Re: DHCP Snooping
- From: "Dmitry Cherkasov" <doctorchd@xxxxxxxxx>
- Date: Thu, 8 Jun 2006 14:21:19 +0300
2006/6/7, Sven Édouard <sven_edouard@xxxxxxxxxxxxxx>:
DHCP Security is ultimately a tricky proposition, keep in mind that
these communications are sent over UDP, which can be spoofed, therefore,
what you would need to do is force everyone's configuration to be a
static one in order to avoid a spoofed respose condition.
Port-based VLANs solve this problem. No traffic between clients is
sent past the router.
Also, there is the risk that someone on your network is using the same
MAC address as another user, and therefore could see all of the traffic
intended for that user. I think you could cover these cases by deploying
VLANS but just wanted to bring up these potential issues.
DHCP-authorized ARP solves this issue. The MAC is present in the ARP
table of the router only when a corresponding client obtained his
settings from DHCP server. Additional security may be gained if you
setup proper MAC filters on access ports of your switches.
On 6 Jun 2006 19:52:59 -0000, timpacalypse@xxxxxxxxx said:
> I'm looking at deploying DHCP Snooping in our environment. I just want
> to make sure I've got this straight.
> We only have 1 DHCP server. So the only port that I need to say is
> trusted is the one the DHCP Server is connected to, right? I don't want
> anyone to be able to deploy any rogue DHCP Servers in the network. We
> are using VLANS, but I don't need to set the trunk ports as trusted do I?
http://www.fastmail.fm - One of many happy users:
- Prev by Date: RE: Security Tips
- Next by Date: Re: NAC product
- Previous by thread: Re: DHCP Snooping
- Next by thread: Re: DHCP Snooping