LAN Security - DHCP Snooping
Posted by SwitchBackup Team - Thursday, 7 January 2016, 13:04:44
There are many security functions implemented in LAN switches that help us protect our LAN. Start using them!
To protect the local network against a rogue DHCP server (an unauthorized, false DHCP server), DHCP snooping is usually available. It lets us specify which switch ports may pass DHCP replies from our DHCP server.
These are usually trunk (uplink) ports and, of course, the ports connected directly to the DHCP server.
A: identify all ports towards the official DHCP server, turn the DHCP snooping function on globally and set trust on the ports towards the DHCP servers. For example, to allow it on port gi 1/0/24 use:
configure terminal
ip dhcp snooping
interface gi 1/0/24
ip dhcp snooping trust
end
B: in a more complex network, option 82 in the DHCP request is usually used to identify the source network segment (for selecting the DHCP scope). That is why the recommended setting on core and distribution layer switches (switches without endpoints) is to accept the requests carrying option 82 that are forwarded from the trusted ports of other switches (they arrive on ports this switch does not trust), by issuing:
configure terminal
ip dhcp snooping information option allow-untrusted
end
C: apply the function to the specified VLANs:
configure terminal
ip dhcp snooping vlan 10-20
end
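The three steps above describe what a correct switch configuration should contain; the following Python script, added here as an example that is not part of the original post or the SwitchBackup product, audits a saved Cisco IOS running-config against that expectation. It assumes the config is in the usual running-config text form (global lines unindented, interface lines indented by one space); the sample config and the list of intended trusted ports are constructed for the demonstration.

```python
import re
# Constructed sample running-config for the demonstration (not from the post).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10-20
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
interface GigabitEthernet1/0/1
 switchport access vlan 10
interface GigabitEthernet1/0/5
 switchport access vlan 10
 ip dhcp snooping trust
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand a Cisco VLAN list such as '10-20,30' into a set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trusted_interfaces(config):
    """Return the set of interfaces configured with 'ip dhcp snooping trust'."""
    trusted, current = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]      # enter an interface block
        elif not line.startswith(" "):
            current = None                         # any other global line ends the block
        elif line.strip() == "ip dhcp snooping trust" and current:
            trusted.add(current)
    return trusted

def audit_dhcp_snooping(config, expected_trusted):
    """Compare the DHCP snooping posture of a config with the intended trusted ports."""
    lines = [l.strip() for l in config.splitlines()]
    m = re.search(r"^ip dhcp snooping vlan (.+)$", config, re.M)
    trusted = trusted_interfaces(config)
    expected = set(expected_trusted)
    return {
        "global_enabled": "ip dhcp snooping" in lines,
        "vlans": expand_vlans(m.group(1)) if m else set(),
        "option82_allow_untrusted": "ip dhcp snooping information option allow-untrusted" in lines,
        "trusted": trusted,
        "unexpected_trust": trusted - expected,  # a rogue server on such a port would be accepted
        "missing_trust": expected - trusted,     # offers from the real server would be dropped
    }
```

Run it over every backed-up config; a non-empty `unexpected_trust` or `missing_trust` set, or `global_enabled` being false, is what to alert on.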
When you have successfully applied DHCP snooping protection to your network, do not stop there. The next step is to apply ARP inspection, which uses the DHCP snooping information to protect LAN clients from man-in-the-middle attacks. Stay tuned!