DHCP Snooping

VeeDubbs

Hi all -

Quick question about dhcp snooping. I find lots of info on the web about this - but I can't quite figure out how to set it up for my needs.

I'm on a college campus and we have multiple residence halls. We've had a lot of issues with students bringing in routers and setting them up incorrectly and screwing up many other students in the same building. So we want to be able to have those bogus DHCP packets ignored (or dropped or whatever). I think this is where dhcp-snooping would come into play.

From what I understand we can put in an authorized server and trusted/untrusted ports and we can put in a policy to drop unauthorized dhcp responses. Is this true?

So I would put our DHCP server as the only authorized server? And I would put the only trusted port as the gig port since this is where DHCP would be coming from?

Hopefully this makes sense....
 
You pretty much have it.

DHCP snooping works by preventing DHCP acknowledgements from being sent into a port that is not considered secure. Enabling DHCP snooping can prevent people from bringing up rogue DHCP servers which can compromise security by shifting traffic through a "man-in-the-middle". This is, not coincidentally, called a "man-in-the-middle" attack.

There are also a few other nefarious things you can do with a rogue DHCP server, but the MITM attack is the most prolific.
 
Thanks Baked.

Hopefully you know a little more and can help out some more.

To set up the authorized server I do:

Code:
dhcp-snooping authorized-server 10.2.3.4

To set up the trusted port I do:

Code:
dhcp-snooping trust D21

To set up the untrusted policy, I do:

Code:
dhcp-snooping option 82 untrusted-policy drop

This is the only place I could find the untrusted policy. What exactly is that option 82? Is it something in the packet declaring that it is a DHCP packet?

Also, under dhcp-snooping I see the database, verify and vlan options. Are you able to explain what those exactly are?

Thanks for anything you can help with!
 
Option 82 is for DHCP relay agents, also known as the IP helper service. When this is enabled on a switch, incoming DHCP requests will be tagged with the MAC addy and interface on which they are received, before they are forwarded off to the DHCP server. This is usually configured on access layer devices for additional security, if memory serves. The purpose is to pass on this information to upstream devices. When the DHCP server replies with the IP info, the option 82 information of the switch that first sent the request is again encapsulated into the packet. The switch which first received the request sees this information and forwards the DHCP reply, knowing that the request came from something directly connected to it.

The vlan option is to enable the DHCP snooper on a per-vlan basis, should you so desire. The database option is for hosting a large database of options and such for the DHCP snooper.
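Added example (not code from this thread, nor HP's switch code): a small Python model of the two things discussed above, Baked's description of how snooping stops rogue server replies and the option 82 explanation. It builds minimal DHCP packets in the RFC 2131 layout (236-byte BOOTP header, magic cookie, TLV options), lets a relay agent tag a request with option 82 (sub-option 1 circuit ID, sub-option 2 remote ID), and then applies the rules the three ProCurve commands in the thread express: `authorized-server 10.2.3.4`, `trust D21`, and `option 82 untrusted-policy drop`. Port names, MAC addresses and the rogue router's IP are made up; the real switch identifies the server by the source IP header, which this model does not build, so the source address is passed in explicitly.

```python
"""Toy model of DHCP snooping with option 82 (constructed example).

Rules applied, mirroring the thread's configuration:
  1. server replies (BOOTREPLY: OFFER/ACK/NAK) arriving on an untrusted port are dropped;
  2. replies on a trusted port are accepted only from an authorized server;
  3. client requests that already carry option 82 on an untrusted port are dropped
     (the "option 82 untrusted-policy drop" behaviour).
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6


def build_dhcp(op, chaddr, msg_type):
    """Minimal DHCP packet: fixed BOOTP header, magic cookie, option 53, END."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                                   # op, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0,                              # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_tlv(data, terminated=True):
    """Parse code/length/value triples: DHCP options (with PAD/END) or option 82 sub-options."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if terminated and code == OPT_PAD:
            i += 1
            continue
        if terminated and code == OPT_END:
            break
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def dhcp_options(pkt):
    """Options start after the 236-byte header and the 4-byte magic cookie."""
    return parse_tlv(pkt[240:])


def relay_tag(pkt, circuit_id, remote_id):
    """What the relay agent does on the way up: insert option 82 with sub-option 1
    (circuit ID, e.g. the ingress port) and 2 (remote ID, e.g. the switch MAC)
    in front of the END option. Only client requests get tagged."""
    assert pkt[0] == BOOTREQUEST and pkt.endswith(bytes([OPT_END]))
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return pkt[:-1] + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])


def snoop(pkt, in_port, src_ip, trusted_ports, authorized_servers,
          option82_untrusted_policy="drop"):
    """Apply the snooping rules; returns ("forward" | "drop", reason)."""
    opts = dhcp_options(pkt)
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
    trusted = in_port in trusted_ports
    if pkt[0] == BOOTREPLY:                       # only a server sends OFFER/ACK/NAK
        if not trusted:
            return "drop", f"server message type {mtype} on untrusted port {in_port} (rogue DHCP server)"
        if src_ip not in authorized_servers:
            return "drop", f"server {src_ip} on trusted port {in_port} is not an authorized server"
        return "forward", f"reply from authorized server {src_ip} via {in_port}"
    if OPT_RELAY_AGENT in opts and not trusted and option82_untrusted_policy == "drop":
        return "drop", f"client request on untrusted port {in_port} already carries option 82"
    return "forward", f"client request type {mtype} from {in_port}"


def demo():
    """Scenarios from the thread: student PC, student's router, the real server on the uplink."""
    trusted, authorized = {"D21"}, {"10.2.3.4"}
    student = bytes.fromhex("001122334455")              # made-up client MAC
    results = {}
    discover = build_dhcp(BOOTREQUEST, student, DISCOVER)
    results["student discover"] = snoop(discover, "A1", "0.0.0.0", trusted, authorized)
    offer = build_dhcp(BOOTREPLY, student, OFFER)
    results["rogue router offer"] = snoop(offer, "A5", "192.168.1.1", trusted, authorized)
    results["real server offer"] = snoop(offer, "D21", "10.2.3.4", trusted, authorized)
    results["unknown server on uplink"] = snoop(offer, "D21", "10.9.9.9", trusted, authorized)
    tagged = relay_tag(discover, b"A1", bytes.fromhex("0004ea112233"))  # made-up switch MAC
    results["pre-tagged discover"] = snoop(tagged, "A1", "0.0.0.0", trusted, authorized)
    results["tagged on uplink"] = snoop(tagged, "D21", "0.0.0.0", trusted, authorized)
    return results


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:28s} {verdict:8s} {reason}")
```

The "pre-tagged discover" case is the one the untrusted-policy governs: a request that shows up on a student-facing port already carrying option 82 did not come from a plain client, so with the policy set to drop it never reaches the server. The model leaves out the binding database and the IP/UDP headers a real switch also looks at; it is only meant to make the trusted/untrusted and authorized-server decisions concrete.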
 