
DHCP snooping : Snooping DHCP server message only

1. DHCP snooping : Snooping DHCP server message only

    Posted 30 days ago
    Edited by LEEBAHI 30 days ago

    Hi everyone,

I am trying to understand the purpose of DHCP snooping: to build a database of IP-MAC-lease mappings that can be leveraged by other security features such as IP source guard, DAI, etc.

Focusing only on DHCP snooping, what is the purpose of snooping DHCP server messages?

I understand that by monitoring untrusted ports we can ensure only DHCP client-specific messages are allowed on untrusted ports; this protects the network against a rogue DHCP server being connected to untrusted ports.

    https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/concept/port-security-dhcp-snooping-els.html

But then the link posted above says the following:

    You can configure the switch to snoop DHCP server responses only from specific VLANs. Doing this prevents spoofing of DHCP server messages.

My understanding is that only DHCP client-specific messages are allowed on untrusted ports; any DHCP server-specific message on an untrusted port implies a rogue DHCP server's presence and therefore gets discarded. Given the above, how can we possibly snoop on DHCP server-specific messages, as the valid DHCP server is connected to a trusted port where no DHCP snooping occurs?

So how does the switch know which ports are connected to the DHCP server so it can only snoop the DHCP server's messages on those ports? Normally, we configure the ports connected to the DHCP server as trusted, so DHCP snooping occurs on those ports.

Thanks!!



    ------------------------------
    Be kind!!
    ------------------------------
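Added illustration, not code from the post or from Juniper: a small Python model of the trusted/untrusted decision the question describes. It shows why server messages arriving on trusted ports are still inspected even though they are never blocked there: the ACK is what supplies the IP address and lease that, combined with the port the client's REQUEST came in on, form the binding that IP source guard and DAI later enforce. The port names, the MAC-verification check and the RELEASE-port check are assumptions made for the example.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values a server originates

@dataclass
class Dhcp:
    msg_type: int             # option 53
    chaddr: str               # client hardware address in the BOOTP header
    yiaddr: str = "0.0.0.0"   # address assigned by the server (OFFER/ACK)
    lease: int = 0            # option 51 lease time in seconds (ACK)

@dataclass
class Snooper:
    trusted_ports: set                            # ports facing the real server
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> client port
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> (ip, port, lease)

    def handle(self, port, vlan, src_mac, pkt):
        key = (vlan, pkt.chaddr.lower())
        if port not in self.trusted_ports:
            # Untrusted port: a server-originated message means a rogue server.
            if pkt.msg_type in SERVER_MSGS:
                return "DROP"
            # Client messages must carry the MAC of the frame that sent them.
            if pkt.chaddr.lower() != src_mac.lower():
                return "DROP"
            if pkt.msg_type in (1, 3):           # DISCOVER / REQUEST
                self.pending[key] = port         # remember which port is asking
            elif pkt.msg_type == 7:              # RELEASE
                # Honoured only from the port that holds the binding.
                if self.bindings.get(key, (None, None, None))[1] != port:
                    return "DROP"
                del self.bindings[key]
            return "FORWARD"
        # Trusted port: replies are forwarded unchanged, but the ACK is still
        # snooped so the switch learns the IP-MAC-lease binding for the port.
        if pkt.msg_type == 5 and key in self.pending:
            self.bindings[key] = (pkt.yiaddr, self.pending.pop(key), pkt.lease)
        elif pkt.msg_type == 6:                  # NAK: forget the pending request
            self.pending.pop(key, None)
        return "FORWARD"

def demo():
    # Constructed exchange: client on ge-0/0/1, real server on ge-0/0/48, rogue on ge-0/0/2
    s, mac = Snooper(trusted_ports={"ge-0/0/48"}), "00:11:22:33:44:55"
    s.handle("ge-0/0/1", 10, mac, Dhcp(3, mac))
    s.handle("ge-0/0/48", 10, "aa:bb:cc:dd:ee:ff", Dhcp(5, mac, yiaddr="192.0.2.10", lease=3600))
    rogue = s.handle("ge-0/0/2", 10, "de:ad:be:ef:00:01", Dhcp(2, mac, yiaddr="192.0.2.99"))
    return s.bindings, rogue
```

Calling `demo()` returns the learned binding for the client port together with the verdict for the rogue OFFER, which is dropped on the untrusted port without ever touching the binding table.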