What happens to dhcp binding database if renumbering a switch?

keithsauer507
Level 5

Hello all,

I would like to implement DHCP snooping and ARP inspection to prevent L2 attacks.

So we can enable DHCP snooping for a week to build the binding table into a file in flash, then enable ARP inspection a week later once the table is populated.

My question is what happens if a switch stack is renumbered. Say you remove one or two switches from a stack and issue the command to renumber the stack. I'm pretty sure the command is supposed to properly move your port configurations; however, with the DHCP snooping database stored as a text file in flash: (to survive a power cycle), I don't think it would really be smart enough to look into the file.

For example, if switch 2 is removed and you renumber the stack so switch 3 is now switch 2, that invalidates the table, because what it thought was on Gi3/0/1 is now actually on Gi2/0/1 due to the renumbering.

So my guess is you would turn off ARP inspection after the renumbering and wait another week to allow the ports to rebuild. Also carefully and manually alter any static bindings created (ip source binding aaaa.bbbb.cccc.dddd vlan # ipaddress interface GiX/X/X).

Let me know your thoughts.

4 Replies

Hello

I envisage you would do this out of business hours anyway, as renumbering within a stack I think requires a reload?

As such, if the snooping DB isn't saved, it would be flushed anyway on that reload until the clients request DHCP addressing again and the snooping DB is populated.

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Right, it would be after hours.

However the DB is configured to write to flash, with this line:

ip dhcp snooping database flash:ptn-access-3fl-dhcpdb

So if you do a sh flash: the file is there, and if you do a more flash:ptn-access-3fl-dhcpdb it writes it out to the terminal for your viewing pleasure.

I guess if the switch renumbering does not address this file, one could TFTP it off, edit it in your favorite text editor, then TFTP it back.

Anyone ever try it?

I guess the alternative is to turn off ip arp inspection for another week until the DHCP database updates naturally.

Hello

You could also drop the lease timing on the DHCP scopes and start another snooping DB, and let that get built up/populated as each DHCP client renews its addressing.

res

Paul

Just wanted to share that we did renumber a stack after hours.

There is an issue renumbering a stack and I was able to recreate it on some spare 3750 switches. When you renumber a stack, you will LOSE all port configuration. At next reload it attempts to do it, but even on the latest 12.2(55)SE12 it fails miserably.

So get your Notepad++ out and your most up to date config, and get handy with the find and replace.

Here is some sample output of a switch after it's reloaded and renumbered in my test lab. In this test I had a switch by itself that was numbered switch 2. I did a switch 2 renumber 1, confirmed it, wrote mem and did a reload.

Now for our big switch stack I saw this for 5 switches deep (past switch 1), so we had to do some find and replace in Notepad++ and paste the corrected interface configs a little bit at a time. If you try to paste too much, PuTTY can't keep up with the 9600 baud serial cable, so just be careful, and patient. Do the uplinks last so any live devices don't DHCP and obtain addresses in the wrong VLAN. You also should default the interface range for the switch you are coming from. For example, if switch 7 is now switch 4, default 7/0/1 through 7/0/48 and 7/1/1 through 7/1/4 (ge or te, whatever you have), then paste your now corrected config from switch 7 with the interface numbers as 4. This way you won't clash on things like the same MAC address in port security mac sticky on more than one port. When complete you can issue the no provision switch x command to remove whatever switches you eliminated from the stack.

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750V2-48TS 12.2(55)SE12 C3750-IPSERVICESK9-M

%Command rejected: switch 1 (ws-c3750v2-48ts) already present in the stack

interface GigabitEthernet1/0/5
^
% Invalid input detected at '^' marker.

description IT Printer rpt_170
^
% Invalid input detected at '^' marker.

switchport access vlan 7
^
% Invalid input detected at '^' marker.

switchport mode access
^
% Invalid input detected at '^' marker.

ip access-group acl1 in
^
% Invalid input detected at '^' marker.

So as you can see, Cisco's script is useless and does not do any error handling.  So be prepared to do all the work yourself.
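The find-and-replace step described above, as an added Python example (not the poster's or Cisco's code): it rewrites only the switch number in interface references, including the static ip source binding lines from the first post, and emits the default interface commands for the old switch number. The config excerpt is constructed; the switch numbers 7 and 4 follow the post.

```python
import re

# Constructed sample (not from the thread): a config excerpt for switch 7,
# which becomes switch 4 after the stack renumber. It includes a static
# "ip source binding" that also references the old interface name.
OLD_CONFIG = """\
interface GigabitEthernet7/0/5
 description IT Printer rpt_170
 switchport access vlan 7
 switchport mode access
 switchport port-security mac-address sticky 0011.2233.4455
!
interface TenGigabitEthernet7/1/1
!
ip source binding aaaa.bbbb.cccc vlan 7 10.1.7.20 interface Gi7/0/5
"""

# Long and short interface names, followed by the switch/module/port triple.
IFACE_RE = re.compile(
    r"\b(?P<name>GigabitEthernet|TenGigabitEthernet|FastEthernet|Gi|Te|Fa)"
    r"(?P<sw>\d+)/(?P<mod>\d+)/(?P<port>\d+)\b"
)


def renumber_config(config, old_sw, new_sw):
    """Rewrite every interface reference on switch old_sw to new_sw.
    Only the first element of the x/y/z triple changes, so 'vlan 7', port 7
    or an IP octet 7 stay as they are (a blind replace of '7/' would not)."""
    def sub(m):
        if int(m.group("sw")) != old_sw:
            return m.group(0)
        return f"{m.group('name')}{new_sw}/{m.group('mod')}/{m.group('port')}"
    return IFACE_RE.sub(sub, config)


def interfaces_on_switch(config, sw):
    """Names of the interfaces configured (interface lines) on switch sw."""
    names = []
    for line in config.splitlines():
        m = IFACE_RE.search(line) if line.startswith("interface ") else None
        if m and int(m.group("sw")) == sw:
            names.append(m.group(0))
    return names


def default_commands(config, old_sw):
    """'default interface' for each old-switch interface, to be pasted before
    the renumbered config so a stale sticky MAC does not end up on two ports."""
    return [f"default interface {n}" for n in interfaces_on_switch(config, old_sw)]
```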

 

 

 
