A few questions on DHCP snooping and dynamic ARP inspection

sarahr202
Level 5

Hi everybody.

I just want to verify two things.

DHCP snooping:

host1--------untrusted-f1/1--SW--f1/2--untrusted------Dhcp server.

When host 1 sends a DHCP discover, SW1 will forward it out of f1/2, which is untrusted, to the DHCP server. However, when the DHCP server sends a DHCP offer message, SW1 will drop it because it is received on an untrusted port. This is my understanding. Is it correct?

I ask because I was watching a YouTube video on DHCP snooping in which the presenter claims SW1 will not forward the DHCP discover message out of f1/2 because it is untrusted. Is it not true that a switch configured with DHCP snooping monitors incoming DHCP messages on an untrusted port, and does not monitor outgoing DHCP messages on an untrusted port?

Dynamic arp inspection:

h1------untrusted f1/1---sw---trusted----host2.

This is my understanding.

The switch will monitor all incoming ARP request and response messages on untrusted port f1/1. The switch will not monitor outgoing ARP responses on untrusted port f1/1. Or will it?

Thanks, and have a great weekend.

2 Accepted Solutions

Jeff Van Houten
Level 5

The answer to the first question is yes. Ports connected to the DHCP server should be marked trusted.

Sent from Cisco Technical Support iPad App


Peter Paluch
Cisco Employee

Hello Sarah,

host1--------untrusted-f1/1--SW--f1/2--untrusted------Dhcp server.

When host 1 sends a DHCP discover, SW1 will forward it out of f1/2, which is untrusted, to the DHCP server. However, when the DHCP server sends a DHCP offer message, SW1 will drop it because it is received on an untrusted port. This is my understanding. Is it correct?

No, this would not be a correct description. A client DHCP message (i.e. DISCOVER, REQUEST, INFORM, RELEASE, DECLINE) may never be forwarded out an untrusted port. It may be received on an untrusted port, but it should never be forwarded out an untrusted port. This is to prevent other clients from eavesdropping on some other station's communication with the DHCP server.

I ask because I was watching a YouTube video on DHCP snooping in which the presenter claims SW1 will not forward the DHCP discover message out of f1/2 because it is untrusted.

The presenter was correct.

Is it not true that a switch configured with DHCP snooping monitors incoming DHCP messages on an untrusted port?

This is true; however, we have to be more precise about the word "monitor". On an untrusted port, a DHCP Snooping-enabled switch automatically drops all server messages (OFFER, ACK, NAK). Client messages are permitted if they pass a certain set of checks. However, client messages can be forwarded out trusted ports only; server messages can be forwarded out only the port towards the client, and are never flooded, even if they are broadcast by the server.

h1------untrusted f1/1---sw---trusted----host2.

This is my understanding.

The switch will monitor all incoming ARP request and response messages on untrusted port f1/1. The switch will not monitor outgoing ARP responses on untrusted port f1/1. Or will it?

Correct - DAI applies to incoming ARP messages, not to outgoing messages.

Best regards,

Peter


5 Replies


Hello Sarah,

You are correct on both counts.

DHCP snooping -

An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
A trusted interface is an interface that is configured to receive only messages from within the network.

DAI -

Intercepts all ARP requests and responses on untrusted ports.


res

Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Thanks Peter.

Hi Peter

An extract from one of my books:

Dynamic ARP inspection is a security feature that validates ARP packets in a network. Dynamic ARP inspection determines the validity of packets by performing an IP-to-MAC address binding inspection stored in a trusted database (the DHCP snooping binding database) before forwarding the packet to the appropriate destination. Dynamic ARP inspection will drop all ARP packets with invalid IP-to-MAC address bindings that fail the inspection. The DHCP snooping binding database is built when the DHCP snooping feature is enabled on the VLANs and on the switch.

What does a switch configured with DAI check in an ARP message received on an untrusted port?

The extract from the book talks about the MAC-IP binding, but says not a word about the port on which such an IP-MAC pair is valid. For example, if a switch has a DHCP binding such as:

199.199.199.1    0000.000.0001      f0/1

A rogue computer connected to port f1/2 that spoofs the IP address 199.199.199.1 and MAC address 0000.0000.0001 will succeed in sending the ARP message, because as per the book's extract, the MAC-IP binding matches.

I don't have the right equipment to test it out, but my guess is that the switch should also check the port (i.e. the MAC-IP binding and the port, which in my example is f0/1) in the DHCP binding, not just the MAC-IP binding, to foil such an attack.

What do you think?

Thanks.
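To make the forwarding rules in Peter's accepted answer and the binding question in Sarah's last post concrete, here is a small model of a DHCP-snooping/DAI switch. It is an added illustration written for this page, not Cisco code; the port names, MAC addresses and bindings are constructed, and the `check_port` flag models the stricter per-port match Sarah proposes as an assumption, not as documented switch behaviour.

```python
from dataclasses import dataclass, field

# DHCP message classes as Peter lists them
CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "RELEASE", "DECLINE"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class SnoopingSwitch:
    trusted: set                      # ports marked trusted for DHCP snooping / DAI
    mac_table: dict                   # learned MAC -> port
    bindings: dict = field(default_factory=dict)   # (ip, mac) -> port, from DHCP snooping

    def dhcp_egress(self, in_port, msg, client_mac):
        """Return the ports a DHCP message leaves on; an empty list means it is dropped."""
        if msg in SERVER_MSGS:
            if in_port not in self.trusted:
                return []                          # server message on untrusted port: dropped
            port = self.mac_table.get(client_mac)  # only towards the client, never flooded
            return [port] if port else []
        if msg in CLIENT_MSGS:
            # accepted on any port, but relayed out trusted ports only
            return sorted(p for p in self.trusted if p != in_port)
        raise ValueError(f"unknown DHCP message {msg}")

    def arp_allowed(self, in_port, sender_ip, sender_mac, check_port=False):
        """DAI decision for an ARP packet on ingress; egress ARP is never inspected.

        check_port=False: IP-to-MAC binding only, as in the book extract.
        check_port=True: also require the binding's port to match (Sarah's proposal,
        an assumption in this model).
        """
        if in_port in self.trusted:
            return True
        port = self.bindings.get((sender_ip, sender_mac))
        if port is None:
            return False
        return port == in_port if check_port else True


def demo():
    # constructed topology: host1 on f1/1 (untrusted), DHCP server on f1/2 (trusted, per Jeff)
    sw = SnoopingSwitch(trusted={"f1/2"}, mac_table={"aaaa.aaaa.0001": "f1/1"})
    out = [sw.dhcp_egress("f1/1", "DISCOVER", "aaaa.aaaa.0001"),
           sw.dhcp_egress("f1/2", "OFFER", "aaaa.aaaa.0001")]
    # Sarah's original diagram with both ports untrusted: DISCOVER is not relayed, OFFER is dropped
    sw2 = SnoopingSwitch(trusted=set(), mac_table=sw.mac_table)
    out += [sw2.dhcp_egress("f1/1", "DISCOVER", "aaaa.aaaa.0001"),
            sw2.dhcp_egress("f1/2", "OFFER", "aaaa.aaaa.0001")]
    return out
```

Running `demo()` gives `[['f1/2'], ['f1/1'], [], []]`: with the server port trusted the exchange works, with both ports untrusted the discover never leaves the switch, which is what the video presenter described.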