Re: DHCP Snooping

["Dmitry Cherkasov" <doctorchd () gmail com>]

2006/6/7, Sven Édouard <sven_edouard () fastmail co uk>:
> DHCP Security is ultimately a tricky proposition, keep in mind that
> these communications are sent over UDP, which can be spoofed, therefore,
> what you would need to do is force everyone's configuration to be a
> static one in order to avoid a spoofed respose condition.

Port-based VLANs solve this problem. No traffic between clients is
sent past the router.


> Also, there is the risk that someone on your network is using the same
> MAC address as another user, and therefore could see all of the traffic
> intended for that user. I think you could cover these cases by deploying
> VLANS but just wanted to bring up these potential issues.

DHCP-authorized ARP solves this issue. The MAC is present in the ARP
table of the router only when a corresponding client obtained his
settings from DHCP server. Additional security may be gained if you
setup proper MAC filters on access ports of your switches.


> Sven
>
>
>
>
> On 6 Jun 2006 19:52:59 -0000, timpacalypse () yahoo com said:
> > I'm looking at deploying DHCP Snooping in our environment.  I just want
> > to make sure I've got this straight.
> >
> > We only have 1 DHCP server.  So the only port that I need to say is
> > trusted is the one the DHCP Server is connected to, right?  I don't want
> > anyone to be able to deploy any rogue DHCP Servers in the network.  We
> > are using VLANS, but I don't need to set the trunk ports as trusted do I?
> --
>   Sven Édouard
>   sven_edouard () fastmail co uk
>
> --
> http://www.fastmail.fm - One of many happy users:
>   http://www.fastmail.fm/docs/quotes.html


--
Dmitry Cherkasov