
DHCP Snooping, DAI, IP source guard

Vinny
Level 1

Hello,

I'm asking this based on your experience.

How many of you use DHCP Snooping, DAI and IP source guard in your network? I want to make my network more secure and I was looking at this. When I was reading docs about this, everything seems wonderful, but I'm sure problems will occur as time goes on.

DHCP snooping seems pretty easy to configure, but DAI and IP source guard seem to be more difficult.

Considering that:

1. I have a lot of vlans
2. Several desktop subnets
3. Several server subnets
4. Some desktops use DHCP, some don't
5. VOIP vlan

So do you use this? DAI and IP source guard seem to use the DHCP snooping database. Will it make it difficult to use them if some desktops aren't using DHCP? It seems I'll have a lot of static entries to do for static IP desktops. I'm not sure I want to do this.

Do you use these options only in desktop vlans? Should I use it in the VOIP vlan? I'm sure you don't use this in server vlans because you're not using DHCP and doing static entries would be h-e-l-l.

So what are your recommendations about all this stuff?

Thanks


2 Replies

rfalconer.sffcu
Level 3

I enabled these on ~75 access switches at a recent refresh.

Only enable on vlans that use mostly DHCP. You can define which vlans participate and which don't.

Server subnets are generally static, so there shouldn't be any need to use it there.

VOIP shouldn't matter since that's typically all DHCP and I did use it for the voice vlans with no issue.

Trunks need to be trusted.

Instead of setting workstations to static addresses, you could set up reservations in DHCP for those machines. If they must stay static, it's going to be either static ARP entries or trusting the interfaces.

When you enable these features, anything that isn't compliant shows up very quickly in the logs. The detail is pretty good, so it's easy to see what the problem is and how to fix it. There are a lot of messages generated with violations and they arrive quickly. If you 'term mon', it can be hard to fix them because the screen is constantly showing the log messages. Two simultaneous sessions can be helpful so you can watch messages in one and fix things in the other.
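The approach in the reply above (snooping only on the DHCP-based vlans, trusted trunks, untrusted rate-limited access ports, and a static binding plus ARP ACL for the few hosts that must keep a static address rather than trusting the port) as a Cisco IOS configuration. This is an added example, not the poster's configuration; the VLAN numbers, interface names, database filename, MAC and IP addresses are assumed for illustration.

```cisco
! --- Global: DHCP snooping only on the DHCP desktop/voice vlans (assumed 10, 20, 30);
! --- the static server vlan (assumed 100) is deliberately left out
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
! Persist the binding table so DAI/IPSG bindings survive a reload (filename assumed)
ip dhcp snooping database flash:dhcp-snooping.db
! DAI on the same vlans, with extra sanity checks on the ARP packets
ip arp inspection vlan 10,20,30
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink trunk: must be trusted for both features
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- DHCP desktops with phones: untrusted, rate-limited, IP Source Guard enabled
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! --- One desktop that must stay static (assumed 192.0.2.50 / 0011.2233.4455 on Gi1/0/47):
! --- a static binding for IPSG and an ARP ACL for DAI instead of trusting the port
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/47
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface GigabitEthernet1/0/47
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! --- Verification after rollout (violations also arrive as %DHCP_SNOOPING and %SW_DAI log messages)
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
```

Roll this out on one switch with the logging sessions the reply describes before pushing it fleet-wide, since every non-compliant host on an untrusted port will be denied as soon as the vlan is enabled.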

Thanks!

I think you're right. The best thing would be to switch all subnets to DHCP with reserved addresses for workstations that need it.

I will look into this and plan this task.

Thanks again!
