DHCP snooping without DHCP relay and Option 82

mmadruga
Level 1

We'd like to configure DHCP snooping on a local network using Cisco 2950 and 3750 switches.

The DHCP server and clients are on the same subnet, so we do not need to configure DHCP relay, and the DHCP server does not support option 82, so we won't configure snooping information either.

So, our configuration would be:

config# ip dhcp snooping
config# no ip dhcp snooping information option
config-if# ip dhcp snooping trust   (on the interface for the DHCP server and on the interfaces that connect the switches)

All the user interfaces would be considered untrusted.

In this scenario, does DHCP snooping still offer security? I mean, could we prevent an intruder DHCP server (some user in our LAN pretending to be the DHCP server)?

Is there any other benefit that justifies the DHCP snooping configuration in this scenario?

Thanks in advance,

1 Reply

mchin345
Level 6

The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface.

In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network.

When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.

The switch drops a DHCP packet when one of these situations occurs:

A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.

A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.

The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.

A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
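The drop rules listed in the reply above, as an added example that is not from the original thread and not Cisco's code: a small Python model of the snooping decision for one switch, run over constructed packets. Interface names, MAC addresses, the trusted-port set and the binding-table entry are all assumptions.

```python
from dataclasses import dataclass

# DHCP message types that only a server may send (first drop rule in the reply).
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class DhcpPacket:
    src_mac: str              # Ethernet source MAC address
    chaddr: str               # DHCP client hardware address field
    msg_type: str             # DHCPDISCOVER, DHCPOFFER, DHCPRELEASE, ...
    giaddr: str = "0.0.0.0"   # relay-agent IP address field
    has_option82: bool = False

def snooping_verdict(pkt, ingress_if, trusted_ifs, bindings):
    """Apply the reply's drop rules; returns (forward, reason).
    bindings maps a client MAC to the interface recorded in the binding database."""
    if ingress_if in trusted_ifs:
        return True, "trusted interface: DHCP traffic is not inspected"
    if pkt.msg_type in SERVER_MSGS:
        return False, "server message on untrusted interface (rogue server)"
    if pkt.src_mac.lower() != pkt.chaddr.lower():      # MAC verification (on by default)
        return False, "source MAC does not match client hardware address"
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        bound_if = bindings.get(pkt.chaddr.lower())
        if bound_if is not None and bound_if != ingress_if:
            return False, "RELEASE/DECLINE from a port other than the bound one"
    if pkt.giaddr != "0.0.0.0" or pkt.has_option82:
        return False, "relay-agent data (giaddr/option 82) on untrusted port"
    return True, "client message passes all checks"

def evaluate_samples():
    """Run constructed packets through the checks; returns {name: forward}."""
    trusted = {"Gi1/0/1"}                        # assumed server/uplink port
    bindings = {"00:11:22:33:44:55": "Gi1/0/5"}  # assumed existing lease
    client = "00:11:22:33:44:55"
    cases = {
        "discover_from_client": (DhcpPacket(client, client, "DHCPDISCOVER"), "Gi1/0/5"),
        "offer_from_real_server": (DhcpPacket("00:aa:bb:cc:dd:01", client, "DHCPOFFER"), "Gi1/0/1"),
        "offer_from_rogue_server": (DhcpPacket("00:de:ad:be:ef:01", client, "DHCPOFFER"), "Gi1/0/7"),
        "spoofed_chaddr": (DhcpPacket("00:de:ad:be:ef:02", client, "DHCPDISCOVER"), "Gi1/0/7"),
        "release_from_wrong_port": (DhcpPacket(client, client, "DHCPRELEASE"), "Gi1/0/7"),
        "option82_on_client_port": (DhcpPacket(client, client, "DHCPDISCOVER", has_option82=True), "Gi1/0/5"),
    }
    return {n: snooping_verdict(p, i, trusted, bindings)[0] for n, (p, i) in cases.items()}

if __name__ == "__main__":
    for name, forward in evaluate_samples().items():
        print(f"{name:26s} -> {'forward' if forward else 'DROP'}")
```

The rogue DHCPOFFER arriving on an untrusted user port is dropped while the same message from the trusted server port is forwarded, which is the protection the original question asks about.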