Re: DHCP Snooping



2006/6/7, Sven Édouard <sven_edouard@xxxxxxxxxxxxxx>:
> DHCP Security is ultimately a tricky proposition, keep in mind that
> these communications are sent over UDP, which can be spoofed, therefore,
> what you would need to do is force everyone's configuration to be a
> static one in order to avoid a spoofed response condition.

Port-based VLANs solve this problem. No traffic between clients is
sent past the router.

> Also, there is the risk that someone on your network is using the same
> MAC address as another user, and therefore could see all of the traffic
> intended for that user. I think you could cover these cases by deploying
> VLANS but just wanted to bring up these potential issues.

DHCP-authorized ARP solves this issue. The MAC is present in the ARP
table of the router only when a corresponding client obtained his
settings from the DHCP server. Additional security may be gained if you
set up proper MAC filters on access ports of your switches.

> Sven
>
> On 6 Jun 2006 19:52:59 -0000, timpacalypse@xxxxxxxxx said:
> > I'm looking at deploying DHCP Snooping in our environment. I just want
> > to make sure I've got this straight.
> >
> > We only have 1 DHCP server. So the only port that I need to say is
> > trusted is the one the DHCP Server is connected to, right? I don't want
> > anyone to be able to deploy any rogue DHCP Servers in the network. We
> > are using VLANS, but I don't need to set the trunk ports as trusted do I?
> --
> Sven Édouard
> sven_edouard@xxxxxxxxxxxxxx




--
Dmitry Cherkasov
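As an added illustration of the two mechanisms the thread discusses (DHCP snooping with a single trusted port, and DHCP-authorized ARP built on the snooping binding table), here is a small Python model of a switch applying those rules. This is constructed example code, not anything from the list posters or from any vendor: the port names, MAC addresses, IP addresses and the extra check that the Ethernet source address matches the DHCP `chaddr` field are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# DHCP message types (RFC 2132 option 53 values)
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
SERVER_MESSAGES = {DHCPOFFER, DHCPACK}   # only a real DHCP server should send these


@dataclass
class DhcpFrame:
    in_port: str      # switch port the frame arrived on
    src_mac: str      # Ethernet source address
    msg_type: int     # DHCP option 53
    chaddr: str = ""  # client hardware address inside the DHCP payload
    yiaddr: str = ""  # address handed out (server messages only)


@dataclass
class SnoopingSwitch:
    """Toy model of DHCP snooping plus DHCP-authorized ARP (constructed, not vendor code)."""
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # chaddr -> port of the last DHCPREQUEST
    bindings: dict = field(default_factory=dict)  # client mac -> (leased ip, port)
    log: list = field(default_factory=list)       # dropped-frame events for the operator

    def handle_dhcp(self, f: DhcpFrame) -> bool:
        """Apply the snooping rules to one DHCP frame; True = forward, False = drop."""
        if f.in_port in self.trusted_ports:
            # Trusted side (the port facing the one real server): forward, and
            # record the binding once the lease is confirmed by a DHCPACK.
            if f.msg_type == DHCPACK and f.chaddr in self.pending:
                self.bindings[f.chaddr] = (f.yiaddr, self.pending.pop(f.chaddr))
            return True
        # Untrusted side: access ports where only clients are expected.
        if f.msg_type in SERVER_MESSAGES:
            self.log.append(f"rogue server message type {f.msg_type} "
                            f"from {f.src_mac} on {f.in_port}")
            return False
        if f.chaddr != f.src_mac:
            # Assumed extra check: payload claims a hardware address the
            # frame itself does not carry, which covers the MAC-spoofing risk.
            self.log.append(f"chaddr mismatch on {f.in_port}: {f.src_mac} vs {f.chaddr}")
            return False
        if f.msg_type == DHCPREQUEST:
            self.pending[f.chaddr] = f.in_port
        return True

    def arp_allowed(self, in_port: str, sender_mac: str, sender_ip: str) -> bool:
        """DHCP-authorized ARP: accept an ARP sender only if that exact
        (mac, ip, port) triple was learned from a completed lease."""
        return self.bindings.get(sender_mac) == (sender_ip, in_port)


def demo():
    """Run a normal lease, a rogue offer and three ARP checks; returns the switch and results."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})   # Gi0/1 faces the only DHCP server
    server, client = "00:aa:bb:cc:dd:01", "00:11:22:33:44:55"   # constructed addresses
    results = {}
    # A legitimate four-step lease for the client on access port Fa0/10
    sw.handle_dhcp(DhcpFrame("Fa0/10", client, DHCPDISCOVER, chaddr=client))
    sw.handle_dhcp(DhcpFrame("Gi0/1", server, DHCPOFFER, chaddr=client, yiaddr="10.0.0.20"))
    sw.handle_dhcp(DhcpFrame("Fa0/10", client, DHCPREQUEST, chaddr=client))
    sw.handle_dhcp(DhcpFrame("Gi0/1", server, DHCPACK, chaddr=client, yiaddr="10.0.0.20"))
    results["lease"] = sw.bindings.get(client)
    # A DHCPOFFER arriving on an untrusted access port is dropped and logged
    results["rogue"] = sw.handle_dhcp(
        DhcpFrame("Fa0/11", "00:de:ad:be:ef:00", DHCPOFFER, chaddr=client, yiaddr="10.0.0.99"))
    # ARP is only honoured for the leased triple
    results["arp_ok"] = sw.arp_allowed("Fa0/10", client, "10.0.0.20")
    results["arp_wrong_port"] = sw.arp_allowed("Fa0/11", client, "10.0.0.20")
    results["arp_unknown"] = sw.arp_allowed("Fa0/12", "00:de:ad:be:ef:00", "10.0.0.99")
    return sw, results


if __name__ == "__main__":
    switch, out = demo()
    print(out)
    print(switch.log)
```

The point the model makes is the one Dmitry raises: once server-type DHCP messages are only accepted from the trusted port, the binding table the switch builds from real leases becomes the authority for which MAC/IP pair may speak on which access port, so an ARP sender that never obtained a lease, or that claims a leased address from a different port, is simply not accepted.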


