Hi everybody!
I was reading about DHCP snooping.
This is what my Cisco book says:
"When DHCP snooping is enabled, switch ports are categorised as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.
A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN. Any DHCP replies coming from an untrusted port are discarded because they must come from a rogue DHCP server."
My questions are:
Why does the switch have to intercept all DHCP requests coming from untrusted ports, given that only hosts sitting behind the untrusted ports send DHCP requests? Let's say we even have one rogue DHCP server behind an untrusted port, but it cannot send DHCP requests, so what is the reason to intercept all DHCP requests?
Let's say we have two DHCP servers, s1 and s2, and a host on the same subnet. s2 is a rogue DHCP server.
s1 is connected by f0/1 to the switch (trusted port).
s2 is connected by f0/2 to the switch (untrusted port).
The host is connected by f0/3 to the switch (untrusted port).
The host sends a DHCP request to the broadcast address. Will the switch forward this broadcast on the trusted port (f0/2) connected to the rogue DHCP server s2?
Thanks a lot!
If you want either of those features to be truly dynamic, then yeah, you need DHCP snooping enabled. There are other, more static methods of using dynamic ARP inspection and IPSG.
Some switches provide a way to define an ARP ACL for valid ARP replies (which is what DAI does, block invalid ARP replies).
So DHCP snooping is not necessary, but 9 times out of 10 you will see DHCP snooping / IPSG / DAI all enabled on the switchports for security.
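The per-packet decision the book passage describes, applied to the f0/1, f0/2, f0/3 layout from the question, as an added example that is not part of the thread and is not switch code. It is a simplified model of the drop conditions Cisco documents for untrusted ports (server message types, source MAC versus `chaddr` mismatch, RELEASE/DECLINE arriving on a port other than the bound one) and of the binding table that DAI and IPSG consult. The class and function names, MAC addresses and IP addresses are constructed for illustration, and rate limiting, option 82 and forwarding scope are not modelled.

```python
# Simplified model of DHCP snooping filtering; hypothetical names, not switch code.
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK", "LEASEQUERY"}  # only servers send these

@dataclass
class Frame:
    port: str          # ingress switch port
    src_mac: str       # Ethernet source address
    msg_type: str      # DHCP message type
    chaddr: str        # client hardware address inside the DHCP payload
    yiaddr: str = ""   # address being assigned (server messages only)

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.seen = {}      # chaddr -> untrusted port the client asked from
        self.bindings = {}  # chaddr -> (ip, port): the snooping binding table

    def inspect(self, f):
        if f.port in self.trusted:  # trusted ports are not filtered
            if f.msg_type == "ACK" and f.chaddr in self.seen:
                self.bindings[f.chaddr] = (f.yiaddr, self.seen[f.chaddr])
            return "forward"
        if f.msg_type in SERVER_TYPES:
            return "drop: server message on untrusted port"
        if f.src_mac != f.chaddr:
            return "drop: source MAC differs from chaddr"
        if f.msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(f.chaddr)
            if bound and bound[1] != f.port:
                return "drop: binding belongs to another port"
            self.bindings.pop(f.chaddr, None)
        else:
            self.seen[f.chaddr] = f.port  # DISCOVER/REQUEST: remember the port
        return "forward"

# Constructed sample addresses for the host, s1 and s2 from the question.
HOST, S1, S2 = "aa:aa:aa:00:00:03", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"

def demo():
    sw = SnoopingSwitch(trusted_ports={"f0/1"})
    frames = [
        Frame("f0/3", HOST, "DISCOVER", HOST),              # host asks
        Frame("f0/2", S2, "OFFER", HOST, "192.0.2.66"),     # s2, untrusted
        Frame("f0/1", S1, "OFFER", HOST, "192.0.2.10"),     # s1, trusted
        Frame("f0/3", HOST, "REQUEST", HOST),
        Frame("f0/1", S1, "ACK", HOST, "192.0.2.10"),       # binding learned
        Frame("f0/2", HOST, "RELEASE", HOST),               # wrong port for binding
        Frame("f0/2", S2, "DISCOVER", "aa:aa:aa:00:00:99"), # chaddr mismatch
    ]
    return [sw.inspect(f) for f in frames], sw.bindings
```

The last two frames are client-type messages, which is why requests from untrusted ports are inspected as well as replies.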