Saturday, September 10, 2011

Restrict DHCP response on Cisco 3560 layer 3 switch


DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch. For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.

When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, it verifies that the source MAC address and the DHCP client hardware address match (the default). If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.

DHCP snooping considers DHCP messages that originate from any user-facing port that is not a DHCP server port as untrusted. From a DHCP snooping perspective, these untrusted user-facing ports must not send DHCP server type responses, such as DHCPOFFER, DHCPACK, or DHCPNAK.

My situation is that a local network cluster is connected to the department network. The department network has a DHCP server A, which serves every port that forwards DHCP requests to it. However, my local network cluster also has its own DHCP server B, which provides DHCP service for the local nodes only. A conflict therefore occurs whenever a local cluster node requests an address: the request may be answered by DHCP server A or by DHCP server B, depending on which one responds first. The conflict is caused entirely by the broadcast nature of DHCP requests, which reach every part of the network.

My solution is to block the DHCP response packets coming from the department DHCP server A, which the local cluster does not need. A sample of the commands on a Cisco 3560 layer 3 switch follows:
	
cisco3560#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.

cisco3560(config)#ip dhcp snooping 
cisco3560(config)#ip dhcp snooping vlan 99	/* my local network vlan number */
cisco3560(config)#ip dhcp snooping information option

cisco3560(config)#interface gigabitEthernet0/48	/* my local DHCP server B access */
cisco3560(config-if)#ip dhcp snooping trust 
cisco3560(config-if)#exit 
cisco3560(config)#ip dhcp snooping verify mac-address 
cisco3560(config)#end

cisco3560#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
cisco3560(config)#interface gigabitEthernet0/47	/* department DHCP server A access */
cisco3560(config-if)#no ip dhcp snooping trust
cisco3560(config-if)#end
cisco3560#copy running-config startup-config 


This example shows how to display the DHCP snooping configuration for a switch.
cisco3560# show ip dhcp snooping

This example shows how to display the DHCP snooping binding entries for a switch.
cisco3560# show ip dhcp snooping binding
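To make the rules above concrete, here is an added Python model (not Cisco code, and a simplification of the real feature) of what the switch does with each DHCP message once snooping is on for VLAN 99 with Gi0/48 trusted: server-type messages from untrusted ports are dropped, the source MAC is checked against chaddr on untrusted ports, and a binding entry is learned from the trusted server's DHCPACK. The interface names, MACs and addresses are constructed for the scenario in the post.

```python
"""Simplified model of DHCP snooping forwarding decisions (constructed example)."""
from dataclasses import dataclass, field

# DHCP message type values (option 53, RFC 2132).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_TYPES = {DHCPOFFER, DHCPACK, DHCPNAK}   # only a DHCP server may send these


@dataclass
class DhcpMsg:
    port: str        # ingress interface, e.g. "Gi0/48"
    vlan: int
    src_mac: str     # Ethernet source MAC of the frame
    chaddr: str      # client hardware address field inside the DHCP payload
    msg_type: int
    yiaddr: str = ""  # address handed out in OFFER/ACK


@dataclass
class Snooper:
    snoop_vlans: set            # VLANs with "ip dhcp snooping vlan N"
    trusted: set                # ports with "ip dhcp snooping trust"
    verify_mac: bool = True     # "ip dhcp snooping verify mac-address"
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> ip

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward' or a drop reason for one DHCP message."""
        if m.vlan not in self.snoop_vlans:
            return "forward"                    # VLAN not snooped: no checks
        if m.port in self.trusted:
            if m.msg_type == DHCPACK:           # learn binding from the trusted server
                self.bindings[(m.vlan, m.chaddr.lower())] = m.yiaddr
            return "forward"
        if m.msg_type in SERVER_TYPES:          # rogue/unwanted server on a user port
            return "drop: server message on untrusted port"
        if self.verify_mac and m.src_mac.lower() != m.chaddr.lower():
            return "drop: source MAC does not match chaddr"
        return "forward"


def run_scenario():
    """Server B on Gi0/48 (trusted), server A on Gi0/47 (untrusted), client on Gi0/1."""
    s = Snooper(snoop_vlans={99}, trusted={"Gi0/48"})
    client = "00:11:22:33:44:55"
    msgs = [
        DhcpMsg("Gi0/1", 99, client, client, DHCPDISCOVER),
        DhcpMsg("Gi0/47", 99, "aa:aa:aa:aa:aa:01", client, DHCPOFFER, "10.0.0.50"),      # server A
        DhcpMsg("Gi0/48", 99, "bb:bb:bb:bb:bb:01", client, DHCPOFFER, "192.168.99.50"),  # server B
        DhcpMsg("Gi0/1", 99, client, "de:ad:be:ef:00:01", DHCPREQUEST),                 # spoofed chaddr
        DhcpMsg("Gi0/48", 99, "bb:bb:bb:bb:bb:01", client, DHCPACK, "192.168.99.50"),
    ]
    return [s.handle(m) for m in msgs], dict(s.bindings)
```

The offer from server A is dropped at the untrusted port, so only server B's offer reaches the client, and the resulting binding is what "show ip dhcp snooping binding" would list.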
	


Reference:
Configuring DHCP Features and IP Source Guard
How to configure a Cisco Layer 3 switch-InterVLAN Routing
