dhcp snooping untrusted - only requests

vinciffs1
Level 1

Hi,

I would simply like to know why untrusted switch ports allow DHCP requests at all. What is the logic behind it? Why don't they block DHCP traffic altogether?

3 Replies

Milos Megis
Level 3

Hi, you connect end user devices (mostly PCs) on untrusted ports.

They should be allowed to request an IP address from DHCP.

But on untrusted ports there cannot be DHCP offer packets (packets sent by a DHCP server). These packets can appear only on trusted ports. This mechanism protects the network against someone connecting their own DHCP server on an untrusted port (rogue DHCP server attack).

So to be more exact, do untrusted ports also allow DHCP discover packets, for instance? And any other DHCP packets that might come from a DHCP client, but not packets such as offers and other server-specific packets? In the curriculum it only briefly talked about these REQ and ACK messages, as if these were the only ones involved in the DHCP process.

Hi,
The DHCP discover message is the first message from the client in the DHCP process, so it is allowed on untrusted ports.

Other kinds of messages are also discarded:
- all messages from a DHCP server received on an untrusted port
- messages from a DHCP client in which the value of "client MAC address" doesn't match the MAC address of the sender
- RELEASE and DECLINE messages from a DHCP client whose MAC address is in the database on a different port than the one the message arrived on
- messages received on an untrusted port in which the DHCP relay address is different from 0.0.0.0, or which contain option 82

A message that is not discarded will be sent only via trusted ports.
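To make the decision list above concrete, here is an added Python model of those snooping checks run over constructed sample frames; it is an illustration written for this thread, not Cisco's implementation, and the port names, binding table and message-type names are assumptions.

```python
from dataclasses import dataclass

# Assumed simplification: message types that only a DHCP server sends.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpFrame:
    src_mac: str                 # Ethernet source address of the frame
    chaddr: str                  # "client hardware address" field in the DHCP header
    msg_type: str                # DHCP message type (option 53): DISCOVER, OFFER, ...
    giaddr: str = "0.0.0.0"      # relay agent IP address; a client sends 0.0.0.0
    has_option82: bool = False   # relay agent information option present?

def snooping_verdict(frame, in_port, trusted_ports, bindings):
    """Return (action, reason) for one DHCP frame received on in_port.
    bindings maps a client MAC to the port where the snooping database
    learned it (assumed, simplified binding table)."""
    if in_port in trusted_ports:
        return "forward", "trusted port: everything passes"
    if frame.msg_type in SERVER_MESSAGES:
        return "drop", "server message on untrusted port"
    if frame.chaddr.lower() != frame.src_mac.lower():
        return "drop", "chaddr does not match sender MAC"
    if frame.msg_type in ("RELEASE", "DECLINE"):
        bound_port = bindings.get(frame.chaddr.lower())
        if bound_port is not None and bound_port != in_port:
            return "drop", "RELEASE/DECLINE for a binding on another port"
    if frame.giaddr != "0.0.0.0" or frame.has_option82:
        return "drop", "non-zero giaddr or option 82 from untrusted port"
    return "forward", "client message: sent out trusted ports only"

# Constructed sample traffic (port names and MACs are made up).
TRUSTED = {"Gi0/1"}
BINDINGS = {"aa:bb:cc:00:00:01": "Gi0/2"}
SAMPLES = [
    ("Gi0/2", DhcpFrame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "DISCOVER")),
    ("Gi0/3", DhcpFrame("aa:bb:cc:00:00:09", "aa:bb:cc:00:00:09", "OFFER")),
    ("Gi0/3", DhcpFrame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "REQUEST")),
    ("Gi0/3", DhcpFrame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "RELEASE")),
    ("Gi0/2", DhcpFrame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "REQUEST", has_option82=True)),
    ("Gi0/1", DhcpFrame("00:11:22:33:44:55", "00:11:22:33:44:55", "ACK")),
]

def run_samples():
    """Verdict (action only) for each constructed sample, in order."""
    return [snooping_verdict(f, port, TRUSTED, BINDINGS)[0] for port, f in SAMPLES]

if __name__ == "__main__":
    for port, f in SAMPLES:
        action, reason = snooping_verdict(f, port, TRUSTED, BINDINGS)
        print(f"{port} {f.msg_type:8} -> {action:7} ({reason})")
```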
