DHCP snooping and the snooping database.

DHCP Snooping best practice states to store the snooping database remotely in case of a catastrophic failure of the access switch.

We are getting ready to implement L2 security on our access switches (about 100 of them) and it seems that if we have each switch send its snooping database to a remote server we would have an administrative headache with all the files that are sent to the remote server. So my questions are:

If we ignore the best practice to send the database file off the switch and instead store it in flash (I know flash is limited) and we have a failure of the switch thus losing the database file, won't the file get rebuilt when the switch is either powered back on or a new switch is installed - just like it got built when initially configured and activated?

If that is the case, then is the possibility of running out of flash memory the only reason to store the file off switch?

ACCEPTED SOLUTION

Cisco Employee

Hey,

You may store the information in flash and yes, it would survive the reboot just like the start-up configuration file; however, the term catastrophic failure points towards inaccessible flash or the switch not powering up, and in such cases the snooping binding database will be lost.

Regarding your other concern, indeed running out of flash memory is one of the reasons, as it is a limited space; and I believe every snooping entry contains 72 bytes of data, so I will leave this to your judgement as you are the best person to know how many DHCP entries will be on every box.

HTH.

Regards,

RS.
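The two storage options discussed in this answer, written out as an added Cisco IOS configuration example for one access switch (this is not configuration from the original post or from Cisco's documentation); the VLAN numbers, interface names, server address and file names are assumed placeholders:

```cisco
! Added example, not from the thread. VLANs, interfaces, server address and
! file names are placeholders; adjust to the site.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Option A: keep the binding database on the switch's own flash.
! Survives a reboot, but is lost with the switch if flash is inaccessible
! or the box is replaced (the "catastrophic failure" case above).
ip dhcp snooping database flash:dhcp-snooping.db
!
! Option B (the best practice the question refers to): write the database
! to a remote server instead. Only one database URL is active at a time,
! so this line is shown commented out; one file per switch, named after
! the hostname, keeps the files from ~100 switches apart on the server.
! ip dhcp snooping database tftp://192.0.2.10/dhcp-snoop/ACCESS-SW-01.db
!
! Wait this many seconds after a binding change before rewriting the file,
! so a burst of new leases does not turn into one write per entry.
ip dhcp snooping database write-delay 300
! Abort a read or write of the file that takes longer than this.
ip dhcp snooping database timeout 300
!
interface GigabitEthernet1/0/48
 description Uplink to distribution (DHCP server is behind it)
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 47
 description Access ports, untrusted by default
 ip dhcp snooping limit rate 15
!
! Verification after enabling either option:
!   show ip dhcp snooping binding    - the table held in DRAM while running
!   show ip dhcp snooping database   - agent URL, timers, last succeeded /
!                                      last failed write
```

`show ip dhcp snooping database` is the check to run after the change: it reports the agent URL, the write delay and abort timers, and whether the last write succeeded. At the 72 bytes per entry quoted in this answer, 1,000 bindings come to roughly 72 KB of file, which is the number to set against free space on flash. Whichever option is chosen, dynamic ARP inspection and IP source guard consult this same binding table, so a switch that comes up with an empty table will drop traffic from connected hosts until they renew their lease and the binding is relearned; restoring the file from the configured URL at boot is what closes that window.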

3 REPLIES

"If we ignore the best practice to send the database file off the switch and instead store it in flash (I know flash is limited) and we have a failure of the switch thus losing the database file, won't the file get rebuilt when the switch is either powered back on or a new switch is installed - just like it got built when initially configured and activated?"

I have partially the same question as the topic starter: if we choose to enable DHCP snooping (with dynamic ARP inspection and source guard afterwards), will it be a problem to NOT store the snooping database somewhere (either on a remote server using tftp/ftp/scp/... or using flash)?

When the switch fails and reboots, or gets replaced, won't it just relearn its binding database?

Side question: where is this database (the output of 'show ip dhcp snooping binding') stored during the 'running phase' of the switch? In memory?

Hey,

Regarding your queries:

1. When the switch fails and reboots, or gets replaced, won't it just relearn its binding database? - It will relearn its binding database; however, it will take more time than when the database is available on a remote server, as in that case the switch populates the binding entries immediately after bootup.

2. Where is this database (the output of 'show ip dhcp snooping binding') stored during the 'running phase' of the switch? In memory? - DRAM, to be specific.

HTH.

Regards,

RS.
