dhcp snooping

sarahr202
Level 5

Hi everybody!

I was reading about DHCP snooping.

This is what my Cisco book says:

"When DHCP snooping is enabled, switch ports are categorised as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.

A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN. Any DHCP replies coming from untrusted ports are discarded because they must come from a rogue DHCP server."

My questions are:

1)

Why does the switch have to intercept all DHCP requests coming from untrusted ports? Only hosts sitting behind the untrusted ports send DHCP requests. Let's say we even have one rogue DHCP server behind an untrusted port; it cannot send DHCP requests, so what is the reason to intercept all DHCP requests?

2)

Let's say we have two DHCP servers, s1 and s2, and a host on the same subnet. s2 is a rogue DHCP server.

s1 is connected by f0/1 to the switch (trusted port).

s2 is connected by f0/2 to the switch (untrusted port).

The host is connected by f0/3 to the switch (untrusted port).

The host sends a DHCP request to the broadcast address. Will the switch forward this broadcast on the trusted port (f0/2) connected to the rogue DHCP server s2?

Thanks a lot!


3 Replies

Elly Bornstein
Cisco Employee

1) DHCP snooping is also used for other features, such as dynamic ARP inspection and IP source guard.

It will need to look at the requests on untrusted interfaces (clients) to keep a database of DHCP snooping bindings so they can be used for the above two other security features.

Rogue DHCP server protection is provided by only allowing DHCP OFFER packets through a trusted interface.

2) Yes, the DHCP request will still go to the rogue server, but the OFFER it sends back to the client will be dropped.

Thanks a lot, Ebornste!

That means that in order for Dynamic ARP Inspection and IP Source Guard to work, DHCP snooping must be configured. Correct?

If you want either of those features to be truly dynamic then yeah, you need DHCP snooping enabled. There are other, more static methods of using dynamic ARP inspection and IPSG.

Some switches provide a way to define an ARP ACL for valid ARP replies (which is what DAI does: block invalid ARP replies).

So DHCP snooping is not necessary, but 9 times out of 10 you will see DHCP snooping / IPSG / DAI all enabled on the switchports for security.
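The two answers above (the request still reaching the rogue server while its OFFER is dropped, and the snooped bindings feeding DAI and IPSG) as an added toy model; this is example code written for this thread, not Cisco code, and the port names, MAC and IP values are constructed to match the question's topology.

```python
# Added example, not from the thread: a toy model of the switch in the question.
# Port names, MAC and IP values are constructed; f0/1 is the only trusted port.
PORTS = ["f0/1", "f0/2", "f0/3"]    # s1 (legit server), s2 (rogue), host
TRUSTED = {"f0/1"}
clients = {}    # mac -> port, learned from DISCOVER/REQUEST on untrusted ports
bindings = {}   # mac -> (ip, port): the DHCP snooping binding table

def forward_dhcp(in_port, msg, client_mac, ip=None):
    """Return the ports a DHCP frame is sent to, or [] if the switch drops it."""
    if msg in ("DISCOVER", "REQUEST"):
        clients[client_mac] = in_port              # snooped: this is question 1
        return [p for p in PORTS if p != in_port]  # flooded, rogue port included
    if msg in ("OFFER", "ACK"):
        if in_port not in TRUSTED:
            return []                              # server reply on untrusted port: drop
        if msg == "ACK" and client_mac in clients:
            bindings[client_mac] = (ip, clients[client_mac])  # lease becomes a binding
        return [clients[client_mac]] if client_mac in clients else []
    return []

def dai_check(in_port, sender_mac, sender_ip):
    """Dynamic ARP Inspection: ARP on an untrusted port must match a binding."""
    return in_port in TRUSTED or bindings.get(sender_mac) == (sender_ip, in_port)

def ipsg_check(in_port, src_mac, src_ip):
    """IP Source Guard: same table, applied to the IP source of data traffic."""
    return in_port in TRUSTED or bindings.get(src_mac) == (src_ip, in_port)

def run_scenario():
    host = "00:11:22:33:44:55"                     # constructed client MAC
    out = {"discover": forward_dhcp("f0/3", "DISCOVER", host)}
    out["rogue_offer"] = forward_dhcp("f0/2", "OFFER", host, "10.0.0.200")
    out["good_offer"] = forward_dhcp("f0/1", "OFFER", host, "10.0.0.50")
    forward_dhcp("f0/3", "REQUEST", host)
    forward_dhcp("f0/1", "ACK", host, "10.0.0.50")
    out["binding"] = bindings.get(host)
    out["arp_ok"] = dai_check("f0/3", host, "10.0.0.50")   # matches the binding
    out["arp_bad"] = dai_check("f0/3", host, "10.0.0.1")   # claims another IP
    out["ipsg_bad"] = ipsg_check("f0/3", host, "10.0.0.99")
    return out

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The DISCOVER is flooded to f0/2 as well, so the rogue server does see it; only its OFFER is dropped, and the ACK from the trusted port is what creates the binding that DAI and IPSG later check.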
