Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1001
Views
1
Helpful
5
Replies

DHCP Snooping and Static IP Addresses

Go to solution
Gregman3800
Level 1
Level 1

‎07-02-2024 07:32 AM

When using DHCP Snooping along with static IP addresses I understand that you will need to add those IP addresses to the binding database for DAI and IP verify source to work.  My question is if this is worth it?  It seems like a huge pain to list all of these IP addresses and possibly MAC addresses manually.  Just wanted to know what the community thinks about this hardening requirement.  Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
M02@rt37
VIP
VIP

‎07-02-2024 07:53 AM - edited ‎07-02-2024 07:53 AM

Hello @Gregman3800 

 

This approach significantly enhances network security, it involves a substantial administrative burden when static IP addresses are used, as each static IP and its corresponding MAC address must be manually added to the DHCP Snooping binding database. This task is labor-intensive and error-prone, especially in large networks, leading to potential scalability issues and the risk of misconfigurations that could disrupt network operations...

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
M02@rt37
VIP
VIP

‎07-02-2024 07:53 AM - edited ‎07-02-2024 07:53 AM

Hello @Gregman3800 

 

This approach significantly enhances network security, it involves a substantial administrative burden when static IP addresses are used, as each static IP and its corresponding MAC address must be manually added to the DHCP Snooping binding database. This task is labor-intensive and error-prone, especially in large networks, leading to potential scalability issues and the risk of misconfigurations that could disrupt network operations...

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎07-02-2024 08:30 AM

there is three network  mode here 
1-all endpoint run DHCP <<- here it easy to config DHCP snooping and DAI and IPSG 
2-some endpoint run static other run DHCP <<- here we use static entry to binding 
3-all endpoint run static <<- it so so difficult to use static entry to binding 

MHM

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎07-02-2024 10:52 AM

I check for L2 security instead of static binding I will update you tomorrow

MHM 

Go to solution
Gregman3800
Level 1
Level 1
In response to MHM Cisco World

‎07-02-2024 11:04 AM

Thanks that would be good to know!

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Gregman3800

‎07-02-2024 11:27 AM - edited ‎07-02-2024 01:01 PM

this brief l2 attack and defensive 
the most import is two ARP attack and DHCP server attack, 
the ARP attack we can use VLAN ACL or private VLAN <<- correction you must also use port ACL for ARP attack
but for DHCP server attack the table dont show that but port ACL can prevent any l2 port to send DHCP offer unless it port connect to DHCP server. 

MHM

36cff938-b48d-4c2f-94a6-7b352de9ee51.png

0 Helpful
Top