I am implementing some security features on our Cisco 2960 access switches and I am wondering if it is possible to share DHCP snooping database among multiple switches. I know that these switches store the DHCP snooping database primarily in their DRAM and use any remote database only when there is a need to relearn the entries - i.e. switch reboot. However, is there any way how to do it e.g. by storing the DHCP snooping bindings in a remote location and forcing the switches to read from the same file?
We would like to implement such a solution to allow wireless users roam from one access-point to another one, and effectively to another switch. If the users remain connected to access-points connected to the same switch, there is no problem as the switch will know their DHCP bindings and other features - e.g. IP source guard and dynamic ARP inspection will be able to use it. However, if the user walks to another floor and get's connected to another AP (while keeping the same IP/MAC), this functionality gets broken. Just for the record, we are using standalone Cisco APs, no centralized WLC. I would appreciate if you could share any ideas how to best approach this.
Thank you in advance!
I think the only solution is to go with Thin AP's coupled to a WLC Controller, or disable the dhcp snooping only for the wireless users vlan.
For the thin AP's working with a WLC controller, your users traffic would ha ve been encapsulated to the controller via the CAPWAP tunnel, and the WLC acts as a DHCP relay, so there is no DHCP Snooping issue. The WLC automaticaly manage the MAC address-IP address associations.
Hope this help,
Thank you for your comment! You're right, WLC would be the way to go, but that is not being planned at the moment. We have additional user authentication for the wireless network, so there should be at least some protection. Another solution would be connecting all the APs to the same switch. However, this is not feasible from the redundancy perspective.