[c-nsp] Performace - IP DHCP Snooping
Alexander Clouter
alex at digriz.org.uk
Sun Aug 14 06:56:59 EDT 2011
Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>
> haven't noticed any issues with having DHCP snooping enabled -
> performance wise the access layer seemed to be the same with or
> without it (it's very quick and easy for these switches to see
> particular bits of packets).
>
We have been using it for at least three years with no noticeable
performance problems on our ~80 C3750s (~25 stacks) at the access
layer.
Two gotchas:
* 'ip dhcp snooping database flash:dhcp-snoop.db', so that if the
switch reboots all the clients do not get locked out
* do not encourage your MS Windows hosts to do a DHCPRELEASE[1] (by
default they do not; I got stung for being 'clever'). It is
helpful that a lease continues after the workstation shuts down
and powers up, say, the following day. At my workplace, in
central London, you would have expected a non-third-world mains
supply, but that's probably just Estates: staff generally
shut down workstations at night... a power failure occurs,
taking out the DHCP server (failover fails too), workstations
turn on... the switch refuses to let them on as the workstation
has not got a valid lease. If the lease is not released, then the
workstation is permitted to continue using it after a reboot,
and the Windows DHCP client seems to try to use the old one if
it is still valid.
We cover all our VLANs (the DHCP-enabled ones); our 'template' edge
configuration looks like this (includes MAC-auth/802.1X VLAN assignment):
http://www.digriz.org.uk/lanwarden
Remember on your uplinks:
----
int Po1
[snipped]
ip arp inspection trust
ip dhcp snooping trust
----
Cisco also have a very good presentation[2] on this.
Cheers
[1] http://msdn.microsoft.com/en-us/library/cc227278(v=prot.10).aspx
[2] http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vyncke_2.pdf
--
Alexander Clouter
.sigmonster says: Thufir's a Harkonnen now.
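As an added illustration (my own script, not from the post, Cisco or the lanwarden template), here is a small audit of an IOS running-config for the two gotchas above: the binding database not persisted to flash:, and an uplink missing the snooping/ARP-inspection trust lines. The sample config is constructed, and the uplink names passed to audit() are an assumption.

```python
"""Audit a Cisco IOS running-config for the DHCP snooping gotchas above."""
import re

# Constructed sample config (not from any real switch): Po1 is the uplink
# and is only half-trusted; the binding database line is absent.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface Port-channel1
 description uplink to core
 ip arp inspection trust
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
!
"""

def parse_config(text):
    """Split an IOS config into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit(text, uplinks):
    """Return a list of findings; an empty list means the config follows the advice."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("DHCP snooping not enabled globally")
    if not any(re.match(r"ip dhcp snooping database flash:", g) for g in global_lines):
        findings.append("binding database not persisted to flash: (clients locked out after reload)")
    for name in uplinks:
        cfg = interfaces.get(name, [])
        for cmd in ("ip dhcp snooping trust", "ip arp inspection trust"):
            if cmd not in cfg:
                findings.append(f"{name}: missing '{cmd}' on uplink")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["Port-channel1"]):
        print("FINDING:", finding)
```

Run it against `show running-config` output and a list of your uplink port-channels; the sample reports the missing database line and the missing `ip dhcp snooping trust` on Po1.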