01-25-2014 06:37 AM - edited 03-07-2019 05:47 PM
All,
If I had a dhcp database on a server and configured on the switch as a tftp location, what would the outcome be if one person on switch 1 moved to another jack on switch 3? Both ports that the user connects to on each switch are configured as untrusted. Technically, the user would have an entry in the database for switch 1: port number. Will that user be able to pass traffic through switch 3 when connected to it? I'm thinking no, unless the dhcp database allows for multiple entries for the same mac/ip address. I'm thinking more along the lines of a user leaving their office and then making a connection to a conference room. I don't want to trust all of these ports if not needed.
Also, how do you handle your dhcp database? Do you use a tftp server or flash? I was going to use flash, but the databases can't (possibly) be shared between switches outside of setting up a tftp server on one of them. Do you use external databases and how well do they work?
Thanks!
John
01-25-2014 12:30 PM
I noticed that the dhcp binding is still listed in the switch even though it writes the binding to the database at the server.
Right, the binding file on the server is only kind of a backup which will be loaded by the switch after a switch-reload.
I wonder what happens if the server becomes unavailable for some reason.
If I remember correctly, the switch will generate a syslog-message to inform about such conditions.
As long as the switch doesn't reload, no problem at all. And as long as you don't enable DAI and/or IPSG I wouldn't even expect any problem after a reload. To my best knowledge, missing entries in the binding table shouldn't have any impact for clients on untrusted interfaces if you only enabled dhcp snooping.
So I guess you can relax for the rest of the weekend ;-)
HTH
Rolf
01-25-2014 09:29 AM
John,
from my understanding, storing the dhcp snooping database on a server or the switch's flash is particularly important when you want to use additional security features which use the dhcp binding table as well, like DAI or IP Source Guard.
As dhcp snooping only prevents clients from acknowledging dhcp discovers/requests (like a DHCP server would do) and (optionally) DHCP starvation attacks, the existence or absence of an entry in the snooping binding table wouldn't have any impact for normal client operation.
We used a tftp-server (CiscoWorks LMS, can't remember any problem) for the binding-table a couple of years ago because we also used DAI and IP Source Guard at that time and those features wouldn't allow client-operation without a binding table (e.g. after the reload of a switch).
Since we no longer use DAI /IPSG, we don't store the binding table any more.
HTH
Rolf
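As an added example (not code from this thread or from Cisco), here is a small Python script that parses constructed "show ip dhcp snooping binding" output from two access switches and reports a client whose MAC/IP is bound on both, which is the office-to-conference-room move asked about above. The switch names, MACs, addresses and interfaces are made up; the point is that the older binding is stale, which only matters once DAI or IPSG consult the table.

```python
import re
from collections import defaultdict

# Constructed sample output (not real data) from two switches: the same client
# is bound on switch1 Gi1/0/5 (office jack) and switch3 Gi1/0/12 (conference room).
SHOW_BINDING = {
    "switch1": """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.10.10.50      85000       dhcp-snooping   10   GigabitEthernet1/0/5
00:11:22:33:44:66   10.10.10.51      60000       dhcp-snooping   10   GigabitEthernet1/0/6
Total number of bindings: 2
""",
    "switch3": """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.10.10.50      86300       dhcp-snooping   10   GigabitEthernet1/0/12
Total number of bindings: 1
""",
}

# One binding row: MAC, IP, remaining lease seconds, type, VLAN, interface.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<lease>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$"
)

def parse_bindings(text):
    """Return binding rows as dicts; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["lease"] = int(row["lease"])
            row["vlan"] = int(row["vlan"])
            rows.append(row)
    return rows

def find_moved_clients(tables):
    """Map (mac, ip) -> [(switch, interface, lease)] for clients bound on more than
    one switch, newest lease first. With snooping alone the stale entry is harmless;
    with DAI/IPSG only the port holding the current binding will pass traffic."""
    seen = defaultdict(list)
    for switch, text in tables.items():
        for row in parse_bindings(text):
            seen[(row["mac"], row["ip"])].append((switch, row["intf"], row["lease"]))
    return {k: sorted(v, key=lambda t: -t[2]) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (mac, ip), places in find_moved_clients(SHOW_BINDING).items():
        current, *stale = places
        print(f"{mac}/{ip}: current on {current[0]} {current[1]}, stale on {stale}")
```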
01-25-2014 11:49 AM
Thanks Rolf. Yeah, I ended up configuring an scp server with Solarwinds and was able to finally get bindings. I have a few concerns for Monday though when people start coming in. I noticed that the dhcp binding is still listed in the switch even though it writes the binding to the database at the server. I wonder what happens if the server becomes unavailable for some reason. I suspect that it will be okay since the bindings are also showing up in the switch.
John
01-25-2014 12:33 PM
Thanks Rolf
John