01-27-2016 10:20 PM - edited 03-08-2019 03:33 AM
I am currently studying CCNA-S through Netacad and have been introduced to DHCP Snooping, DAI and IPSG. I understand the basic idea of the binding table but have been left with some unanswered questions:
1. How do you baseline the bindings table in the first place?
2. If DHCP messages not matching the binding table are discarded, how are new legitimate clients introduced to the network?
3. At what point does the switch transition from creating bindings to policing against the bindings?
Any references to a good tutorial or document would be most welcome.
Kind Regards
Dean
02-07-2016 01:12 PM
Hello dean.farr4331,
I will try to answer your question in-line:
1. How do you baseline the bindings table in the first place?
2. If DHCP messages not matching the binding table are discarded, how are new legitimate clients introduced to the network?
By adding them to the binding database; then they will be validated.
3. At what point does the switch transition from creating bindings to policing against the bindings?
"Packet Validation
The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
• The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0."
I hope it helps. I also suggest reading the complete Cisco documentation about DHCP Snooping: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1114389
L.
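To make the quoted validation rules concrete, here is an added example (not from the original posts or from Cisco) that models a simplified DHCP snooping switch in Python. Bindings are learned from DHCPACKs seen on a trusted port, keyed to the untrusted port the client's request arrived on, or seeded statically; client traffic on untrusted ports is checked against the four conditions above. There is no separate "baseline" phase in the model: learning and validation happen on every packet. Interface names, MAC addresses and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Message types only a DHCP server should originate (from the quoted Cisco text)
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class Pkt:
    msg: str                 # DHCP message type, e.g. "DHCPDISCOVER"
    iface: str               # switch port the frame arrived on (constructed names)
    vlan: int
    src_mac: str             # Ethernet source MAC
    chaddr: str              # DHCP client hardware address field
    yiaddr: str = "0.0.0.0"  # address assigned (set in server messages)
    giaddr: str = "0.0.0.0"  # relay agent IP; must stay 0.0.0.0 from a client

@dataclass
class SnoopingSwitch:
    trusted: Set[str]
    mac_verify: bool = True
    # (mac, vlan) -> (ip, iface); populated by snooping ACKs or by static entries
    bindings: Dict[Tuple[str, int], Tuple[str, str]] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def add_static_binding(self, mac, vlan, ip, iface):
        """Manually seed the table, the 'adding them to the binding database' step."""
        self.bindings[(mac, vlan)] = (ip, iface)

    def process(self, p: Pkt) -> str:
        key = (p.chaddr, p.vlan)
        if p.iface in self.trusted:
            # Trusted (server-facing) port: learn a binding from the ACK, recorded
            # against the untrusted port the client's request came in on
            if p.msg == "DHCPACK" and key in self.pending:
                self.bindings[key] = (p.yiaddr, self.pending.pop(key))
            return "forward"
        # Untrusted port: the four validation rules, checked in order
        if p.msg in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if self.mac_verify and p.src_mac != p.chaddr:
            return "drop: source MAC / chaddr mismatch"
        if (p.msg in ("DHCPRELEASE", "DHCPDECLINE") and key in self.bindings
                and self.bindings[key][1] != p.iface):
            return "drop: release/decline from wrong interface"
        if p.giaddr != "0.0.0.0":
            return "drop: non-zero relay agent IP"
        if p.msg in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = p.iface  # remember which port the client sits on
        return "forward"
```

Feeding a DISCOVER on an untrusted port followed by the server's ACK on the trusted port creates the binding; a later DHCPRELEASE for that client is then only accepted from the port recorded in the binding.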