DHCP Snooping

Unanswered Question
Aug 24th, 2014

Hello again,

I have some confusion about DHCP snooping and its mechanism, how it works. Let's assume the diagram below: I have a DHCP server connected to a distribution switch, and one client is directly connected to the switch.

How will the DHCP snooper authenticate all users in one VLAN? What I don't understand is, if we have already enabled DHCP snooping and trust, how will the switch know that all PCs connected to the switch are trusted PCs, and what if I have a new PC connected to the switch; how will it authenticate the new users?


What I understand is ...

If I have 150 users in one VLAN, once I enable DHCP snooping, the service will start collecting all IP addresses currently directly connected to the switch, right?

If we have new users, can we bind them manually?

How does the switch authenticate the DHCP link (DHCP snooping trust) which is directly connected to the DHCP server?

Thanks

Emmanouil Patin... Sun, 08/24/2014 - 01:35

Hello,

Regarding the scenario depicted, you have to make fa 0/1 ip dhcp snooping trust. All the other links are assumed to be untrusted. DHCP snooping has nothing to do with authenticating users and permitting specific IPs that it has in its binding table. If you want this, you should enable the IP Source feature. DHCP snooping simply does not permit DHCP offer messages from untrusted ports, so that it eliminates the possibility of a rogue DHCP server in your network. In addition to that, it saves the bindings done through the DHCP offer messages it sees. This has no meaning if you do not enable the IP Source feature (unless you know the IP addresses given on each port/PC). The switch does not authenticate the messages based on this binding table. For example, if there is a PC on switch port gi 0/5 that has been assigned the IP 1.1.1.1/24 and you then connect another PC with a static IP of 1.1.1.10/24, this PC will communicate and have access normally.


Now, if your clients have already connected and been assigned IP addresses, and then you enable the ip dhcp snooping feature, the snooping binding table will start to be populated when clients re-ask the DHCP server for an IP address. Keep in mind that the DHCP snooping feature does not inspect actual packets but only DHCP packets.


I hope I helped.
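The configuration the answer above describes, as an added example that is not part of the original thread: the uplink to the DHCP server is the only trusted port, every client port stays untrusted, IP Source Guard is what actually enforces the binding table on client ports, and a static binding covers the "bind manually" case. Interface numbering, VLAN 10, and the MAC/IP values in the static binding are assumptions for illustration.

```cisco
! Added example (not from the original post). Catalyst IOS; interface names,
! VLAN 10 and the binding values below are assumed placeholders.
ip dhcp snooping
ip dhcp snooping vlan 10
! The switch inserts option 82 into relayed DHCP packets by default; many DHCP
! servers drop such packets, so disable insertion unless the server expects it.
no ip dhcp snooping information option
! Keep learned bindings across a reload (file name is a placeholder).
ip dhcp snooping database flash:dhcp-snooping.db
!
interface FastEthernet0/1
 description Uplink to DHCP server - the only trusted port
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
interface range FastEthernet0/2 - 24
 description Client ports - untrusted by default; DHCP offers/acks are dropped
 switchport mode access
 switchport access vlan 10
 ! Cap DHCP messages per second so a client cannot flood the snooping process.
 ip dhcp snooping limit rate 15
 ! IP Source Guard: forward only traffic whose source IP matches a snooping
 ! binding on this port. This is what blocks the static 1.1.1.10 host in the
 ! answer's example; without it, snooping alone never filters data traffic.
 ip verify source
!
! Manual binding for a host that does not use DHCP, so IP Source Guard permits
! it on its port. MAC, IP and interface are constructed placeholders.
ip source binding 0011.2233.4455 vlan 10 1.1.1.10 interface FastEthernet0/5
```

Verify what the switch has learned with `show ip dhcp snooping binding`; hosts whose leases predate enabling snooping will have no entry until they renew, and on a port with `ip verify source` they are blocked until that happens, so enable IP Source Guard only after the binding table is populated or add static bindings first.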
