CCNP - BCMSN ( 642-812 )
DHCP Snooping
An important part of passing the Cisco CCNP BCMSN exam and protecting
your network from intruders is to recognize that even everyday
protocols and services can work against us once that intruder is in
our network.
It may be hard to believe, but something as innocent as DHCP can
actually lead to trouble for your network. When a host sends out a
DHCPDiscover packet, it listens for DHCPOffer packets - and accepts
the first Offer it gets!
Part of that DHCPOffer is the address to which the host should set
its default gateway. What if a DHCP server that does not belong on
our network - a rogue DHCP server - is placed on that subnet?
If that host uses the DHCPOffer from the rogue server, the host
could end up using the rogue server as its default gateway or DNS
server!
We can prevent this with DHCP Snooping. DHCP Snooping classifies
interfaces as either trusted or untrusted.
DHCP messages received on trusted interfaces will be permitted to
pass through the switch, but DHCP messages received on untrusted
interfaces result in the interface itself being placed into the
err-disabled state.
By default, the switch considers all ports untrusted - which means
we had better remember to configure the switch to trust some ports when
we enable DHCP Snooping!
First, we need to enable DHCP Snooping on the entire switch:
SW1(config)#ip dhcp snooping
To enable DHCP Snooping for a particular VLAN, use the ip dhcp
snooping vlan command.
SW1(config)#ip dhcp snooping vlan 4
Ports can then be configured as trusted with the ip dhcp snooping
trust command.
SW1(config-if)#ip dhcp snooping trust
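Putting the three steps together, here is a complete DHCP Snooping configuration for one VLAN with a verification step at the end. This is an added example, not configuration from the tutorial; the interface numbers, the choice of uplink port, VLAN 4 as the client VLAN and the rate-limit value are assumptions.

```cisco
! Added example: minimal DHCP Snooping deployment for VLAN 4.
! Interface names, the uplink port and the rate limit are assumed values.
!
! 1. Enable DHCP Snooping globally. Every port is untrusted at this point.
ip dhcp snooping
!
! 2. Enable it for the VLAN where the clients live.
ip dhcp snooping vlan 4
!
! 3. Trust only the port that leads toward the legitimate DHCP server.
!    DHCP server replies (Offer/Ack) arriving on any other port are
!    not forwarded, which is what stops a rogue server on an access port.
interface GigabitEthernet1/0/24
 description Uplink toward distribution / legitimate DHCP server
 ip dhcp snooping trust
!
! 4. Client-facing access ports stay untrusted. The optional rate limit
!    caps DHCP packets per second; exceeding it err-disables the port,
!    so a host flooding Discovers cannot exhaust the DHCP scope.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 4
 ip dhcp snooping limit rate 10
!
! 5. Let err-disabled ports recover automatically after the default timer
!    instead of requiring a manual shut / no shut.
errdisable recovery cause dhcp-rate-limit
!
! 6. Verify from privileged EXEC mode:
!    show ip dhcp snooping          -> enabled VLANs, trusted ports, rate limits
!    show ip dhcp snooping binding  -> MAC/IP/lease table learned on untrusted ports
```

The snooping binding table built by this configuration is what later features such as Dynamic ARP Inspection and IP Source Guard rely on, so confirm it is populating before enabling those.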
There are other options available with DHCP Snooping, and we'll look
at some of those in a future tutorial. DHCP Snooping is an important
topic for your CCNP BCMSN exam, and it's just as important in
real-world networks!
