DHCP Snooping
What is DHCP Snooping?
CCNP 300-115 Switch
– 2.0 Infrastructure Security
– – 2.1a DHCP Snooping
What is it? DHCP Snooping is a Layer 2 security feature.
What does it solve? It prevents unauthorized/rogue DHCP servers.
How does it solve the problem? DHCP Snooping drops DHCP traffic that is not acceptable on the port it arrives on.
Terminology and Operation:
- DHCP Snooping is designed to be configured on access switches only.
- The untrusted ports connect to the clients.
- The trusted port leads to the DHCP server. The trusted port requires manual configuration.
- DHCP Discover and DHCP Request packets can only be forwarded from the untrusted ports out through the trusted ports, which lead to the DHCP server.
- DHCP Snooping creates a DHCP Snooping Binding Database.
The DHCP Snooping Binding Database includes the following information:
- Client MAC Address
- Client IP Address
- Lease Time
Client – Untrusted to Trusted Port allowed messages:
- DHCP Discover
- DHCP Request/Inform
- DHCP Decline
- DHCP Release
Server – Ingress from Trusted Ports allowed messages:
- DHCP Offer
- DHCP Ack
- DHCP NACK
- DHCP
So if a DHCP Offer message were to come from a host connected to an untrusted port, the packet would be dropped when it reached the switch.
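The per-port decision described in these notes, written out as an added Python model (this is illustrative code, not from the notes or from any switch vendor). It applies the allowed-message rules for trusted and untrusted ports and builds the binding database from the server's ACKs. The port names, MAC addresses, IP addresses and lease time are constructed sample values; the `ingress` method, `DhcpSnoopingSwitch` class and `run_demo` scenario are this example's own names.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# DHCP message types, the values carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)

# From the notes: messages a client sends, allowed in on untrusted ports
CLIENT_MESSAGES = {DISCOVER, REQUEST, INFORM, DECLINE, RELEASE}
# From the notes: messages only a server sends, allowed in on trusted ports only
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpPacket:
    msg_type: int
    client_mac: str
    client_ip: str = "0.0.0.0"  # address the server hands out in OFFER/ACK
    lease_time: int = 0         # seconds, from the ACK's lease-time option


@dataclass
class Binding:
    """One row of the DHCP snooping binding database (MAC is the key)."""
    client_ip: str
    lease_time: int
    port: str


class DhcpSnoopingSwitch:
    """Models the decision DHCP snooping makes for each DHCP packet on an access switch."""

    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted_ports = set(trusted_ports)
        self.binding_db: Dict[str, Binding] = {}        # keyed by client MAC
        self._client_port: Dict[str, str] = {}          # MAC -> untrusted port last seen on
        self.dropped: List[Tuple[str, int, str]] = []   # (port, msg_type, reason)

    def ingress(self, port: str, pkt: DhcpPacket) -> bool:
        """Return True if the packet is forwarded, False if snooping drops it."""
        if port in self.trusted_ports:
            # Trusted side: server replies are accepted, and each ACK adds a binding
            if pkt.msg_type == ACK:
                self.binding_db[pkt.client_mac] = Binding(
                    pkt.client_ip, pkt.lease_time,
                    self._client_port.get(pkt.client_mac, "unknown"))
            return True

        # Untrusted side: only client messages may enter
        if pkt.msg_type in SERVER_MESSAGES:
            self.dropped.append((port, pkt.msg_type, "server message on untrusted port"))
            return False
        if pkt.msg_type not in CLIENT_MESSAGES:
            self.dropped.append((port, pkt.msg_type, "unknown DHCP message type"))
            return False
        if pkt.msg_type in (DISCOVER, REQUEST):
            self._client_port[pkt.client_mac] = port   # remember where the client lives
        elif pkt.msg_type == RELEASE:
            # Lease given up: the client's binding entry is removed
            self.binding_db.pop(pkt.client_mac, None)
        return True


def run_demo() -> DhcpSnoopingSwitch:
    """Constructed scenario: a rogue server on Gi0/1, a real client on Gi0/2,
    the real DHCP server behind trusted uplink Gi0/24 (all names/addresses made up)."""
    sw = DhcpSnoopingSwitch(trusted_ports={"Gi0/24"})
    client_mac = "aa:bb:cc:dd:ee:ff"

    # A rogue DHCP server on an access port answers the client: dropped at the switch
    sw.ingress("Gi0/1", DhcpPacket(OFFER, client_mac, "192.168.1.200"))

    # Normal four-message exchange: client on untrusted Gi0/2, server via Gi0/24
    sw.ingress("Gi0/2", DhcpPacket(DISCOVER, client_mac))
    sw.ingress("Gi0/24", DhcpPacket(OFFER, client_mac, "10.0.0.20"))
    sw.ingress("Gi0/2", DhcpPacket(REQUEST, client_mac))
    sw.ingress("Gi0/24", DhcpPacket(ACK, client_mac, "10.0.0.20", lease_time=86400))
    return sw


if __name__ == "__main__":
    switch = run_demo()
    for mac, b in switch.binding_db.items():
        print(f"{mac}  {b.client_ip}  lease={b.lease_time}s  port={b.port}")
    for port, msg, reason in switch.dropped:
        print(f"dropped on {port}: type {msg} ({reason})")
```

Running the script shows the rogue Offer on Gi0/1 recorded as a drop, while the legitimate exchange through the trusted uplink leaves one binding (client MAC, assigned IP, lease time, and the untrusted port the client was learned on).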