[c-nsp] DHCP snooping and DAI

Claes Jansson claes at gastabud.com
Mon Sep 15 02:37:30 EDT 2008


Hello!

I can't help but agree with you that the 3550 + arp-inspection fails completely :-) But I have been running dhcp-snooping + dai on 3750 for quite some time now, and it works just great! Even better if you add the "ip verify source port-security" on each user interface as well (eliminating mac-spoofing and loopback problems)... Just be sure to verify the setup so you have option 82 running through the network.

AFAIK, the switch does not constantly poll the "url database source". It synchronizes the database, writing changes to the database at certain intervals. And the database on the switch is kept only in RAM. If the switch loses communication with the server it will continue to use the in-memory database, until it is connected again. Then it will download the database from the source and synchronize it with the in-memory version. What could be a problem is if you reload a switch and your clients have very long dhcp-leases, and the database source is not available. Clients will lose contact until they renew their dhcp-leases.


c3750-001#sh ip dhcp snooping database 
Agent URL : ftp://user:pass@10.1.1.111/c3750-001.db
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

best regards.

        //Claes Jansson
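
As an added example (not part of Claes's post and not taken from Cisco documentation), here is an IOS configuration fragment of the kind the post describes for a 3750 access switch: DHCP snooping with option 82, DAI, IP source guard plus port security on user ports, and the binding database written to the FTP agent URL shown in the `show` output above. The VLAN numbers, interface names, rate limits and the port-security maximum are assumed values; the FTP user, password and host are the ones in the post's output.

```cisco
! Added example for a Catalyst 3750 access switch (assumed VLANs 10,20,
! assumed interface names and limits; not configuration from the post).
!
! --- DHCP snooping: the binding database is built from DHCP traffic ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default once snooping is enabled; stated
! explicitly so the dependency is visible: every relay and switch upstream
! must accept option 82 from this switch, or the snooped DHCP requests
! are dropped there and clients stop getting leases.
ip dhcp snooping information option
!
! Binding database agent: an empty file must already exist at the URL.
! Bindings live in RAM; changes are written after the write delay, and the
! timeout is the abort timer for a write attempt (both 300 s in the post).
ip dhcp snooping database ftp://user:pass@10.1.1.111/c3750-001.db
ip dhcp snooping database write-delay 300
ip dhcp snooping database timeout 300
!
! --- Dynamic ARP Inspection: ARP on untrusted ports must match a binding ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward distribution (assumed interface): DHCP replies and ARP
! are trusted here and nowhere else.
interface GigabitEthernet1/0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports: untrusted and rate limited. "ip verify source port-security"
! (IP Source Guard with MAC check) only forwards frames whose source IP
! and source MAC match the snooping binding, which is what stops the
! MAC-spoofing and loopback cases mentioned in the post.
interface range FastEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! On the upstream DHCP relay (assumed, not on this switch) option 82
! from the edge has to be accepted, e.g.:
!   ip dhcp relay information trust-all
! and on an intermediate snooping switch that sees it on an untrusted port:
!   ip dhcp snooping information option allow-untrusted
```

To verify the setup, `show ip dhcp snooping database` (as in the post) shows the agent URL and timers and whether the last write succeeded, `show ip dhcp snooping binding` lists the bindings currently in RAM, and `show ip arp inspection statistics` together with `show ip verify source` show what DAI and IP source guard are dropping per VLAN and port. The reload case Claes describes applies directly to this configuration: after a reboot the bindings only come back if the FTP agent URL is reachable at boot, and any host with a long lease that has no binding will be dropped by DAI and IP source guard until it renews.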



>Hello,
>
>I have been researching defenses against so-called 'man-in-the-middle'
>attacks at layer 2. We tried this around three years ago with 3550-48 smi
>image using dhcp snooping and dynamic arp inspection. After a time the
>switch stopped passing dhcp requests. This was in production, (though
>thankfully on only one switch) so we didn't have time to troubleshoot the
>precise nature of the problem, and gave up on the feature as being 'not
>ready for prime-time.'
>
>Since that time, Cisco seems to have changed the approach slightly.
>
>Cisco documentation regarding the dhcp database states :
>"Because both NVRAM and the flash memory have limited storage capacities, we
>recommend that you store a binding file on a TFTP server. You must create an
>empty file at the configured URL on network-based URLs (such as TFTP and
>FTP) before the switch can first write bindings to the binding file at that
>URL."
>
>AhhHaaa, I had suspected that the switch ran out of memory.
>
>Now we would like to try it again. Our network is pretty standard, 6500's at
>core, 4500 distribution and we will upgrade to either 3560's or 3750's at
>the edge (around 200 edge switches.) I would appreciate hearing from anyone
>who has used these features. My concerns to start out with are:
>
>   1.
>
>   What will happen if the switch loses communication with the database
>   server for some reason? Will the switch stop passing traffic entirely?
>   2.
>
>   How much traffic will the checking generate? Is the switch going to reach
>   out to the database for each flow? If not, how does the switch use the
>   databas
>   I am sure there are many more questions and concerns, I simply don't know
>   what I don't know :-)
>
>Thanks,
>dennis
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
