DHCP Snooping:
DHCP snooping is a switch feature that stops a malicious host from acting as the network's DHCP server. The switch inspects DHCP traffic and only forwards DHCP server replies (Offer, Ack, Nak) that arrive on ports explicitly marked as trusted; a server reply arriving on any other port is dropped.
Scenario where DHCP Snooping might be used:
This is the rogue DHCP server attack, where an attacker introduces a DHCP server of their own on the network. A host generally accepts the first DHCP Offer it receives, so the rogue server only has to answer faster than the legitimate one. If the rogue server hands out a valid IP address but names itself as the default gateway, or as the DNS server, it can intercept and relay all off-subnet traffic (or all name lookups) from the susceptible hosts, putting itself in a man-in-the-middle position.
Enabling the switch feature known as 'DHCP snooping' prevents this attack. Each switch port is treated in one of two ways:
(1) Trusted - The interface is allowed to carry DHCP server traffic; DHCP Offers and Acks arriving here are forwarded. This is used for the port facing the legitimate DHCP server (the server's own port or the uplink towards it).
(2) Untrusted - DHCP server messages (Offer, Ack, Nak) arriving on the interface are dropped, while client messages (Discover, Request) are still forwarded. All ports are untrusted by default when DHCP snooping is enabled. An untrusted port is only put into err-disabled mode when a DHCP packet rate limit has been configured on it and a host exceeds that rate; a rogue server reply by itself is simply dropped and logged.
Configuration:
Step 1 - Enable DHCP Snooping on the entire switch:
S4#conf t
S4(config)#ip dhcp snooping
Step 2 - Enable DHCP Snooping for a particular VLAN
S4(config)#ip dhcp snooping vlan 4
Step 3 - Mark the port that leads to the legitimate DHCP server as trusted with the ip dhcp snooping trust command. Access ports stay untrusted (the default).
S4(config)#int fa0/1
S4(config-if)#ip dhcp snooping trust
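The three steps above, pulled together into one complete configuration with the rate limit, Option 82 setting and verification commands a practitioner would normally add. This is an added example, not the original post's configuration; it assumes VLAN 4 holds the clients, FastEthernet0/1 is the uplink to the real DHCP server, and FastEthernet0/2 through 0/24 are client access ports (all three are assumptions).

```cisco
! Added example, not from the original post.
! Assumes: VLAN 4 = client VLAN, Fa0/1 = uplink to the legitimate DHCP server,
!          Fa0/2-24 = untrusted client access ports.
S4#configure terminal
S4(config)#ip dhcp snooping
S4(config)#ip dhcp snooping vlan 4
! Option 82 insertion is on by default once snooping is enabled; turn it off unless
! the DHCP server or upstream relay is known to accept Option 82 from this switch.
S4(config)#no ip dhcp snooping information option
! Only the port facing the real DHCP server is trusted: Offers/Acks from it are forwarded.
S4(config)#interface FastEthernet0/1
S4(config-if)#description Uplink to DHCP server
S4(config-if)#ip dhcp snooping trust
S4(config-if)#exit
! Client ports remain untrusted (the default). A per-port rate limit means a host
! flooding DHCP packets err-disables only its own port instead of hurting the switch.
S4(config)#interface range FastEthernet0/2 - 24
S4(config-if-range)#ip dhcp snooping limit rate 15
S4(config-if-range)#exit
! Optional: recover ports err-disabled by the rate limit after 5 minutes.
S4(config)#errdisable recovery cause dhcp-rate-limit
S4(config)#errdisable recovery interval 300
S4(config)#end
! Verification: which VLANs are snooped, which ports are trusted / rate-limited,
! and the MAC-IP-VLAN-port bindings learned from DHCP Acks on the trusted port.
S4#show ip dhcp snooping
S4#show ip dhcp snooping binding
```

After enabling the feature, check show ip dhcp snooping binding while a client renews its lease: if no entries appear, the most common causes are that the uplink to the DHCP server was left untrusted (so the Acks are being dropped) or that the server is rejecting the Option 82 data the switch inserts.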
For a better understanding on DHCP Snooping, I found an excellent tutorial by Chris Bryant:
http://www.mcmcse.com/cisco/guides/dhcp_snooping.shtml