DHCP Snooping Database Agent

anthonysgroi
Level 1

When is it necessary to use this (DHCP Snooping Database Agent)? We are looking at enabling DHCP snooping. We have WIN2k3 DHCP servers. I don't believe we need to.

I am following this document, thanks.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html#wp1109594

Accepted Solution

Hey Anthony,

My original response is still applicable as it is part of the minimal configuration for DHCP snooping. The database agent ensures that database entries are restored after a restart or switchover; you have to specify a place to store the binding database via the agent.

Now whether or not you can get away without using the command I'm not sure. I believe it's there for the reason stated earlier, i.e. restart/switchover. If it automatically stores the database in RAM, which I'm leaning towards, then if a reboot occurs you would lose all of your bindings. Something to lab and test, but I would recommend using the minimal configuration and specifying a place to store the binding database so that in the event of a reload you don't lose your DHCP bindings.

Under your link or the link I'm posting there's a section that says "Minimum DHCP Snooping Configuration"; you must do these steps at a minimum. There are also a few examples of where or how to use the agent to store the binding database.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html#wp1090479

HTH

Jonathan


4 Replies

Giuseppe Larosa
Hall of Fame

Hello Anthony,

My understanding is that this DHCP Snooping Database Agent provides a common reference for router/switch redundancy:

if the primary fails, the one that takes over needs to find an updated state of DHCP associations or it will deny access to legitimate users.

Because, to decide if a user is legitimate, the device should have seen the DHCP request, forwarded it to the DHCP server and registered the association of IP address and MAC address.

The router that has taken over the role later can get this info only from a third-party device: a file hosted somewhere.

So this can be useful if you have a classic campus design with a routed distribution and a L2 access layer and you want to be able to support redundancy and security features.

Hope to help

Giuseppe

jgreenwoodii
Level 1

Hey Anthony,

When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces and the database can have up to 8192 bindings.

The ip dhcp snooping database command is an agent used to store the actual binding database either to your flash/NVRAM or to a remote server such as a TFTP/FTP/RCP server, which you would preferably use rather than use up the limited storage capacity of your flash/NVRAM.

To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. Ultimately that decision is up to you, but recognize that when DHCP snooping is enabled the binding database will grow and where it's stored is up to you. The agent allows you to store the database to a suitable server.

HTH

Jonathan

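A minimal IOS configuration illustrating the agent Jonathan describes, added here as an example and not taken from any post or from the linked Cisco guide; the VLAN IDs, interface names and the TFTP server address/path are placeholders to be replaced with your own values:

```cisco
! Enable DHCP snooping globally and on the access VLANs (VLAN IDs are placeholders)
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default; leave it off unless the DHCP server is set up to accept it
no ip dhcp snooping information option
! Database agent: persist the binding table to a TFTP server (address and path are placeholders)
! so the bindings survive a reload instead of living only in RAM
ip dhcp snooping database tftp://192.0.2.10/dhcp-snooping-bindings.db
! Wait 60 s after a binding change before rewriting the file; abandon a write after 300 s
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 300
!
! Uplink towards the distribution layer (the path to the DHCP servers): the only trusted port
interface GigabitEthernet1/1
 description Uplink to distribution
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default), so server-side DHCP messages (OFFER/ACK) arriving
! from a rogue server on one of them are dropped; rate-limit client requests to blunt floods
interface range GigabitEthernet2/1 - 48
 switchport mode access
 ip dhcp snooping limit rate 15
!
! Verification commands (run from privileged EXEC):
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip dhcp snooping database
```

After a reload, `show ip dhcp snooping database` reports whether the agent read the file back, and `show ip dhcp snooping binding` should list the restored entries.
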
Thank you, I think I should have been more specific. All we want to accomplish is denying a rogue DHCP server. Is your comment still applicable? Where would the switch store this information?

