Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Help understanding DHCP Snooping and Dynamic ARP Inspection

Please help me to understand DHCP Snooping and Dynamic ARP Inspection.

3 REPLIES
VIP Purple

Re: Help understanding DHCP Snooping and Dynamic ARP Inspection

HI Ezra,

In simple words:

DHCP Snooping is a feature which is available on switches. This feature is used to prevent rogue dhcp server attacks.

dhcp-snooping1.jpg

In the diagram, a valid dhcp server is connected to the network. The computers are suppose to receive dynamic ip addresses from the valid server. An attacker implants a rogue dhcp server on the network as shown in the diagram. The following steps are followed for a client to receive an ip address from a dhcp server.

When a client (computer) is connected to the switch and is configured to receive a dynamic ip address from a dhcp server, the dhcp service on the client, sends out a DHCP Discover packet, searching for servers on the network. This packet is broadcast in nature. DHCP servers on the network, would respond to the DHCP Discover packet sent from the client. In the example, both the DHCP servers would respond to the DHCP discover packet. The client would process the first packet it receives. If the response send by the rogue dhcp server reaches the client first, then the computer would have an ip address provided by the rogue dhcp server.

To prevent this, dhcp snooping is configured on the port on which the valid dhcp server is connected to. After the configuration is performed, no other ports on the switch would be able to respond to DHCP Discover packets from the clients. So even through the attacker has set up a rogue dhcp server, the port on the switch to which the attacker has connected would not be allowed to respond to DHCP discover packets. Thus dhcp snooping thwarts the attempt from the attacker in setting up a rogue dhcp server.

DAI:

Please read the expalined version from here: http://ciscocertstudyblog.blogspot.de/2010/06/ciscoblogpics.html

More about DHCP snooping and DAI: Please read this attached document with some detailed explanation.

Hope it helps.

Regards

Please use rating system and mark athe question answered it may help others.

New Member

Help understanding DHCP Snooping and Dynamic ARP Inspection

Thanks Sandeep for the clarification...

  Attached PDF file is not having complete view and boders are not viewable. Can i get the compelte document?

  Regards,

VIP Purple

Re: Help understanding DHCP Snooping and Dynamic ARP Inspection

Hi,
I don't hv word version of this I think u canderstand with this document ... Only the left side one word is not completely visible.

Hope it helps

Regards
Don't forget to rate helpful post.

If u are satisfied with the answer then mark this question as answered.

Sent from Cisco Technical Support iPhone App

179
Views
0
Helpful
3
Replies
CreatePlease to create content