dhcp binding is still listed in the switch even though it writes the binding to the database at the server. I wonder what happens if the server becomes unavailable for some reason. I suspect that it will be okay since the bindings are also showing up in the switch.

John

HTH, John *** Please rate all useful posts ***

I noticed that the dhcp binding is still listed in the switch even though it writes the binding to the database at the server.

Right, the binding file on the server is only kind of a backup which will be loaded by the switch after a switch-reload.

I wonder what happens if the server becomes unavailable for some reason.

If I remember correctly, the switch will generate a syslog-message to inform about such conditions.

As long as the switch doesn't reload, no problem at all. And as long as you don't enable DAI and/or IPSG I wouldn't even expect any problem after a reload. To my best knowledge, missing entries in the binding table shouldn't have any impact for clients on untrusted interfaces if you only enabled dhcp snooping.

So I guess you can relax for the rest of the weekend ;-)

HTH

Rolf
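As an added illustration of the setup discussed in this thread (not configuration posted by either John or Rolf): a DHCP snooping configuration with the database agent writing to a TFTP server, one file per switch, with only the uplink trusted. The server address 192.0.2.10, the file name and the interface numbers are assumed values.

```cisco
! Added example (not from the thread). DHCP snooping on the access VLANs,
! with the binding table backed up to a TFTP server. 192.0.2.10 and the
! interface names are assumed values.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Each switch keeps its own binding table in RAM; the agent file is only the
! copy read back after a reload, so give every switch its own file name
! rather than pointing several switches at one shared file.
ip dhcp snooping database tftp://192.0.2.10/sw1-dhcp-snoop.db
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 300
!
! Only the uplink toward the DHCP server is trusted. Access ports, including
! conference-room jacks, stay untrusted; a rate limit caps DHCP flooding.
interface GigabitEthernet1/0/1
 description uplink-to-core
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/2 - 48
 description access
 ip dhcp snooping limit rate 15
!
! Verification. The second command shows the agent URL, write delay, abort
! timer and the read/write failure counters, which is where an unreachable
! server shows up (the switch also logs the failed agent operation).
! show ip dhcp snooping binding
! show ip dhcp snooping database
```

With snooping alone, a host that moves to another switch simply has no entry there until it next sends DHCP traffic, which does not affect forwarding; only DAI or IP Source Guard on that switch would block the host until a binding exists.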

Thanks Rolf

John

HTH, John *** Please rate all useful posts ***