Hello,

Remember that DHCP snooping is not used to "authenticate" DHCP snooping. Once built, the DHCP snooping database can be used for IP spoofing, but nowhere does the client actually authenticate.

Another thing I read below is that you slightly misunderstand the way this works. As you wrote, let's say that we have a switch with some ports untrusted and one port with the DHCP server. There is no database on the switch. Then, on port #1 we receive a DHCP discovery from the client. This gets flooded to all ports in the VLAN (because it's broadcast). The DHCP server sends an offer to the client and the client accepts this offer - this was all unicast and this is what DHCP snooping will track and build the database from. When the server sends an offer, the DHCP snooping process will pick up this information. Then the client will send a DHCP request and snooping is going to say "this looks like a done deal". When the DHCP server finally confirms the request, the snooping process will save the client binding (port, vlan, mac address, ip address, etc) into its local snooping database. This is how the database is built dynamically.

Now, there could be some cases when you have manual bindings. For example... there is no DHCP server in your network, but you still want to use services provided by DHCP snooping. In those cases, you need to feed the DHCP snooping process a pre-built database.

More clear? :-)

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Community: http://www.ipexpert.com/communities

On Sat, Jan 9, 2010 at 09:59, Wilson Tuma <[email protected]> wrote:
> Hi Marko
>
> Thanks for the response but I am even more confused now.
>
> IP dhcp snooping puts all ports in the given vlan in the untrusted state.
> All dhcp requests received from this port will be forwarded to the DHCP
> server which is configured on the trusted port. Now the DHCP database is
> needed to verify the authenticity of the client requesting the IP address.
> If the dhcp binding information for the client has not been manually entered to
> the dhcp snooping database, how then will information be obtained to actually
> authenticate the requesting client.
>
> I am looking for how the dhcp binding database is dynamically built.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
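The dynamic build-up Marko describes (DISCOVER flooded, OFFER and ACK accepted only from the trusted port, binding written once the ACK closes the exchange) and the manually fed binding for a network without a DHCP server can be followed in a small simulation. This is an added example, not code from the mailing-list thread or from any vendor; the port names, VLAN, MAC and IP addresses are constructed sample values, the `lease` field and the `verify_source` check that consults the table afterwards are assumptions about what a switch keeps in and does with its binding database, and renewals without a fresh DISCOVER are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DhcpMessage:
    kind: str                       # "DISCOVER", "OFFER", "REQUEST" or "ACK"
    ingress_port: str               # switch port the frame arrived on
    vlan: int
    client_mac: str                 # chaddr of the DHCP packet
    yiaddr: Optional[str] = None    # address offered/assigned by the server
    lease: int = 0                  # lease time in seconds (assumed field)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int
    source: str                     # "dynamic" (learned) or "static" (manually fed)


class DhcpSnooping:
    """Per-switch snooping state: trusted ports, in-flight exchanges, bindings."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        # (vlan, mac) -> state of an exchange that has not been ACKed yet
        self.pending: Dict[Tuple[int, str], dict] = {}
        self.bindings: Dict[Tuple[int, str], Binding] = {}
        self.dropped: List[str] = []

    def process(self, msg: DhcpMessage) -> bool:
        """Inspect one DHCP message; return True if the switch forwards it."""
        key = (msg.vlan, msg.client_mac)
        if msg.kind in ("OFFER", "ACK"):
            # Server-side messages are only accepted from trusted ports.
            if msg.ingress_port not in self.trusted:
                self.dropped.append(f"{msg.kind} from untrusted port {msg.ingress_port}")
                return False
        elif msg.ingress_port in self.trusted:
            # Clients behind a trusted port are not tracked; just forward.
            return True

        if msg.kind == "DISCOVER":
            self.pending[key] = {"port": msg.ingress_port, "offer": None, "requested": False}
        elif msg.kind == "OFFER":
            state = self.pending.get(key)
            if state is None:
                self.dropped.append(f"OFFER for unknown client {msg.client_mac}")
                return False
            state["offer"] = msg.yiaddr
        elif msg.kind == "REQUEST":
            state = self.pending.get(key)
            if state is None or state["port"] != msg.ingress_port:
                self.dropped.append(f"REQUEST on {msg.ingress_port} without matching DISCOVER")
                return False
            state["requested"] = True           # "this looks like a done deal"
        elif msg.kind == "ACK":
            state = self.pending.pop(key, None)
            if state is None or not state["requested"]:
                self.dropped.append(f"ACK for {msg.client_mac} without a tracked REQUEST")
                return False
            # Server confirmed the request: write the binding into the database.
            self.bindings[key] = Binding(
                mac=msg.client_mac, ip=msg.yiaddr, vlan=msg.vlan,
                port=state["port"], lease=msg.lease, source="dynamic")
        return True

    def add_static_binding(self, mac, ip, vlan, port, lease=0):
        """Manual binding, used when there is no DHCP server to learn from."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port, lease, "static")

    def verify_source(self, port, vlan, mac, ip) -> bool:
        """Does a data packet's (port, VLAN, MAC, IP) match a stored binding?"""
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port


def run_demo() -> DhcpSnooping:
    # Constructed exchange: client on Gi0/1, server behind trusted Gi0/24, and
    # one OFFER arriving on untrusted Gi0/2 that the snooping process discards.
    sw = DhcpSnooping(trusted_ports={"Gi0/24"})
    mac = "00:11:22:33:44:55"
    for msg in [
        DhcpMessage("DISCOVER", "Gi0/1", 10, mac),
        DhcpMessage("OFFER", "Gi0/2", 10, mac, yiaddr="10.0.10.99"),
        DhcpMessage("OFFER", "Gi0/24", 10, mac, yiaddr="10.0.10.50", lease=86400),
        DhcpMessage("REQUEST", "Gi0/1", 10, mac),
        DhcpMessage("ACK", "Gi0/24", 10, mac, yiaddr="10.0.10.50", lease=86400),
    ]:
        sw.process(msg)
    # Pre-built entry for a host with a fixed address (sample values).
    sw.add_static_binding("aa:bb:cc:dd:ee:ff", "10.0.10.200", 10, "Gi0/5")
    return sw


if __name__ == "__main__":
    table = run_demo()
    for b in table.bindings.values():
        print(f"{b.mac} {b.ip} vlan {b.vlan} {b.port} lease {b.lease} ({b.source})")
    print("dropped:", table.dropped)
```

Running it prints one dynamic binding learned from the four-step exchange, one static binding, and the single dropped OFFER from the untrusted port; `verify_source` then answers yes only for the (port, VLAN, MAC, IP) tuple that the database holds, which is the sense in which the database is consulted afterwards rather than the client being authenticated during the exchange.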
