DHCP Snooping on a network without a DHCP server?

eddie.moore1058
Level 1

From my understanding, this will not work.  However, my understanding is limited and I feel the need to ask the question anyway.

 

Is there any benefit to enabling DHCP Snooping on a switch where NONE of the VLANs utilize a DHCP server?  i.e.  ALL IP Addresses are statically set.  

 

The reason I'm asking, we are focusing on security and all security best practices for a new project.  I don't want a rogue hack job to be able to gain physical access to my switches and plug in a dhcp server.  If someone were to try, I want the port to lock out immediately.  

 

YES, I have port security enabled on all ports: MAX 1 on most, except for the VRTX server ports, since they generate multiple random MAC addresses. YES, violation is SHUTDOWN for my port security. Yes, I'm considering this simply as another layer of potential security. NO, I do NOT think it will work. However, I'm not the smartest guy in the world, so I ask questions.

 

Thanks in advance... Have a great day. 

3 Replies

Ben Walters
Level 3

It does seem unnecessary with the other port security you have enabled, and considering the fact that all devices on the subnet have static addresses, they wouldn't even be attempting to obtain a DHCP address.

 

That said, it wouldn't hurt to have DHCP snooping enabled, and it would offer something beyond what the switch already does. Any DHCP requests coming from devices will not be forwarded by the switch unless they are to a trusted port, so if none of the ports are trusted, no DHCP messages will be forwarded anywhere else on the VLAN.

 

It would have to be a pretty specific scenario to make DHCP snooping worthwhile in your setup. If you don't have your own DHCP server for the VLAN and devices will never be asking for DHCP addresses it just doesn't seem worth the effort of enabling DHCP snooping.
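As an added example (not part of the original reply or the Cisco documentation), here is the Cisco IOS configuration that the trusted/untrusted distinction above maps to, written for the setup described in the question. VLAN numbers, interface names and the rate-limit value are assumptions; the port-security lines restate what the question says is already in place. The points worth noting for this design: snooping must be enabled per VLAN as well as globally, no access port is marked trusted, and the only snooping feature that actually err-disables a port (rather than silently dropping packets) is the per-port rate limit.

```cisco
! Assumed: VLANs 10 and 20 carry the statically addressed hosts,
! Gi1/0/1-24 are the port-security access ports from the question.
!
! Global enable alone does nothing; the VLAN list is what activates it.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! On by default: drop client DHCP packets whose source MAC does not
! match the chaddr field inside the DHCP payload.
ip dhcp snooping verify mac-address
! No DHCP server or relay exists here, so option-82 insertion buys nothing.
no ip dhcp snooping information option
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Left untrusted (the default): DHCPOFFER/ACK/NAK arriving on this port
 ! are dropped, which is what stops a plugged-in rogue DHCP server.
 ! Client-side DHCP packets above this rate put the port in err-disabled.
 ip dhcp snooping limit rate 5
!
! No 'ip dhcp snooping trust' anywhere: trust belongs only on a port facing
! a real DHCP server or an upstream switch carrying DHCP, and this design has neither.
!
! Err-disabled ports stay down until 'shutdown' / 'no shutdown' unless recovery is enabled.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification:
!   show ip dhcp snooping              (VLANs, trusted ports, per-port rate limits)
!   show ip dhcp snooping statistics   (drop counters; present on Catalyst switch platforms)
!   show interfaces status err-disabled
```

What this does and does not give you over port security alone: a rogue server that gets past port security (for example by spoofing the MAC of the legitimate host on that port) still cannot deliver a DHCPOFFER to anyone, because server-originated messages are dropped on every untrusted port. It does not shut the port for a single rogue OFFER; only the rate limit triggers err-disable, so the "lock out immediately" behaviour the question asks for still comes from port security, with snooping as the second layer.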

"That said, it wouldn't hurt to have DHCP snooping enabled, and it would offer something beyond what the switch already does. Any DHCP requests coming from devices will not be forwarded by the switch unless they are to a trusted port, so if none of the ports are trusted, no DHCP messages will be forwarded anywhere else on the VLAN."

 

This line may prove itself to be the useful line... I will have to test this in a lab environment to see if it truly works like that.

 

Thanks

"It does seem unnecessary with the other port security you have enabled, and considering the fact that all devices on the subnet have static addresses, they wouldn't even be attempting to obtain a DHCP address."

 

This line.. not so much... 

The intent here is to prevent rogue machines from gaining access to my network. Yes, "sw port-security violation shutdown" and "sw port-security max 1" are used on nearly EVERY port, except the ports where we have VRTX servers connecting to the core switch. The VRTX servers are set up for virtual machines. Those VMs generate random MAC addresses.

 

This is a FAR FETCHED scenario.  Physically, the switches are behind about 8 layers of security with armed guards protecting them.  However, since security is "Defense in Depth", this "idea" may just add one more level of security for this hypothetical scenario that should NEVER happen.  
