586 Views · 5 Helpful · 2 Replies

How to solve roaming issue by using DHCP snooping and IPSG on distribution switch?

zexinfinite
Level 1

Hi all,

 

I've applied DHCP snooping and IPSG on a distribution switch, and I ran into a roaming issue when a user keeps the same IP address across different access switches: IPSG then flags the IP address as illegal because it is coming from a different access switch.

 

May I know how to solve this roaming issue with DHCP snooping and IPSG?

 

Accepted Solution

Peter Paluch
Cisco Employee

Hello,

I am afraid there is no quick solution to this. DHCP Snooping, and all mechanisms on top of it (Dynamic ARP Inspection, IP Source Guard), are intended to be used on access layer switches, not up on the distribution or core layer. Once the access to the network has been sanitized right at the first access switch that directly connects to the client, there is no need to run these mechanisms on the distribution or core layer in the network. Also note that running these mechanisms on a distribution switch rather than the access switches diminishes their effectiveness, as the traffic that enters the access switches and can go out through other ports on the same access switches is not protected at all, and the users there can still wreak havoc with DHCP, ARP, or IP address stealing.

I am sorry to come with a "not possible" type of answer, but ultimately, we have to respect that all these protection mechanisms were designed to protect the network access edge by being applied to access layer switches; trying to apply them on a different layer of switches is stretching their applicability to areas where they were never designed to work.

Best regards,
Peter
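As an added illustration of the placement Peter describes, the configuration below puts DHCP snooping, DAI and IP Source Guard on an access switch, with the uplink towards the distribution switch trusted and the client-facing ports untrusted. This is example configuration written for this thread, not configuration from the original post; the VLAN number and interface names are assumed.

```cisco
! Added example, not from the original post: DHCP snooping, DAI and IPSG
! applied on an ACCESS switch, the layer these features were designed for.
! VLAN 10 and the interface names are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is disabled unless the DHCP server expects it
no ip dhcp snooping information option
! DAI validates ARP packets against the snooping binding table built above
ip arp inspection vlan 10
!
! Uplink towards the distribution switch: trusted for DHCP and ARP,
! because legitimate DHCP server replies arrive from this direction.
interface GigabitEthernet1/0/48
 description UPLINK-TO-DISTRIBUTION
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client-facing ports: untrusted (the default), rate-limited for DHCP,
! with IP Source Guard filtering source IP against the binding table.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip verify source
!
! Verification commands:
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection vlan 10
```

With enforcement at this layer the binding table is built per access switch, so a client that moves to another access switch is admitted there once it completes a DHCP exchange on its new port (most client stacks re-request an address on link up). The distribution switch carries no IPSG bindings tied to its uplink ports, so the roaming drop described in the question does not occur there.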


2 Replies

Austin Sabio
Level 4

I think the answer is to find a centralized system that has the ability to make such intelligent decisions in regards to the DHCP snooping database (shared or local) for the entire network. Thinking about ISE and the DHCP snooping tracking feature; not sure if it's possible.

 

-Austin