Thursday, November 18, 2010

DHCP Snooping

DHCP snooping is a feature on Cisco switches that prevents attacks from unauthorized users posing as DHCP servers. The attack is possible when a client asks for an IP address by sending a DHCP request: an attacker can answer with a fake DHCP offer, and the client will simply accept it if that offer arrives before the one from the real, trusted DHCP server (clients accept the first DHCP offer that comes in).

By applying DHCP snooping this problem can be avoided, because the switch examines the port on which each DHCP offer arrives and determines whether that port is in the "trusted" or the "untrusted" category. If the port is trusted, the DHCP offer is forwarded to the client. If it is untrusted, the DHCP offer is blocked; furthermore, the port will be set into err-disabled mode. One important thing to remember is that by default the switch treats all ports as untrusted, so make sure to configure the trusted ports on the switch when applying DHCP snooping.

To configure DHCP snooping, enter the commands below (the feature must be enabled globally and then for the VLAN(s) to be inspected):
(config)#ip dhcp snooping // enable the feature globally; without this the per-VLAN command has no effect
(config)#ip dhcp snooping vlan <vlan_number> // dhcp snooping will be done for any host in the given vlan_number

Then configure the port to which the trusted DHCP server is connected:
(config)#int fa<port_number>
(config-if)#ip dhcp snooping trust // trust this port for sending DHCP offers. Other options exist under "ip dhcp snooping", such as limit (rate) and vlan

To add the DHCP option 82 relay agent information, put:
(config)#ip dhcp snooping information option

Finally, the command "#show ip dhcp snooping" displays the DHCP snooping status, the inspected VLANs and the trusted ports.
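The following is an added example, not part of the original post: it models the decision described above by parsing a constructed IOS-style config fragment into a trust table and then applying the snooping rule to sample DHCP messages. Function names and the sample config are assumptions made for this illustration; the VLAN list parsing (comma and dash ranges) is a simplification of the real CLI.

```python
"""Model of the DHCP snooping decision rule from the post above.

Server-originated messages (OFFER/ACK/NAK) are forwarded only when they
arrive on a trusted port; client messages (DISCOVER/REQUEST) pass on any
port. Every port not explicitly trusted is untrusted, matching the default.
"""

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

# Constructed sample running-config: snooping enabled for VLAN 10,
# Fa0/1 (server uplink) trusted, Fa0/2 (client access port) left untrusted.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface FastEthernet0/1
 ip dhcp snooping trust
!
interface FastEthernet0/2
 switchport access vlan 10
"""


def parse_snooping(config):
    """Return (enabled_globally, set of snooped VLAN ids, set of trusted ports)."""
    enabled, vlans, trusted, current = False, set(), set(), None
    for line in config.splitlines():
        if line.strip() == "ip dhcp snooping":
            enabled = True
        elif line.startswith("ip dhcp snooping vlan "):
            for tok in line.split(None, 4)[4].replace(" ", ",").split(","):
                if "-" in tok:  # simplified range syntax "10-20"
                    lo, hi = map(int, tok.split("-"))
                    vlans.update(range(lo, hi + 1))
                elif tok:
                    vlans.add(int(tok))
        elif line.startswith("interface "):
            current = line.split()[1]
        elif line.strip() == "ip dhcp snooping trust" and current:
            trusted.add(current)  # ports absent from this set stay untrusted
    return enabled, vlans, trusted


def snooping_verdict(config, port, vlan, msg_type):
    """Decide whether the switch forwards or drops one DHCP message."""
    enabled, vlans, trusted = parse_snooping(config)
    if not enabled or vlan not in vlans:
        return "forward"  # snooping inactive on this VLAN: no inspection at all
    if msg_type in SERVER_MSGS and port not in trusted:
        return "drop"  # server message on an untrusted port: the rogue-offer case
    return "forward"
```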
