[c-nsp] Performance - IP DHCP Snooping

Alexander Clouter alex at digriz.org.uk
Sun Aug 14 06:56:59 EDT 2011


Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 
> haven't noticed any issues with having DHCP snooping enabled - 
> performance wise the access layer seemed to be the same with or 
> without it (it's very quick and easy for these switches to see 
> particular bits of packets).
>
We have been using it for at least three years with no noticeable 
performance problems on our ~80 C3750s (~25 stacks) at the access 
layer.

Two gotchas:
 * 'ip dhcp snooping database flash:dhcp-snoop.db', so that if the 
	switch reboots all the clients do not get locked out
 * do not encourage your MS Windows hosts to do a DHCPRELEASE[1] (by 
	default they do not; I got stung for being 'clever').  It is 
	helpful that a lease continues after the workstation shuts down 
	and powers up, say, the following day.  At my workplace, in 
	central London, you would have expected a non-third-world mains 
	supply, but that's probably just Estates.  Staff generally 
	shut down their workstations at night...a power failure occurs, 
	taking out the DHCP server (failover fails too), workstations 
	turn on...the switch refuses to let them on as the workstation has 
	not got a valid lease.  If the lease is not released, then the 
	workstation is permitted to continue using it after a reboot, 
	and the Windows DHCP client seems to try to use the old one if 
	it is still valid.

We cover all our VLANs (the DHCP-enabled ones); our 'template' edge 
configuration looks like this (includes MAC-auth/802.1X VLAN assignment):

http://www.digriz.org.uk/lanwarden

Remember on your uplinks:
----
int Po1
 [snipped]
 ip arp inspection trust
 ip dhcp snooping trust
----

Cisco also have a very good presentation[2] on this.

Cheers

[1] http://msdn.microsoft.com/en-us/library/cc227278(v=prot.10).aspx
[2] http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vyncke_2.pdf

-- 
Alexander Clouter
.sigmonster says: Thufir's a Harkonnen now.
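The two gotchas and the uplink trust above, pulled together into one
IOS access-switch fragment.  This is an added example and not the
lanwarden template from the post; VLAN numbers, the rate limits, the
write-delay value and the port/port-channel names are assumptions for
illustration, so adapt them to your own edge.

```cisco
! --- Global: enable snooping, scope it to the DHCP-served VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Gotcha 1: persist the binding table to flash so a reboot does not
! empty it and lock every existing lease-holder off the network.
! write-delay (assumed 60s) bounds how stale the file can be; timeout
! bounds how long the switch waits for a write before giving up.
ip dhcp snooping database flash:dhcp-snoop.db
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 300
!
! Only if your DHCP server/relay rejects Option 82 from the edge;
! leave the default (inserting it) when the server copes with it.
no ip dhcp snooping information option
!
! DAI rides on the same binding table, so enable it on the same VLANs
ip arp inspection vlan 10,20
!
! Ports err-disabled by the rate limiters recover on their own
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Access ports: untrusted (default) plus a sane DHCP rate limit ---
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- Uplink: the only place the DHCP server (or relay) should be
! reachable from, so DHCPOFFER/ACK arriving here is trusted ---
interface Port-channel1
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
! Gotcha 2 is a client-side setting, not a switch one: leave the
! Windows clients alone (no shutdown-time DHCPRELEASE) so a host that
! powers up while the DHCP server is down still has a valid binding.
```

After applying it, `show ip dhcp snooping` confirms the VLAN list and
which interfaces are trusted, `show ip dhcp snooping binding` lists the
learned leases, and `show ip dhcp snooping database` reports whether the
last write to flash:dhcp-snoop.db succeeded; a failing write there is
exactly the state that turns the next reboot into a lock-out.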


