Questions about DHCP snooping

sergeymolchanov
Level 1

Hello!

I have some questions about ip dhcp snooping:

1) limit-rate option. If I understand correctly, this option is good for access user ports, which are untrusted. The Cisco article http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/31sg/configuration/guide/conf/dhcp.html says: "The recommended rate limit for each untrusted client is 15 packets per second". If a PC connects to an untrusted access port via an IP phone, should I double this rate (30)?

What is the best practice for this setting? Which rate on access user ports? On trunk ports?

2) Agent database. Is this option really needed? In articles on the internet, people do not configure this option when configuring snooping. The description of this option is: lower CPU utilization; if the switch crashes or reloads, all entries / lease info are lost. Please share your experience of whether it is worth setting up this option.

3) Action when the limit-rate is exceeded: shut down the port with err-disable status. That's OK.

Action when snooping detects a DHCP reply on an untrusted port. If I understand correctly, there is no choice of action (shut down the port or drop the packet)?

2 Replies

dukenuk96
Level 3

Hi

1. The DHCP process finishes in 4 packets: Discover -> Offer -> Request -> Acknowledge. So even if you have a PC + IP Phone, 15 packets per second is more than enough; actually 8 pps would be enough: 4 for the PC and 4 for the IP Phone.
I would not configure this on trunk ports used for switch/router interconnection; they should already be set as trusted anyway. There is one scenario with trunk ports where you should pay attention to this setting: when the trunk port goes to a server with some virtualization solution. Here you should take into consideration the number of virtual machines on the server and its growth capability.

2. We do not use any switches/routers as DHCP servers and also do not store the agent database. All DHCP leases are kept on separate redundant servers, so when switches/routers reload, nothing is lost.

3. Action when snooping detects a DHCP reply on an untrusted port: such settings depend on the specific hardware and software; you should check it in the documentation.

Thanks for the answer, but some additions:

1) If I understand correctly, the rate-limit function counts only received (incoming from client) packets on the port. The description of this option is: "Configure the number of DHCP packets per second that an interface can receive", so these are packets such as DHCP DISCOVER and DHCP REQUEST.

If snooping is enabled for vlan 5 (users) and vlan 6 (voice), for example, and a PC (vlan 5) connects through an IP phone (vlan 6) to a single access port of the switch, does the rate-limit function count the 15 packets per access port, or per access port but per VLAN? In other words, are there 15 packets for each connected device (PC and IP phone), or for the PC and IP phone together?

2) There is an ip dhcp snooping database, not an ip dhcp binding database that is stored on Cisco DHCP servers. From the Cisco manual: "To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks."
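As an added configuration example (written for this thread, not posted by either participant and not taken from the Cisco article linked above), here is a Catalyst IOS access-switch configuration that puts together the settings the thread discusses: snooping enabled on the data and voice VLANs, the uplink trunk trusted, the rate limit on an access port carrying a PC behind an IP phone, the database agent, and err-disable recovery. Interface names, VLAN numbers and the flash file name are assumptions. Two points the example relies on: `ip dhcp snooping limit rate` is an interface-level command, so the 15 pps counter applies to the physical port and the PC and phone share that budget regardless of VLAN; and a server reply (OFFER/ACK/NAK) arriving on an untrusted port is simply dropped by the snooping process, with no configurable alternative action, while the err-disable action is tied only to the rate limit.

```cisco
! Global: enable DHCP snooping and restrict it to the user and voice VLANs
ip dhcp snooping
ip dhcp snooping vlan 5,6
!
! Database agent: persist the binding table locally so that bindings,
! and DAI / IP Source Guard that depend on them, survive a reload
! (file name and write delay are assumptions)
ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping database write-delay 60
!
! Ports err-disabled by the rate limit come back automatically after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Uplink towards the distribution switch / DHCP server: trusted, no rate limit
interface GigabitEthernet1/0/48
 description UPLINK-TO-DISTRIBUTION
 switchport mode trunk
 ip dhcp snooping trust
!
! Access port with a PC behind an IP phone: untrusted (the default).
! The 15 pps limit counts all DHCP packets received on this port,
! i.e. VLAN 5 and VLAN 6 traffic together.
interface GigabitEthernet1/0/1
 description USER-PC-BEHIND-PHONE
 switchport mode access
 switchport access vlan 5
 switchport voice vlan 6
 ip dhcp snooping limit rate 15
!
end
```

To verify the result use `show ip dhcp snooping` (trust state and rate limit per interface), `show ip dhcp snooping binding` (the learned bindings), `show ip dhcp snooping database` (agent status and last write) and `show errdisable recovery` (which causes are recovered automatically). If a port is err-disabled before recovery kicks in, `show interfaces status err-disabled` lists it.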