design guides for DHCP snooping and Dynamic ARP inspection for IOS?

wags
Level 1

Does anyone know/have links to design/engineering guides for DHCP snooping and Dynamic ARP inspection for IOS? I've found implementation guides which don't seem terribly in depth.

Environment is metropolitan/campus area network with over 1000 L2 switches from tiny single 3Ks, 3K and 9K stacks, and large 9K chassis and about 40 devices doing L3. The network is generally configured in core/distribution/access with plenty of the typical real life poor design, but dollar prudent, exceptions. The decision has been made that we will turn on snooping, which seems okay, and DAI, which seems like a can of worms.

I have a couple understanding and configuring guides. The guides generally say things like this is the default values and you can change them. Unfortunately they seem to tell you little about under what situation you would change defaults, and about the resources consumption and how to calculate impact of the default or altered settings. They have provided some good "food for thought", but don't seem terribly in depth on design considerations, especially what might bite you.

I anticipate that some of this will be platform and hardware specific. For example: I see this bug about dual supervisors: https://bst.cisco.com/quickview/bug/CSCvu59720 but I've not found a design guide on snooping and DAI for dual supervisors switches.

Also, what about design considerations for stacks? They kind of play like multiple supervisor machines.

Discussion and especially links appreciated.

10 Replies

marce1000
VIP

- FYI: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

M.


-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Marce1000, thanks, that is one of the guides I am alluding to when I say I have a couple of understanding and configuring guides. Decent guide, but could use something more in depth.

It's a hard task. I will give you some points here, and remember there are many limitations in snooping and DAI for each platform, so:

1- Run DHCP snooping and DAI only in the access switches; no need to run it on the core or distribution switches.

2- Some DHCP servers do not accept option 82, which by default is added when you run DHCP snooping, so disable adding option 82 in the access switches.

3- Servers, printers or any static-IP devices need a manual entry in the DHCP snooping table, otherwise DAI will drop traffic to these devices.

Good luck

MHM

Thanks MHM. 

We have the same opinions as you in our shop. But those real life exceptions I mention will require at least a couple VLANs being snooped and DAIed on the cores. You know, SCADA type things for the UPS and generator come to mind.

Option 82.  We have it off.  I read somewhere that it was one of the most confusing things Cisco ever added to IOS.  

If the device connected to the core has a static route and always connects to the same port, then there is no need for DHCP snooping and DAI; instead use only port security.

That's my opinion.

No need for complex config.

MHM

balaji.bandi
Hall of Fame

Looking at the use case, why not deploy 802.1x in the environment, to manage a large infrastructure easily using a centralised identity system.

Looking at your query on DHCP snooping and Dynamic ARP inspection: do you mean to say your DHCP server is on Cisco IOS? Looking at your deployment size, I would suggest having an external DHCP server of your choice (MS or Linux based suggested here).

DHCP Snooping gives a Cisco switch the ability to control where a DHCP Reply can come from. Any DHCP server traffic such as a Reply, ACK or NACK is only permitted from a trusted port. On untrusted ports, only DHCP Requests are permitted.

Like DHCP Snooping, DAI also utilizes the concept of trusted ports. On trusted ports, no ARP inspection is performed. By default on Cisco switches all the ports are considered untrusted; only trusted ports must be manually configured. Like DHCP Snooping, the trust boundary should lie at host-connected ports, therefore DAI should be enabled at the access layer. Trust should only be configured on links to other switches and the distribution layer.

BB

Balaji,
Thank you for your response.

-We've been on 802.1x for about a decade. DHCP snooping and DAI are happening, even if we're not thrilled with DAI.
-Our DHCP is server based, not IOS based.

-We understand the basic concept of snooping and DAI and the associated trusted interfaces. We're looking for more in-depth design considerations in general and more specifically:
+How to tune ARP rate limits in the presence of (sounds like Titanium) endpoint products that apparently spew ARP requests looking to discover endpoints on the subnet? What are the implications of the default PPS and of changing the default?
+Keeping the snooping DB backup in flash vs offloaded (using the insecure TFTP and FTP methods offered)?
+Dual supervisor implications, especially if keeping the snooping DB backup locally on flash, or not backing it up at all?

+How to tune ARP rate limits in the presence of (sounds like Titanium) endpoint products that apparently spew ARP requests looking to discover endpoints on the subnet? What are the implications of the default PPS and of changing the default?

I checked this point yesterday.

PPS by default is 15 on untrusted ports, and that is good; don't change it.

For trusted ports there is no limit.

MHM
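To make the points from MHM's replies (access-layer only, option 82 off, static bindings for static-IP hosts, keep the 15 pps default on untrusted ports, back the binding DB up over SCP rather than TFTP) and balaji.bandi's trust-boundary explanation concrete, here is an added config audit written for this thread; it is not Cisco's code or any poster's. It runs over a constructed IOS-style access-switch config; the convention that interface descriptions containing "uplink", "distribution" or "core" mark uplinks and "static" marks static-IP hosts is an assumption, as is the scp: database target MHM suggests, which you should confirm your platform's database agent supports.

```python
import re

# Constructed access-switch config (assumed sample, not from the thread). Two deliberate mistakes: Gi1/0/12 is a host port marked trusted, and Gi1/0/8 is a static-IP host with no binding.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
ip dhcp snooping database scp://backup@10.0.0.5/sw1-snoop.db
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
 description badge-reader-static
interface GigabitEthernet1/0/12
 description user-port
 ip dhcp snooping trust
 ip arp inspection trust
interface TenGigabitEthernet1/1/1
 description uplink-to-distribution
 ip dhcp snooping trust
 ip arp inspection trust
"""
UPLINK = re.compile(r"uplink|distribution|core", re.I)  # assumed description convention

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):
            ifaces[cur].append(line.strip())
    return ifaces

def audit(config):
    """Check the thread's design points; return a list of finding strings."""
    findings = []
    if "no ip dhcp snooping information option" not in config:
        findings.append("option 82 insertion is on; disable it unless the DHCP server accepts it")
    if not re.search(r"^ip dhcp snooping database (scp|ftp|flash)", config, re.M):
        findings.append("snooping database backup missing or on TFTP; back it up to a server over SCP")
    for name, lines in parse_interfaces(config).items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        trusted = "ip arp inspection trust" in lines or "ip dhcp snooping trust" in lines
        if trusted and not UPLINK.search(desc):
            findings.append(f"{name}: trusted but not an uplink; DAI and snooping are bypassed")
        if "static" in desc and not re.search(rf"^ip source binding .* interface {re.escape(name)}$", config, re.M):
            findings.append(f"{name}: static-IP host without ip source binding; DAI will drop its ARP")
        if not trusted and any(l.startswith("ip arp inspection limit rate") for l in lines):
            findings.append(f"{name}: ARP rate limit changed from the default 15 pps on an untrusted port")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the two planted mistakes and nothing else; feed it a `show running-config` capture to check a real access switch against the same points.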

wags
Level 1

For others who may drop in on this thread because of similar questions, the most complete data we've recently found is for the cat 9300, IOS 17.6x here. However, it still seems to leave questions about dual sups and binding backups on flash, since TFTP is an ultimate security concern and FTP is only marginally better. Sorry, had the wrong URL.

I checked this point also; Cisco recommends keeping a backup on a server. If you see TFTP is not secure, try using SCP.

MHM
