need advice on DHCP snooping on 3750 and 2960 switches

Difan Zhao
Level 5

Hi experts,

After two days straight in the lab I think I have figured out how DHCP snooping works. I'm about to implement it at customer networks, but before that I need advice from you guys:

1. How much impact it will have on the switch CPU and RAM? How many binding entries can 2960 or 3750 store in the RAM? I only use it to prevent rogue DHCP servers. I'm not using source verify/check.

2. It looks like if the DHCP request is from a trusted port then there won't be binding entry. Is that normal?

3. If you have two or more layers of switches, do you make only the uplink port the trusted port or you also make the downlink port the trusted port? The uplink is the port on the access switch going to the core. The downlink port is the port on the Core going down to the access switch. I can make all the trunk ports (uplink and downlink) trusted port and it will still prevent the rogue DHCP server. However, as in the question#2, I won't see all the bindings on the core because the requests are coming in on trusted ports... So if you have a way to enable binding even when the request is from a trusted port, then it will be perfect.

BTW we have DHCP server on every VLAN so we don't do relay.

Thanks,

3 Replies

Jayakrishna Mada
Cisco Employee

Hi,

1. How much impact it will have on the switch CPU and RAM? How many binding entries can 2960 or 3750 store in the RAM? I only use it to prevent rogue DHCP servers. I'm not using source verify/check.

[JK] CPU and RAM should not be overloaded that much with snooping. The only time the CPU will go high is if you have lots of users requesting DHCP addresses at the same time.

Up to 64k entries are allowed and each entry takes about 74 bytes, so approximately 15MB of memory will be used for 64k entries.

2. It looks like if the DHCP request is from a trusted port then there won't be binding entry. Is that normal?

[JK] The switch should be creating a DHCP binding entry when it sees a DHCPACK packet coming from the trusted port. If you are seeing a client getting an IP from the DHCP server which is on a trusted port, you should see a binding entry.

3. If you have two or more layers of switches, do you make only the uplink port the trusted port or you also make the downlink port the trusted port? The uplink is the port on the access switch going to the core. The downlink port is the port on the Core going down to the access switch. I can make all the trunk ports (uplink and downlink) trusted port and it will still prevent the rogue DHCP server. However, as in the question#2, I won't see all the bindings on the core because the requests are coming in on trusted ports... So if you have a way to enable binding even when the request is from a trusted port, then it will be perfect.

[JK] Trust is configured only on the uplink ports and not on the downlink ports. Are you enabling DHCP snooping on all the switches in the network or only on the access-layer switches?

Hope that helps.

JayaKrishna

Mada,

Thanks for the reply! Kind of surprised how you managed to dig this post out lol

1. Got it!

2. Are you sure?? I tried again and I still don't see bindings on the trusted ports... I'm running newest 12.2(55) firmware on my 3750 switch.

3. Yes, you are absolutely right; however, at some customer sites, due to lack of cabling, we have to daisy chain some access switches and also create a loop for redundancy, so both the first and the last switch each has an uplink to Core. With SPT we make some VLAN traffic go through one path and the rest through another path. That being said, the Uplinks are Downlinks as well lol. I also don't see that you can configure "trusted ports" on a per-VLAN basis...

Anyway so my only concern is about question#2... Can you double check it for me?? My config is really simple:

ip dhcp snooping vlan 100,601,652-653
no ip dhcp snooping information option
ip dhcp snooping
interface
 ip dhcp snooping trust
interface
 ip dhcp snooping trust

Thank you!

Difan
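An added example, not posted by either participant: a small Python audit that parses a constructed IOS-style running-config (the interface names are hypothetical) and applies the rule from the first reply, trust only on uplinks. It reports access ports that were trusted (a rogue DHCP server there would be accepted) and uplinks left untrusted (the real server's offers would be dropped), and checks which VLANs snooping actually covers.

```python
# Constructed running-config excerpt; interface names are hypothetical, not from the thread.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 100,601,652-653
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 switchport access vlan 100
 ip dhcp snooping trust
!
"""

def parse_snooping(config):
    """Return (global snooping enabled, snooped VLAN ids, trusted interface names)."""
    enabled, vlans, trusted, iface = False, set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split(None, 1)[1]          # enter interface sub-mode
        elif raw.startswith("!"):
            iface = None                            # back to global config
        elif iface and line == "ip dhcp snooping trust":
            trusted.add(iface)
        elif iface is None and line == "ip dhcp snooping":
            enabled = True
        elif iface is None and line.startswith("ip dhcp snooping vlan "):
            for part in line.split(None, 4)[4].split(","):
                lo, _, hi = part.partition("-")     # expand ranges like 652-653
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return enabled, vlans, trusted

def audit(config, uplinks):
    """Trust belongs on uplinks only: a trusted access port lets a rogue DHCP server
    answer clients, and an untrusted uplink drops the real server's offers."""
    enabled, vlans, trusted = parse_snooping(config)
    return {
        "global_enabled": enabled,
        "vlans": vlans,
        "trusted_non_uplinks": sorted(trusted - set(uplinks)),
        "untrusted_uplinks": sorted(set(uplinks) - trusted),
    }
```

Run `audit(SAMPLE_CONFIG, ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"])` against the sample to see the trusted user port and the untrusted redundant uplink both flagged.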

Hi Difan,

When you say DHCP request, I am assuming a DHCP client requesting a DHCP address which is coming in on a trusted port. In this case the switch may or may not form the binding, depending upon whether it's seeing the rest of the DHCP packets, especially the DHCP ACK. Since the server and the client are located towards the trusted port of the switch that you are on, this switch might not see the complete DHCP transaction.

Hope that helps.

JayaKrishna
