DHCP Snooping Binding Table Question

Dean Romanelli
Level 4

Hi All,

I have a question regarding the DHCP Snooping/Binding Table:

The way I understand it is that when DHCP snooping is enabled, the switch builds a binding table that has all of the trusted MAC addresses and their IP DHCP mappings. The firewall function of DHCP snooping then looks at the traffic and consults the binding table before permitting/denying the traffic to reach the DHCP server.

1. How is the DHCP binding table initially built? Does it send a broadcast to all stations/devices currently pulling down a leased address to reply with its MAC-IP?

2. If so, how does DHCP Snooping handle new stations being added to the network once the binding table has been built? Won't those stations be considered rogues, as their DHCPDISCOVER message will be seen by the firewall function as an unknown/untrusted MAC that is not in the binding table? Would I have to disable and re-enable snooping every time a new station is added to the network?

3. Does the firewall function occur at the access port? I would imagine it does, since trunk ports are usually trusted.

Thanks in advance for any help.


3 Replies

cadet alain
VIP Alumni

Hi,

1) The switch looks for the DHCP leased addresses by inspecting the DHCP messages and then inserts the corresponding fields into the DHCP snooping database.

2) DHCP snooping by itself will only drop DHCP server messages on untrusted ports; it would be used by DAI to alleviate ARP spoofing and by IP Source Guard to prevent IP spoofing or users from giving static IPs to the hosts having a binding in the table.

3) It prevents rogue DHCP servers on untrusted ports, and other features leveraging the DHCP snooping database will prevent hosts from sending false ARP replies or changing their IP and/or impersonating another IP (spoofing).

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

Ok, so let me ask you this then:

If I configure DHCP snooping on my access switch, and I set all my access ports to a trusted state, then snooping is never going to drop any return traffic from my DHCP server, right? However, if I set all my access ports to an untrusted state, and then try to add a new station/host to one of those untrusted ports, then that new station will never receive a lease, because snooping will keep dropping the responses from the DHCP server, correct? So if I want to add a new station, I need to set the port status to trusted.

If this is true, then what about a disgruntled employee who plugs a hub into his access port (which is trusted, as it connects to an employee station) and plugs a rogue DHCP server into the hub? How does DHCP snooping prevent that from happening if the port is trusted?


Hi;

You only need to trust the port going upward to your legitimate DHCP server so that the DHCP server messages are not dropped inbound, as by default all ports are untrusted.

Regards

Alain

Don't forget to rate helpful posts.
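The behaviour Alain describes across his two replies (bindings learned by inspecting the DHCP exchange, server replies dropped on untrusted ports, so only the uplink toward the real DHCP server is trusted), modelled as an added Python example; this is not Cisco's implementation or code from the thread, and the port names, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, field

# DHCP message types the switch inspects (option 53). Client messages may
# arrive on any port; server replies are accepted only on trusted ports.
CLIENT_TYPES = {"DISCOVER", "REQUEST"}
SERVER_TYPES = {"OFFER", "ACK", "NAK"}

@dataclass
class Msg:
    kind: str         # DHCP message type
    ingress: str      # port the frame arrived on
    client_mac: str   # chaddr field
    yiaddr: str = ""  # leased IP, present in OFFER/ACK
    vlan: int = 10

@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # ports with 'ip dhcp snooping trust'
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> (ip, access port)
    _seen: dict = field(default_factory=dict)     # (mac, vlan) -> port of last client msg

    def inspect(self, m: Msg) -> str:
        """Forwarding decision for one DHCP message; learns bindings as a side effect."""
        key = (m.client_mac, m.vlan)
        if m.kind in CLIENT_TYPES:
            # Any port may originate client messages: a new host is never blocked.
            self._seen[key] = m.ingress
            return "forward"
        if m.kind in SERVER_TYPES:
            if m.ingress not in self.trusted:
                return "drop"  # server reply on an untrusted port: rogue DHCP server
            if m.kind == "ACK":
                self.bindings[key] = (m.yiaddr, self._seen.get(key, "?"))
            elif m.kind == "NAK":
                self.bindings.pop(key, None)
            return "forward"
        return "drop"  # unknown type: fail closed

def run_scenario():
    """Constructed exchange: uplink Gi0/24 trusted, access ports left untrusted."""
    sw = SnoopingSwitch(trusted={"Gi0/24"})
    mac = "00:11:22:33:44:55"
    results = [
        sw.inspect(Msg("DISCOVER", "Gi0/1", mac)),             # new host on untrusted port
        sw.inspect(Msg("OFFER", "Gi0/24", mac, "10.0.10.50")),  # real server via uplink
        sw.inspect(Msg("REQUEST", "Gi0/1", mac)),
        sw.inspect(Msg("ACK", "Gi0/24", mac, "10.0.10.50")),    # binding learned here
        sw.inspect(Msg("OFFER", "Gi0/2", mac, "192.168.1.9")),  # rogue server on access port
    ]
    return results, dict(sw.bindings)
```

The first four decisions show a new host on an untrusted port completing a lease with the binding recorded from the server's ACK, while the last shows an OFFER from an access port being dropped.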