dhcp snooping and cisco switch

sarahr202
Level 5

Hi everybody

By default, when we configure DHCP snooping on a Cisco switch, the command "ip dhcp snooping information option" is also enabled. If I disable this command, would the switch still create the DHCP binding table?

Thanks and have a great weekend.

1 Accepted Solution

Accepted Solutions

Reza Sharifi
Hall of Fame

Hi Sarah,

This command enables the insertion and removal of option 82 information from DHCP packets. The no option disables the insertion and removal of option-82 information.

So, yes, the DHCP binding is still enabled.

HTH


3 Replies

Thanks Reza.

I have yet to do some study on option 82. Surely, I would have some questions.

Hi Reza.

I discovered some new information about DHCP snooping (at least new for me).

For messages received on trusted ports, no validation is performed. For messages received on untrusted ports, the following steps are taken:

1. DHCP messages normally exchanged from a DHCP server to a client are dropped. These messages are DHCPOFFER, DHCPACK, and DHCPNAK.

2. DHCP messages with a nonzero relay agent/gateway IP address (also called the giaddr field) or Option 82 data are dropped.

3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from releasing/declining addresses leased to another host.

4. DHCPDISCOVER messages, where the source MAC address does not match the client Hardware Address field, are dropped. This helps to mitigate the DHCP exhaustion attack. This check is performed only if the DHCP snooping MAC address verification option is turned on.

================================================================

So a switch configured only with DHCP snooping (not IP source guard/dynamic ARP inspection) performs the following as well:

3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from releasing/declining addresses leased to another host.

4. DHCPDISCOVER messages, where the source MAC address does not match the client Hardware Address field, are dropped. This helps to mitigate the DHCP exhaustion attack. This check is performed only if the DHCP snooping MAC address verification option is turned on.

How do we configure the above-mentioned "DHCP snooping MAC address verification option"?

========================================================================

I could not find a good link on option 82.  The question I have:

what is option 82 and why do we need it ?

I understand what is option 82 but still at loss as to why we need it.

thanks

Message was edited by: Sarah
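The four untrusted-port checks quoted above, modelled as a small Python filter so the order and effect of each rule can be seen on constructed messages. This is an added illustration, not Cisco code and not from the thread; the message fields, the binding-table layout (IP to MAC/port) and the `verify_mac` flag (standing in for the switch's MAC verification option, which in IOS is the global command `ip dhcp snooping verify mac-address`) are assumptions made for the example.

```python
from dataclasses import dataclass

# DHCP message types that only a server should send; on an untrusted
# (client-facing) port they indicate a rogue server and are dropped.
SERVER_TO_CLIENT = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class DhcpMsg:
    kind: str                 # e.g. DHCPDISCOVER, DHCPRELEASE
    src_mac: str              # Ethernet source MAC of the frame
    chaddr: str               # client Hardware Address field in the DHCP payload
    port: str                 # untrusted switch port the frame arrived on
    ciaddr: str = "0.0.0.0"   # address being released/declined (for RELEASE/DECLINE)
    giaddr: str = "0.0.0.0"   # relay agent/gateway IP; nonzero means relayed
    has_option82: bool = False  # relay agent information option present


def check_untrusted(msg, bindings, verify_mac=True):
    """Apply the untrusted-port rules in order.

    bindings: constructed snooping binding table, IP -> (MAC, port).
    Returns (accepted, reason)."""
    # Rule 1: server-to-client messages never arrive legitimately from a client port.
    if msg.kind in SERVER_TO_CLIENT:
        return False, "server message on untrusted port"
    # Rule 2: clients do not set giaddr or insert option 82 themselves.
    if msg.giaddr != "0.0.0.0" or msg.has_option82:
        return False, "nonzero giaddr or option 82 from untrusted port"
    # Rule 3: a RELEASE/DECLINE must come from the host (MAC and port) that holds the lease.
    if msg.kind in ("DHCPRELEASE", "DHCPDECLINE"):
        if bindings.get(msg.ciaddr) != (msg.src_mac, msg.port):
            return False, "release/decline does not match binding-table entry"
    # Rule 4: only with MAC verification on, DISCOVER src MAC must equal chaddr.
    if msg.kind == "DHCPDISCOVER" and verify_mac and msg.src_mac != msg.chaddr:
        return False, "source MAC does not match client hardware address"
    return True, "ok"


# Constructed binding table: 10.0.0.5 is leased to aa:aa on port Gi1/0/1.
BINDINGS = {"10.0.0.5": ("aa:aa:aa:aa:aa:aa", "Gi1/0/1")}
```

Running `check_untrusted` on a DHCPDISCOVER whose source MAC differs from chaddr shows the rule-4 drop only while `verify_mac` is true; the same message passes with the option off, which is why the quoted text calls it out as conditional.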
