Hi everyone,
I am trying to understand the purpose of DHCP snooping to build a database of IP-MAC-lease mappings that can be leveraged by other security features such as IP source guard, DAI, etc.
Focusing only on DHCP snooping, what is the purpose of snooping DHCP server messages?
I understand that by monitoring untrusted ports we can ensure only DHCP client-specific messages are allowed on untrusted ports; this protects the network against a rogue DHCP server being connected to an untrusted port.
https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/concept/port-security-dhcp-snooping-els.html
But then the link posted above says the following:
You can configure the switch to snoop DHCP server responses only from specific VLANs. Doing this prevents spoofing of DHCP server messages.
My understanding is that only DHCP client-specific messages are allowed on untrusted ports; any DHCP server-specific message on an untrusted port implies a rogue DHCP server's presence and therefore gets discarded. Given the above, how can we possibly snoop on DHCP server-specific messages, as the valid DHCP server is connected to a trusted port where no DHCP snooping occurs?
So how does the switch know which ports are connected to a DHCP server so that it can snoop DHCP server messages only on those ports? Normally, we configure the ports connected to the DHCP server as trusted, so does DHCP snooping occur on those ports?
Thanks!!
------------------------------
Be kind!!
------------------------------
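As an added illustration (not part of the original post or of the Juniper documentation linked above), the Python model below shows how a snooping switch treats the two port roles differently: untrusted ports admit only client-side messages and drop anything that looks like a server reply, while server replies arriving on a trusted port are still inspected, because the DHCPACK is what carries the assigned IP and lease time that the binding table needs. The port names, MAC addresses, IP addresses and packets are constructed sample data.

```python
"""Toy model of DHCP snooping: port trust rules and binding-table construction.

Added example, not code from the original post. All packets, port names and
addresses below are constructed sample data.
"""
import socket
import struct
from dataclasses import dataclass

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# DHCP option 53 message types (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_TYPES = {OFFER, ACK, NAK}  # only a DHCP server legitimately sends these


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", lease=None):
    """Build a minimal BOOTP/DHCP payload (constructed for this example)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x1234, 0, 0,
        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
        chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)  # option 51: lease time
    return fixed + opts + b"\xff"


def parse_dhcp(data):
    """Return (op, client MAC, yiaddr, {option code: raw value})."""
    op, hlen = data[0], data[2]
    yiaddr = socket.inet_ntoa(data[16:20])
    chaddr = data[28:28 + hlen]
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:  # 255 = end option
        if data[i] == 0:                     # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return op, chaddr, yiaddr, opts


@dataclass
class Binding:
    ip: str
    lease: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # MAC -> untrusted port where its DISCOVER/REQUEST was seen
        self.bindings = {}  # MAC -> Binding, populated from ACKs seen on trusted ports
        self.dropped = []   # (port, message type) records, useful for alerting

    def receive(self, port, data):
        op, mac, yiaddr, opts = parse_dhcp(data)
        mtype = opts[53][0]
        if port not in self.trusted:
            # Untrusted port: a server-side message is a rogue-server indicator.
            if op == BOOTREPLY or mtype in SERVER_TYPES:
                self.dropped.append((port, mtype))
                return "drop"
            # A RELEASE/DECLINE must arrive on the port that holds the binding.
            if mtype in (RELEASE, DECLINE) and mac in self.bindings \
                    and self.bindings[mac].port != port:
                self.dropped.append((port, mtype))
                return "drop"
            if mtype in (DISCOVER, REQUEST):
                self.pending[mac] = port
            elif mtype == RELEASE:
                self.bindings.pop(mac, None)
            return "forward"
        # Trusted port: snoop the server's reply to learn the IP and lease.
        if mtype == ACK and mac in self.pending:
            lease = struct.unpack("!I", opts[51])[0] if 51 in opts else 0
            self.bindings[mac] = Binding(yiaddr, lease, self.pending.pop(mac))
        elif mtype == NAK:
            self.pending.pop(mac, None)
        return "forward"


def demo():
    """Walk one client through the exchange; returns the switch for inspection."""
    client_mac = b"\xaa\xbb\xcc\x00\x00\x01"  # constructed
    sw = SnoopingSwitch(trusted_ports={"ge-0/0/24"})  # uplink to the real server
    sw.receive("ge-0/0/1", build_dhcp(BOOTREQUEST, DISCOVER, client_mac))
    sw.receive("ge-0/0/1", build_dhcp(BOOTREQUEST, REQUEST, client_mac))
    # Rogue server answering on an access port: dropped before reaching the client.
    sw.receive("ge-0/0/2", build_dhcp(BOOTREPLY, OFFER, client_mac, "192.168.9.9", 600))
    # Real server's ACK on the trusted port creates the binding.
    sw.receive("ge-0/0/24", build_dhcp(BOOTREPLY, ACK, client_mac, "10.0.0.50", 3600))
    # Spoofed RELEASE from a different port for the client's MAC: dropped.
    sw.receive("ge-0/0/3", build_dhcp(BOOTREQUEST, RELEASE, client_mac))
    return sw


if __name__ == "__main__":
    s = demo()
    for mac, b in s.bindings.items():
        print(mac.hex(":"), b)
    print("dropped:", s.dropped)
```

The model keeps the client's port from its DISCOVER/REQUEST and only fills in the IP and lease when the matching ACK is seen on the trusted port, which is exactly why server replies are still inspected there even though they are never filtered on that side.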