This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.

CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers in regards to the CCIE R&S track!! Note: answers are in the comment field or within "Read More" section.

You can also follow me on twitter @FE80CC1E


Sunday, April 25, 2010

Question 26

Why would one use DHCP snooping?

2 comments:

Packets Analyzed said...

DHCP snooping provides a layer of security and ensures rogue DHCP servers cannot offer DHCP services to your clients.

DHCP server on port f0/10
Rogue DHCP server on port f0/11
VLANs used 10 - clients, 20 servers

Must enable DHCP snooping on the switch
ip dhcp snooping

You need to identify which VLANs will be using DHCP snooping
ip dhcp snooping vlan 10,20

Now you have to configure the ports that are trusted to offer DHCP services (All ports are untrusted by default).
interface fa0/10
ip dhcp snooping trust

To allow a DHCP relay agent you must allow option 82; this is done with the following command:
ip dhcp snooping information option

To rate limit the number of DHCP packets per second use the following command:
ip dhcp snooping limit rate <pps>

Use the "show ip dhcp snooping" command.

Packets Analyzed said...

IP source guard can be used in combination with DHCP snooping. IP source guard prevents a host from spoofing an IP address that has been issued to a DHCP client. IP source guard can also work with static addresses.

Interface configuration commands
"ip verify source" (checks the IP address)
"ip verify source binding" (checks the MAC address)
"ip verify source port-security" (checks MAC and IP)

*Must be used with the "ip dhcp snooping" global configuration command
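The two comments above describe what the switch does with DHCP snooping and IP source guard but not how the decisions are made. The following Python model is an added example written for this page; it is not Cisco IOS code and not the commenter's configuration. It models an access switch with the topology from the first comment (trusted server port Fa0/10, rogue server on Fa0/11, a client on Fa0/1) and shows why a rogue OFFER is dropped, how the binding table is built from the client REQUEST and the server ACK, how IP source guard then uses that table to drop spoofed source addresses, and how the per-port rate limit err-disables a port that floods DHCP. All ports, MAC addresses, IP addresses and frames are constructed sample values; for simplicity every frame is shown in the client VLAN 10 as it would arrive at the access switch.

```python
from dataclasses import dataclass, field
from typing import Optional

# DHCP message types (option 53). Only a server legitimately sends these three.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Frame:
    """A constructed frame as seen by the access switch (hypothetical model)."""
    port: str
    vlan: int
    src_mac: str
    src_ip: str = "0.0.0.0"
    dhcp: Optional[str] = None     # DHCP message type, None for ordinary traffic
    chaddr: Optional[str] = None   # client hardware address in the DHCP header
    yiaddr: Optional[str] = None   # address assigned in OFFER/ACK


@dataclass
class Switch:
    """Model of DHCP snooping + IP source guard; maps onto the IOS commands in the comments."""
    snooping_vlans: set                                 # ip dhcp snooping vlan ...
    trusted: set = field(default_factory=set)           # ip dhcp snooping trust
    rate_limit: dict = field(default_factory=dict)      # ip dhcp snooping limit rate <pps>
    source_guard: dict = field(default_factory=dict)    # port -> "ip" or "ip-mac"
    bindings: dict = field(default_factory=dict)        # (vlan, ip) -> (mac, port)
    pending: dict = field(default_factory=dict)         # (vlan, mac) -> port of a client request
    dhcp_seen: dict = field(default_factory=dict)       # port -> DHCP packets in this interval
    errdisabled: set = field(default_factory=set)

    def handle(self, f: Frame) -> str:
        if f.port in self.errdisabled:
            return "drop: port err-disabled"
        return self._dhcp(f) if f.dhcp is not None else self._source_guard(f)

    def _dhcp(self, f: Frame) -> str:
        if f.vlan not in self.snooping_vlans:
            return "forward"                      # VLAN not inspected
        if f.port in self.trusted:
            # Learn a binding when the real server acknowledges a client we saw.
            if f.dhcp == "ACK" and f.yiaddr:
                client_port = self.pending.get((f.vlan, f.chaddr))
                if client_port:
                    self.bindings[(f.vlan, f.yiaddr)] = (f.chaddr, client_port)
            return "forward"
        # Untrusted port: count toward the rate limit first.
        n = self.dhcp_seen[f.port] = self.dhcp_seen.get(f.port, 0) + 1
        if n > self.rate_limit.get(f.port, float("inf")):
            self.errdisabled.add(f.port)
            return "drop: rate limit exceeded, port err-disabled"
        if f.dhcp in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if f.chaddr != f.src_mac:                 # default MAC verification
            return "drop: chaddr does not match source MAC"
        self.pending[(f.vlan, f.chaddr)] = f.port  # remember where the client lives
        return "forward"

    def _source_guard(self, f: Frame) -> str:
        mode = self.source_guard.get(f.port)
        if mode is None:
            return "forward"                      # ip verify source not configured
        entry = self.bindings.get((f.vlan, f.src_ip))
        if entry is None or entry[1] != f.port:
            return "drop: no binding for source IP on this port"
        if mode == "ip-mac" and entry[0] != f.src_mac:
            return "drop: source MAC does not match binding"
        return "forward"


def demo():
    """Run the constructed scenario and return the per-frame decisions."""
    sw = Switch(snooping_vlans={10, 20}, trusted={"Fa0/10"},
                rate_limit={"Fa0/11": 2, "Fa0/1": 10},
                source_guard={"Fa0/1": "ip-mac"})
    client, server, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01"
    frames = [
        Frame("Fa0/1", 10, client, dhcp="DISCOVER", chaddr=client),
        Frame("Fa0/11", 10, rogue, "10.0.10.254", "OFFER", client, "10.0.10.99"),  # rogue
        Frame("Fa0/10", 10, server, "10.0.10.1", "OFFER", client, "10.0.10.50"),
        Frame("Fa0/1", 10, client, dhcp="REQUEST", chaddr=client),
        Frame("Fa0/10", 10, server, "10.0.10.1", "ACK", client, "10.0.10.50"),
        Frame("Fa0/1", 10, client, "10.0.10.50"),   # leased address: allowed
        Frame("Fa0/1", 10, client, "10.0.10.60"),   # spoofed address: dropped
        Frame("Fa0/11", 10, rogue, dhcp="DISCOVER", chaddr=rogue),
        Frame("Fa0/11", 10, rogue, dhcp="DISCOVER", chaddr=rogue),  # exceeds 2 pps
    ]
    return [sw.handle(f) for f in frames], sw


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

The order of checks on an untrusted port mirrors the switch: the packet is counted against the rate limit before any other inspection, so a flooding port is err-disabled regardless of what it sends, and server messages are refused before the binding table is ever consulted. IP source guard is only as good as the binding table, which is why the second comment says it must be used with DHCP snooping.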
