DHCP Snooping Questions

pjbarnhill
Level 4

Hello,

I am looking into deploying DHCP Snooping along with IP Source Guard and Dynamic ARP Inspection across our access switches later this year as part of a project to improve overall network security. I have successfully been running this in our test site with no issues, but I have some questions that are hard to test with only a few devices connected. For reference, most of our switches are 3750s in stacks of 5 or more.

  • How much of an impact do these features have on the CPU load?
  • If the stack master goes down, what happens to the DHCP binding database? Will all devices lose connectivity until they renew their leases to build a new table?
  • Part of the documentation refers to the database agent to store the binding database somewhere. What is the advantage of doing this? I know it says the switch will copy the database back from wherever it's stored if it reboots, but won't it just rebuild the database anyway as the devices renew their IPs as the switch comes back up?
  • If the stack master going down will cause a problem, will having the database agent allow the new master to read the database from somewhere, thus alleviating any problems?


Thanks for any information you can provide

4 Replies

pjbarnhill
Level 4

Any ideas at all?

Hello,

I can try to provide some of the answers but please take this all to be just my personal opinion on the stuff.

How much of an impact do these features have on the CPU load?

I would say that this depends strongly on the number of DHCP and ARP messages but I would personally guess that in a network with a reasonable number of these messages being generated, the impact is negligible. The IP Source Guard is, in my personal opinion, a hardware-assisted feature (similar to port security) and thus does not affect the CPU operation at all.

If the stack master goes down, what happens to the DHCP binding database? Will all devices lose connectivity until they renew their leases to build a new table?

Yes, I believe you are correct. As the DHCP binding database is maintained on the stack master (according to the documentation), the loss of the stack master will probably result in the existing bindings aging out. The new stack master will then start building the DHCP snooping database from scratch, using the newly received DHCP messages. Because the DAI and IPSG features depend on the DHCP snooping database contents, this failover process may impact the connectivity in the network until the DHCP snooping database is fully established again.

Part of the documentation refers to the database agent to store the binding database somewhere. What is the advantage of doing this? I know it says the switch will copy the database back from wherever it's stored if it reboots, but won't it just rebuild the database anyway as the devices renew their IPs as the switch comes back up?

Well, that is true but it assumes that the stations actually discover the reload of the switch and initiate the DHCP renewal process as a result. Both assumptions may be wrong - the DHCP snooping may actually be activated on a switch farther from the stations, having yet another switch downstream onto which the individual stations are connected. The reload of your switch won't be noticed by the stations. And also, there may be situations when the station notices the link down/up transition but still won't, for whatever reasons, renew its DHCP lease. For all these situations, the storage of the DHCP database may be very useful.

If the stack master going down will cause a problem, will having the database agent allow the new master to read the database from somewhere, thus alleviating any problems?

I certainly believe so. The new master switch should sync its DHCP snooping database using the stored copy. After all, if you have two 3750s free to test, such an experiment should be very easy to make.

Best regards,

Peter

I had a chance to experiment with this today. I connected several devices to the second switch in a stack and essentially pulled the plug on the master causing the second switch to take over. I was very surprised when my DHCP Snooping and IP Source Guard tables were still intact. None of my devices lost connectivity or renewed their IP addresses. I'll perform some more tests to make sure, but it looks like this information is carried over when the master switch fails. Note, I was not using the DHCP Snooping database agent at the time.
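
As an added example (not code from this thread or from Cisco), here is a small Python check for repeating the failover experiment above on more devices: it parses two `show ip dhcp snooping binding` snapshots, one taken before the stack master is pulled and one after the new master takes over, and reports any binding that was lost or whose IP, VLAN or port changed. The switch output below is constructed, not captured from a real stack.

```python
import re

# One data row of `show ip dhcp snooping binding` on a 3750-style IOS switch.
_ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<lease>\d+|infinite)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)

def parse_bindings(output):
    """Map MAC -> (ip, vlan, interface) from the show command's text output."""
    table = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:  # header, separator and 'Total number of bindings' lines are skipped
            table[m["mac"].lower()] = (m["ip"], int(m["vlan"]), m["iface"])
    return table

def diff_bindings(before, after):
    """Compare snapshots taken before and after a stack-master failover.
    Lease seconds are ignored on purpose (they count down normally); any entry that
    vanished, appeared or moved IP/VLAN/port matters, because DAI and IPSG will drop
    traffic for a host whose binding is missing or wrong."""
    lost = sorted(set(before) - set(after))
    new = sorted(set(after) - set(before))
    changed = {mac: (before[mac], after[mac])
               for mac in set(before) & set(after) if before[mac] != after[mac]}
    return {"lost": lost, "new": new, "changed": changed}

# Constructed sample output (not captured from a real switch). The 'after'
# snapshot deliberately drops one host to show what a lost binding looks like.
BEFORE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:01   10.10.10.11      86210       dhcp-snooping  10    GigabitEthernet2/0/1
00:11:22:33:44:02   10.10.10.12      85900       dhcp-snooping  10    GigabitEthernet2/0/2
00:11:22:33:44:03   10.10.10.13      80000       dhcp-snooping  10    GigabitEthernet2/0/3
Total number of bindings: 3
"""
AFTER = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:01   10.10.10.11      86150       dhcp-snooping  10    GigabitEthernet2/0/1
00:11:22:33:44:02   10.10.10.12      85840       dhcp-snooping  10    GigabitEthernet2/0/2
Total number of bindings: 2
"""

def failover_report():
    """Diff the two constructed snapshots; on a real stack, paste in your own."""
    return diff_bindings(parse_bindings(BEFORE), parse_bindings(AFTER))
```

Run `print(failover_report())`; an empty `lost` and `changed` after the master is pulled confirms the bindings survived the failover, which is what you would want to see before relying on IPSG and DAI in production.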

Hello,

Wonderful! Thank you so much for sharing your experience! I, sadly, do not have a possibility of playing with 3750 stacks so in this case, I am left with my common sense - and with people willing to devote their time to make the experiments and share the results.

Thanks again!

Best regards,

Peter
