[c-nsp] DHCP snooping and DAI

dog bone dogbohn at gmail.com
Sat Sep 13 09:40:29 EDT 2008


Hello,

I have been researching defenses against so-called 'man-in-the-middle'
attacks at layer 2. We tried this around three years ago with 3550-48 smi
image using dhcp snooping and dynamic arp inspection. After a time the
switch stopped passing dhcp requests. This was in production, (though
thankfully on only one switch) so we didn't have time to troubleshoot the
precise nature of the problem, and gave up on the feature as being 'not
ready for prime-time.'

Since that time, Cisco seems to have changed the approach slightly.

Cisco documentation regarding the dhcp database states:
"Because both NVRAM and the flash memory have limited storage capacities, we
recommend that you store a binding file on a TFTP server. You must create an
empty file at the configured URL on network-based URLs (such as TFTP and
FTP) before the switch can first write bindings to the binding file at that
URL."

AhhHaaa, I had suspected that the switch ran out of memory.

Now we would like to try it again. Our network is pretty standard, 6500's at
core, 4500 distribution and we will upgrade to either 3560's or 3750's at
the edge (around 200 edge switches.) I would appreciate hearing from anyone
who has used these features. My concerns to start out with are:

1. What will happen if the switch loses communication with the database
   server for some reason? Will the switch stop passing traffic entirely?

2. How much traffic will the checking generate? Is the switch going to reach
   out to the database for each flow? If not, how does the switch use the
   database?

I am sure there are many more questions and concerns, I simply don't know
what I don't know :-)

Thanks,
dennis
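For readers evaluating the same setup, here is an added IOS configuration example (not from the post or from Cisco's documentation) that enables DHCP snooping and DAI on a 3750-class access switch and stores the binding file on TFTP as the quoted documentation recommends; the VLAN number, TFTP address, file name and interface names are assumptions, and the comments address the two questions above.

```cisco
! Added example, not from the original post. Assumed values: access VLAN 10,
! TFTP server 192.0.2.10 (documentation address), binding file snoop.db,
! 3750-style interface names, uplink Gi1/0/49 toward the DHCP server.
! The empty file snoop.db must exist on the TFTP server before the first write.
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop option-82 insertion unless the DHCP server is configured to accept it
no ip dhcp snooping information option
!
! Binding database agent. The live binding table lives in switch RAM; this
! file is only a persistent copy, written write-delay seconds after a change
! and read back at boot. DAI and snooping look up the local table, never the
! server, so an unreachable TFTP server produces logged write failures, not a
! forwarding stop, and generates no per-flow traffic.
ip dhcp snooping database tftp://192.0.2.10/snoop.db
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 300
!
ip arp inspection vlan 10
! Also compare the Ethernet header addresses with the ARP body
ip arp inspection validate src-mac dst-mac ip
!
! Recover ports automatically if a rate limit err-disables them
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
interface GigabitEthernet1/0/49
 description uplink toward distribution and the DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 48
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Checks after enabling (run from exec mode):
!  show ip dhcp snooping binding
!  show ip dhcp snooping database
!  show ip arp inspection statistics vlan 10
```

Watch the output of `show ip dhcp snooping database` for agent write failures after the TFTP server is taken offline; that is the case question 1 asks about, and forwarding should continue from the in-memory table.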
