No, you do not trust the client ports. The switch looks at the DHCP lease messages that servers send, so you do not need to trust client ports.

Regards,
Joe Astorino - CCIE #24347 R&S
Technical Instructor - IPexpert, Inc.
Cell: +1.586.212.6107
Fax: +1.810.454.0130
Mailto: [email protected]

-----Original Message-----
From: Wilson Tuma <[email protected]>
Date: Fri, 8 Jan 2010 23:08:34
To: <[email protected]>
Subject: [OSL | CCIE_RS] Help in Understanding DHCP snooping.

Hi Joe

Thanks for the explanation. I believe I should have said dynamically instead of automatically.

If I understand your explanation, for the database to be dynamically built one needs to specifically trust the client port as well by using the "ip dhcp snooping trust" command. Right?

Thanks
Wilson Tuma

===================================================================

Hi all

I need some help to understand DHCP Snooping.

My understanding is that DHCP Snooping is a DHCP security feature in which DHCP requests are matched against a DHCP snooping database. Requests which pass security checks are processed and those which do not are discarded.

Normally all ports are considered to be untrusted ports, and ports on which DHCP servers are connected need to be specifically configured as trusted with the ip dhcp snooping trust command.

I also understand this database can be populated manually.

My questions are:

1. Can the DHCP snooping database be automatically populated, and if so how does it work?
2. What is used to distinguish requests from the internal network and the external network in the following statement from the config manual?

"An untrusted DHCP message is a message that is received from outside the network or firewall. When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer's switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.

The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface.

In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network."

Thanks.
Wilson F. Tuma
====================================
CCNP, CCNA, MCSE, MCSA
Box 1784 Douala
Cell : +237 77 7753 753
Email : [email protected]
====================================

------------------------------

Message: 6
Date: Fri, 8 Jan 2010 21:11:52 -0500
From: Joe Astorino <[email protected]>
Subject: Re: [OSL | CCIE_RS] Help in Understanding DHCP snooping.
To: Wilson Tuma <[email protected]>
Cc: "RS Ipexpert." <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"

Hey Wilson,

Your overall understanding and assumptions are correct. I will try to answer your more specific questions.

1) Not really sure I understand what you mean by populate automatically. What happens is as you stated -- you set ports to trusted, and if they are not trusted the switch will discard DHCP messages seen on those ports. This is how the database is built -- it looks at DHCP messages and populates the database based on things like MAC address, IP address leased out, etc. So I guess what I am saying is that the process of populating the database already is automatic once you configure ports to be trusted. There is no way to make a port "automatically" trusted.

2) Requests are identified by the switch by simply looking into the packet and seeing the DHCP protocol information. The switch knows whether this is "internal" or "external", as you say, by having information on whether the port is trusted or not. In an SP environment I would imagine you would want ports facing the customer to be untrusted.

HTH

On Fri, Jan 8, 2010 at 8:35 PM, Wilson Tuma <[email protected]> wrote:
>
> Hi all
>
> I need some help to understand DHCP Snooping.
>
> My understanding is that DHCP Snooping is a DHCP security feature in which
> DHCP requests are matched against a DHCP snooping database. Requests which
> pass security checks are processed and those which do not are discarded.
>
> Normally all ports are considered to be untrusted ports, and ports on
> which DHCP servers are connected need to be specifically configured as
> trusted with the ip dhcp snooping trust command.
>
> I also understand this database can be populated manually.
>
> My questions are:
>
> 1. Can the DHCP snooping database be automatically populated, and if so how
> does it work?
> 2. What is used to distinguish requests from the internal network and the
> external network in the following statement from the config manual?
>
> "An untrusted DHCP message is a message that is received from outside the
> network or firewall. When you use DHCP snooping in a service-provider
> environment, an untrusted message is sent from a device that is not in the
> service-provider network, such as a customer's switch. Messages from unknown
> devices are untrusted because they can be sources of traffic attacks.
> The DHCP snooping binding database has the MAC address, the IP address, the
> lease time, the binding type, the VLAN number, and the interface information
> that corresponds to the local untrusted interfaces of a switch. It does not
> have information regarding hosts interconnected with a trusted interface.
> In a service-provider network, a trusted interface is connected to a port
> on a device in the same network. An untrusted interface is connected to an
> untrusted interface in the network or to an interface on a device that is
> not in the network."
>
> Thanks.
> Wilson F. Tuma
> ====================================
> CCNP, CCNA, MCSE, MCSA
> Box 1784 Douala
> Cell : +237 77 7753 753
> Email : [email protected]
> ====================================
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>

--
Regards,
Joe Astorino
CCIE #24347 (R&S)
Sr. Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
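The trust model discussed in the thread, as an added example that is not part of the original messages or any vendor code: a small Python model of a snooping switch that drops server-originated DHCP messages on untrusted ports and learns a binding (MAC, IP, lease, VLAN, interface) from the server's ACK, keyed to the untrusted port the client asked from. Port names, the MAC and the IP addresses are constructed for the demo.

```python
"""Constructed model of how a DHCP snooping switch applies per-port trust
and builds its binding database (example added here, not Cisco code).
Port names, MAC and IP addresses below are made up for the demo."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server originates these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # clients send these from untrusted ports

@dataclass
class DhcpMsg:
    kind: str          # DISCOVER / OFFER / REQUEST / ACK / NAK
    chaddr: str        # client hardware address carried in the DHCP payload
    yiaddr: str = ""   # address being handed out (OFFER / ACK)
    lease: int = 0     # lease time in seconds (ACK)

@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)      # ports under "ip dhcp snooping trust"
    bindings: dict = field(default_factory=dict)   # chaddr -> learned binding
    _pending: dict = field(default_factory=dict)   # chaddr -> (vlan, port) of last client request

    def receive(self, port: str, vlan: int, msg: DhcpMsg) -> str:
        """Decide 'forward' or 'drop' for one DHCP message seen on `port`."""
        if msg.kind in SERVER_MSGS and port not in self.trusted:
            return "drop"   # server reply on an untrusted port: rogue server, discard
        if msg.kind in CLIENT_MSGS:
            # remember which (untrusted) port the client lives on; the server's
            # ACK will later be matched back to it by chaddr
            self._pending[msg.chaddr] = (vlan, port)
        elif msg.kind == "ACK" and msg.chaddr in self._pending:
            vlan, client_port = self._pending.pop(msg.chaddr)
            if client_port not in self.trusted:   # hosts behind trusted ports are not tracked
                self.bindings[msg.chaddr] = {"ip": msg.yiaddr, "lease": msg.lease,
                                             "type": "dynamic", "vlan": vlan,
                                             "interface": client_port}
        return "forward"

def demo():
    """Uplink to the real server is trusted; the two access ports are not."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})
    mac = "00:11:22:33:44:55"   # constructed client MAC
    decisions = [
        sw.receive("Fa0/2", 10, DhcpMsg("DISCOVER", mac)),                 # forward
        sw.receive("Fa0/3", 10, DhcpMsg("OFFER", mac, "10.0.0.99")),       # drop: rogue server
        sw.receive("Gi0/1", 10, DhcpMsg("OFFER", mac, "10.0.0.20")),       # forward
        sw.receive("Fa0/2", 10, DhcpMsg("REQUEST", mac)),                  # forward
        sw.receive("Gi0/1", 10, DhcpMsg("ACK", mac, "10.0.0.20", 86400)),  # forward, binding learned
    ]
    return decisions, sw.bindings
```

Only the server-facing uplink is trusted; the client on Fa0/2 never needs a trust statement, yet its binding is learned because the ACK arriving on the trusted port is matched to the request seen on the untrusted port.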
