Tuesday, August 4, 2009

DHCP snooping

This is where a "rogue" DHCP server is introduced into a network. Generally a host accepts the first DHCPOFFER packet it receives. So if the rogue server hands out a valid IP address but sets the default gateway, or even the DNS server address, to the rogue server itself, it can gather all traffic from the susceptible hosts. Switches have a means of protecting against this called DHCP snooping, which classifies each interface as one of two types:
**Trusted- the interface is trusted for DHCP traffic, including DHCP server messages.
**Untrusted- the interface is not trusted; unauthorized DHCP traffic arriving on it is dropped, and the port is placed into err-disabled mode. All ports are untrusted by default when DHCP snooping is enabled.

(config)# ip dhcp snooping (enables DHCP snooping globally)
(config)# ip dhcp snooping vlan <vlan-id> (enables DHCP snooping on the given VLAN or VLAN list)
(config-if)# ip dhcp snooping trust (marks the interface as trusted)
(config)# ip dhcp snooping information option (enables insertion of DHCP option 82, the relay agent information option; still need to read up on this)

show ip dhcp snooping (verifies which VLANs are snooped and which interfaces are trusted)
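A fuller version of the configuration above, added here as an example and not taken from the original post: the uplink toward the real DHCP server is trusted, the access ports stay untrusted and rate-limited, and the err-disabled ports recover on their own. Interface names, VLAN numbers, the database path and the rate value are assumptions.

```cisco
! Added example (not from the original post): DHCP snooping on a Catalyst
! access switch. Assumed names: VLANs 10 and 20 are user VLANs, Gi0/1 is the
! uplink toward the legitimate DHCP server, Gi0/2-24 are client access ports.
conf t
!
! Enable snooping globally and on the VLANs that carry client traffic.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Keep the learned IP/MAC/port bindings across reloads (path is an assumption).
ip dhcp snooping database flash:dhcp-snoop.db
!
! Option 82 insertion is on by default. If the upstream DHCP server rejects
! offers because of the inserted option, turn it off:
!   no ip dhcp snooping information option
!
! Only the uplink may carry DHCP server messages (OFFER/ACK/NAK).
interface GigabitEthernet0/1
 description Uplink toward distribution / DHCP server
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default). Cap client DHCP messages so a
! flood of DISCOVERs err-disables only that one port, not the switch CPU.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 ip dhcp snooping limit rate 15
!
! Bring rate-limited ports back automatically after 5 minutes.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
end
!
! Verify: snooped VLANs and trusted ports, the binding table that only
! legitimate (trusted-side) ACKs populate, and any ports shut by the limit.
show ip dhcp snooping
show ip dhcp snooping binding
show interfaces status err-disabled
```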
