DHCP snooping and the snooping database.

jkeeffe
Level 2

DHCP Snooping best practice states to store the snooping database remotely in case of a catastrophic failure of the access switch.

We are getting ready to implement L2 security on our access switches (about 100 of them) and it seems that if we have each switch send its snooping database to a remote server we would have an administrative headache with all the files that are sent to the remote server. So my question is:

If we ignore the best practice to send the database file off the switch and instead store it in flash (I know flash is limited) and we have a failure of the switch thus losing the database file, won't the file get rebuilt when the switch is either powered back on or a new switch is installed - just like it got built when initially configured and activated?

If that is the case, then is the possibility of running out of flash memory the only reason to store the file off switch?

Accepted Solution

Rajeev Sharma
Cisco Employee

Hey,

You may store the information in flash and yes, it would survive the reboot just like the start-up configuration file; however, the term catastrophic failure points towards inaccessible flash or the switch not powering up. In such cases the snooping binding database will be lost.

Regarding your other concern, indeed running out of flash memory is one of the reasons, as it is limited space; and I believe every snooping entry contains 72 bytes of data, so I will leave this to your judgement as you are the best person to know how many DHCP entries will be on every box.

HTH.

Regards,

RS.
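
The answer above leaves the flash-sizing judgement to the reader. The following script is an added example written for this page, not code from the thread or from Cisco: it parses a constructed sample of 'show ip dhcp snooping binding' output, cross-checks the parsed row count against the "Total number of bindings" line, reads the free-space figure from the last line of a 'dir flash:' listing, and projects the database size using the 72-bytes-per-entry figure quoted in the answer. The sample output, the 10% reserve ratio and the function names are assumptions made for the example.

```python
import re

# Constructed sample of 'show ip dhcp snooping binding' output (not from the thread).
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.10.23       86145       dhcp-snooping   10   GigabitEthernet1/0/5
00:11:22:33:44:66   10.1.10.24       85990       dhcp-snooping   10   GigabitEthernet1/0/6
00:11:22:33:44:77   10.1.20.8        3600        dhcp-snooping   20   GigabitEthernet1/0/7
Total number of bindings: 3
"""

# Constructed sample of the totals line that closes a 'dir flash:' listing.
SAMPLE_DIR_TOTALS = "11353194496 bytes total (9493524480 bytes free)"

# Per-entry size as quoted in the accepted answer; treat it as an estimate, not a spec.
BYTES_PER_ENTRY = 72

# One binding row: MAC, IP, lease seconds, type, VLAN, interface.
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+)\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<iface>\S+)\s*$"
)


def parse_bindings(text):
    """Return one dict per binding row; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lease"] = int(row["lease"])
            row["vlan"] = int(row["vlan"])
            rows.append(row)
    return rows


def declared_total(text):
    """The count the switch itself reports, used to sanity-check the parser."""
    m = re.search(r"Total number of bindings:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_free_bytes(dir_totals_line):
    """Extract the free-byte figure from the '... bytes total (... bytes free)' line."""
    m = re.search(r"\((\d+) bytes free\)", dir_totals_line)
    if not m:
        raise ValueError("unrecognised dir totals line")
    return int(m.group(1))


def estimate_db_bytes(binding_count, bytes_per_entry=BYTES_PER_ENTRY):
    """Projected size of the snooping database file for a given number of bindings."""
    return binding_count * bytes_per_entry


def flash_fits(binding_count, free_bytes, bytes_per_entry=BYTES_PER_ENTRY, reserve_ratio=0.1):
    """True if the projected file fits while leaving reserve_ratio of free flash untouched.

    The 10% reserve is an assumption for this example, chosen so the database never
    competes with image upgrades or crashinfo files for the last bytes of flash.
    """
    projected = estimate_db_bytes(binding_count, bytes_per_entry)
    return projected <= free_bytes * (1 - reserve_ratio)


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_BINDINGS)
    reported = declared_total(SAMPLE_BINDINGS)
    if reported is not None and reported != len(rows):
        print(f"warning: parsed {len(rows)} rows but switch reports {reported}")
    free = parse_free_bytes(SAMPLE_DIR_TOTALS)
    print(f"{len(rows)} bindings, ~{estimate_db_bytes(len(rows))} bytes on flash, "
          f"{free} bytes free, fits={flash_fits(len(rows), free)}")
```

Feed it the real command output from each access switch (the two samples above are constructed stand-ins) and the fleet-wide question in the first post reduces to checking flash_fits per box against the largest binding count that switch is expected to carry.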

4 Replies

"If we ignore the best practice to send the database file off the switch and instead store it in flash (I know flash is limited) and we have a failure of the switch thus losing the database file, won't the file get rebuilt when the switch is either powered back on or a new switch is installed - just like it got built when initially configured and activated?"

I have partially the same question as the topic starter: if we choose to enable DHCP snooping (with dynamic ARP inspection and source guard afterwards), will it be a problem to NOT store the snooping database somewhere (either on a remote server using tftp/ftp/scp/... or using flash)?

When the switch fails and reboots, or gets replaced, won't it just relearn its binding database?

Side question: where is this database (the output of 'show ip dhcp snooping binding') stored during the 'running phase' of the switch? In memory?

Hey,

Regarding your queries:

1. When the switch fails and reboots, or gets replaced, won't it just relearn its binding database? - It will relearn its binding database; however, it will take more time. When the database is available on a remote server it populates binding entries immediately after bootup.

2. Where is this database (the output of 'show ip dhcp snooping binding') stored during the 'running phase' of the switch? In memory? - DRAM, to be specific.

HTH.

Regards,

RS.

stayd
Level 1

Hi,

if I have a stack of 9300 with 2 or more switches and I configured something like this:
   ip dhcp snooping database flash:dsnoopdb

and then I checked how the file systems were modified after this configuration, I see the file created on the active member:

switch#dir flash:dsnoopdbf
Directory of flash:/dsnoopdb

409604 -rw- 47 XXX XX XXXX XX:XX:XX X0X:00 dsnoopdb

11353194496 bytes total (9493524480 bytes free)

but I do not see it on the standby member or any other members ...

switch#dir stby-flash:dsnoopdb
%Error opening flash-2:/dsnoopdb (No such file or directory)

so it takes me to the question: what can I expect after these situations?

1) manual switch-failover to the current standby member, or similarly the active member unexpectedly died, the standby becomes active and remains so

2) reboot of the stack where, through the election process, for any reason that member switch becomes active which was not active before the reload or power outage, while the box which was active and where I saw the db file stored in flash: is normally part of the stack but is not active, just standby or member (maybe the box was not powered on during the election process, for example ... or simply died and needs RMA)

How does Cisco handle this?
