dhcp snooping

Jan 29th, 2009

Hi everybody!

I was reading about DHCP snooping.

That is what my cisco book says:

"When DHCP snooping is enabled, switch ports are categorised as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.

A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN. Any DHCP replies coming from an untrusted port are discarded because they must come from a rogue DHCP server."

My questions are:

1)

Why does the switch have to intercept all DHCP requests coming from untrusted ports? Only hosts sitting behind the untrusted ports send DHCP requests. Let's say we even have one rogue DHCP server behind an untrusted port; it cannot send DHCP requests, so what is the reason to intercept all DHCP requests?

2)

Let's say we have two DHCP servers, s1 and s2, and a host on the same subnet. s2 is the rogue DHCP server.

s1 is connected by f0/1 to the switch (trusted port)

s2 is connected by f0/2 to the switch (untrusted port)

The host is connected by f0/3 to the switch (untrusted port)

The host sends a DHCP request to the broadcast address. Will the switch forward this broadcast on the trusted port (f0/2) connected to the rogue DHCP server s2?

Thanks a lot!

Elly Bornstein Thu, 01/29/2009 - 18:03

1) DHCP snooping is also used for other features like: dynamic ARP inspection and IP source guard.

It will need to look at the requests on untrusted interfaces (clients) to keep a database of dhcp snooping bindings so they can be used for the above 2 other security features.

Rogue DHCP server protection is provided by only allowing DHCP OFFER packets through a trusted interface.

2) Yes, the DHCP request will still go to the rogue server, but the OFFER it sends back to the client will be dropped.
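As an added illustration (not code from the thread or from Cisco), a toy Python model of the behaviour this answer describes: client requests arriving on untrusted ports are snooped into a binding table and still flooded to every other port, including the rogue server's, while server replies arriving on an untrusted port are dropped. Port names and roles follow the question; the MAC and IP addresses are constructed sample values.

```python
"""Toy model of DHCP snooping on one VLAN (added illustration, not Cisco's code).
Ports f0/1-f0/3 and their roles come from the question; all messages are constructed."""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass(frozen=True)
class Dhcp:
    kind: str         # DISCOVER, OFFER, REQUEST, ACK, ...
    in_port: str      # switch port the frame arrived on
    client_mac: str   # chaddr field
    yiaddr: str = ""  # address offered/assigned; only meaningful in OFFER/ACK


class SnoopingSwitch:
    def __init__(self, ports, trusted):
        self.ports = list(ports)
        self.trusted = set(trusted)
        self.client_port = {}  # client MAC -> port it was seen on
        self.bindings = {}     # client MAC -> (IP, port): the table DAI and IPSG consult

    def handle(self, msg):
        """Process one DHCP frame; return the list of egress ports ([] means dropped)."""
        if msg.kind in SERVER_MSGS:
            if msg.in_port not in self.trusted:
                return []  # server reply on an untrusted port can only be a rogue: drop it
            if msg.kind == "ACK":
                # lease confirmed by a legitimate server: record MAC -> IP -> client port
                self.bindings[msg.client_mac] = (msg.yiaddr, self.client_port.get(msg.client_mac))
            dst = self.client_port.get(msg.client_mac)
            return [dst] if dst else [p for p in self.ports if p != msg.in_port]
        # Client message: snoop it (remember which port the client is on), then flood it to
        # every other port, trusted or not; the rogue server does receive the request.
        self.client_port[msg.client_mac] = msg.in_port
        return [p for p in self.ports if p != msg.in_port]


def run_scenario():
    """Topology from question 2: s1 on f0/1 (trusted), rogue s2 on f0/2, host on f0/3."""
    sw = SnoopingSwitch(["f0/1", "f0/2", "f0/3"], trusted={"f0/1"})
    host = "00:11:22:33:44:55"  # constructed client MAC
    flood = sw.handle(Dhcp("DISCOVER", "f0/3", host))            # reaches f0/1 and f0/2
    rogue = sw.handle(Dhcp("OFFER", "f0/2", host, "10.0.0.200"))  # dropped
    legit = sw.handle(Dhcp("OFFER", "f0/1", host, "10.0.0.50"))   # delivered to f0/3
    sw.handle(Dhcp("REQUEST", "f0/3", host, "10.0.0.50"))
    sw.handle(Dhcp("ACK", "f0/1", host, "10.0.0.50"))            # creates the binding
    return flood, rogue, legit, dict(sw.bindings)


if __name__ == "__main__":
    print(run_scenario())
```

The resulting binding table is what Dynamic ARP Inspection and IP Source Guard check against, which is why the switch must see the client side of the exchange as well as the server side.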

sarahr202 Thu, 01/29/2009 - 20:11

Thanks a lot Ebornste!

That means in order for Dynamic ARP Inspection and IP Source Guard to work, DHCP snooping must be configured. Correct?

Correct Answer
Elly Bornstein Fri, 01/30/2009 - 10:30

If you want either of those features to be truly dynamic then yeah, you need DHCP snooping enabled. There are other, more static methods of using Dynamic ARP Inspection and IPSG.

Some switches provide a way to define an ARP ACL for valid ARP replies (which is what DAI does, block invalid ARP replies).

So DHCP snooping is not necessary, but 9 times out of 10 you will see DHCP snooping / IPSG / DAI all enabled on the switchports for security.
