Alan Buxey <[email protected]> wrote:
> 
> havent noticed any issues with having DHCP snooping enabled - 
> performance wise the access layer seemed to be the same with or 
> without it (its very quick and easy for these switches to see 
> particular bits of packets).
>
We have been using it for at least three years with no noticable 
performance problems on our ~80 C3750's (~25 stacks) at the access 
layer.

Two gotchas:
 * 'ip dhcp snooping database flash:dhcp-snoop.db', so that if the 
        switch reboots all the clients do not get locked out
 * do not encourage your MS Windows hosts to do a DHCPRELEASE[1] (by 
        default it does not, I got stun for being 'clever').  It is 
        helpful that a lease continues after the workstation shuts down 
        and powers up say the following day.  At my workplace, for 
        central London you would have expected a non-third world mains 
        supply but that's probably just Estates, staff generally 
        shutdown workstation at night...power failure occurs 
        taking out the DHCP server (failover fails too), workstation 
        turns on...switch refuses to let them on as the workstation has 
        not got a valid lease.  If the lease is not released, then the 
        workstation is permitted to continue using it after a reboot 
        and the Windows DHCP client seems to try to use the old one if 
        it is still valid.

We cover all our VLAN's (the DHCP enabled ones), our 'template' edge 
configuration looks like (includes MAC-auth/802.1X VLAN assignment):

http://www.digriz.org.uk/lanwarden

Remember on your uplinks:
----
int Po1
 [snipped]
 ip arp inspection trust
 ip dhcp snooping trust
----

Cisco also have a very good presentation[2] on this.

Cheers

[1] http://msdn.microsoft.com/en-us/library/cc227278(v=prot.10).aspx
[2] 
http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vyncke_2.pdf

-- 
Alexander Clouter
.sigmonster says: Thufir's a Harkonnen now.

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to