Facebook Forum - Catalyst Security (DHCP Snooping, DAI, IP source guard)

ciscomoderator (Community Manager)

Live chat with Cisco expert, Judhajit Ghosh on Catalyst Security (DHCP Snooping, DAI, IP source guard)

June 19th, 2012


Here's an opportunity to make your network secure by learning about Catalyst Security: DHCP Snooping, DAI, IP source guard. DHCP snooping is a feature that provides network security by filtering untrusted DHCP messages.

It is designed to keep networks safe from rogue DHCP servers, thus preventing any security threat in a DHCP environment.

Dynamic ARP inspection is a feature that ensures that only valid ARP requests and replies are relayed.

IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.


Our expert, Judhajit is an engineer at Cisco who specializes in LAN Switching and has certifications in CCNA and CCNP(BCMSN).

Date: June 19

6:00 AM EDT (New York; UTC -5 hrs)

8:00 PM EST (Sydney; UTC +10 hrs)

12:00 PM CEST (Berlin; UTC +1 hr)

3:30 PM IST (India; UTC +5 hrs)


What is Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. They give you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.

How do I participate?

On the day of the event, go to our Facebook page http://www.facebook.com/CiscoSupportCommunity


ciscomoderator (Community Manager)

Summary of the live Facebook forum on Catalyst Security (DHCP Snooping, DAI, IP source guard)

Cisco Online Support Community

We have our first question: Are these three, DHCP Snooping, DAI and IPSG, related in any way?

Judhajit Ghosh

Glad that you asked. The answer is yes. All three are Layer 2 security features and are interrelated. For example, Dynamic ARP Inspection will inspect and validate ARP packets based on the DHCP snooping binding table. DAI will discard ARP packets with invalid IP-to-MAC address bindings, and will generate a log message on the switch.

Some introduction to these:

DHCP snooping is a feature that provides network security by filtering untrusted DHCP messages.

It is designed to keep networks safe from rogue DHCP servers, thus preventing any security threat in a DHCP environment.

Dynamic ARP inspection is a feature that ensures that only valid ARP requests and replies are relayed

IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.

Cisco Online Support Community

Judhajit, here comes the second question from another user: What is the ARP packet rate limiting in this context?

Judhajit Ghosh

The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. One has to realize that there is a 15 pps limit for ARP on any DAI untrusted interface, which if exceeded will move the port to err-disable. Then we can use the command "errdisable recovery cause arp-inspection interval 30" to have a port automatically recover after 30 seconds when this occurs. Hope that answers the question.

Cisco Online Support Community

Is IP Source guard supported on 6500 switches?

Judhajit Ghosh

Glad that you asked. Yes, they are, but with limitations. IP source guard is supported on PFC 3 or later versions with Release 12.2(33)SXH and later releases.

Tejbir Batth

In DHCP snooping, will the snooping database be only on the switches where hosts are connected, or would it also be seen on intermediate switches through which requests passed?

Judhajit Ghosh

The snooping database / binding table will be formed on the switch which is directly connected to the hosts, provided that snooping is enabled. :-D Hope that clarifies.

Cisco Online Support Community

Can I find the rogue DHCP server after enabling these features?

Judhajit Ghosh

No. These features are there to prevent the rogue machines from becoming the DHCP server. So, you need to know where your legitimate DHCP server is and trust only the path towards it.

Cisco Online Support Community

Is there any limitation of the binding table?

Judhajit Ghosh

The DHCP snooping database/ binding table stores max. 8,000 bindings

Cisco Online Support Community

My DHCP is working but not DHCP snooping. What are the things I can check?

Judhajit Ghosh

Good question. Here are some checks you can do..

> Have you enabled DHCP snooping globally?

> Have you enabled DHCP snooping for the concerned VLANs?

> Have you trusted the correct interfaces?

The above are three basic checks you can do. All of the above information can be found in one command's output (show ip dhcp snooping).

There are other debugs as well, like "debug ip dhcp snooping packets/events", which might give you additional information, but any debug command has to be handled carefully as it might be CPU intensive.

Cisco Online Support Community

Will all CAT6K and CAT4K device support these features?

Judhajit Ghosh

As far as I remember, all will, except Cat4000 running CatOS. Cat4000 Sup 1 & 2 only support CatOS, while any greater Sup engine like Sup 2+, 3, 4, 5 will support IOS. Adding to that, any XL switch does not support these features.

Cisco Online Support Community

We have a user asking this question: Could you please tell me about the database agent?

Judhajit Ghosh

The database agent is for the safety of the binding table. Because other features use the DHCP snooping database, it is a good idea to offload it to a remote server on your network. This allows the database to be recovered after a power failure. Without this agent, the bindings established by DHCP snooping are lost upon reload, and connectivity is lost as well. The database agent stores the bindings in a file at a configured location.

To enable the Database Agent:

ip dhcp snooping database {ftp:// | tftp:// | rcp:// | flash: | http://}

Judhajit Ghosh

For a detailed understanding of these features on the 6500 platform you can refer to the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/dhcp_snooping.html

The features and the commands remain more or less the same on all platforms.

For more questions and answers on this topic, please visit the live forum at

https://supportforums.cisco.com/thread/2155254

To visit the actual forum that took place on Facebook visit here:

https://www.facebook.com/CiscoSupportCommunity/posts/276354552463649
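Pulling the three configuration checks, the DAI rate limit with err-disable recovery, and the database agent from the answers above into one Catalyst IOS running configuration. This is an added example written for this summary; it is not taken from the forum transcript or from Cisco's documentation. VLANs 10 and 20, the interface names, and the TFTP server address 192.0.2.10 are assumptions; the access-port `ip verify source` form shown is the one used on fixed-configuration Catalyst switches, and the Catalyst 6500 keyword form differs (see the guide linked above).

```cisco
! Global: enable DHCP snooping and scope it to the access VLANs (10 and 20 are assumed)
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Database agent: persist the binding table off-box so it survives a reload
! (192.0.2.10 is a placeholder TFTP server address)
ip dhcp snooping database tftp://192.0.2.10/dhcp-snoop.db
!
! Dynamic ARP Inspection for the same VLANs, checking ARP bodies against the binding table
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Automatic recovery of ports err-disabled by the DAI rate limit
! (the recovery cause and the interval are two configuration lines)
errdisable recovery cause arp-inspection
errdisable recovery interval 30
!
! Uplink toward the legitimate DHCP server: the only trusted path
interface GigabitEthernet1/0/1
 description uplink-to-dhcp-server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port: untrusted by default; explicit 15 pps DAI limit and IP source guard
interface GigabitEthernet1/0/2
 description user-access
 switchport access vlan 10
 ip arp inspection limit rate 15
 ip verify source
!
! Verification from exec mode: the three checks from the Q&A appear in one output,
! then the learned bindings and the per-VLAN DAI state
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
```

Only the uplink is trusted, which matches the advice above about trusting the path to the legitimate server and nothing else; every access port stays untrusted, so a DHCP offer or an ARP reply that does not match the binding table is dropped there and logged.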
