DHCP Snooping
- DHCP snooping prevents the damage inflicted by several attacks that use DHCP.
- DHCP snooping causes a switch to examine DHCP messages & filter out the inappropriate ones.
- DHCP snooping builds a table of IP address & port mappings.
- This table is built from the DHCP messages the switch observes.
- This table is called the DHCP snooping binding table.
- The DHCP snooping binding table can be used by the DAI & IP Source Guard features.
- DHCP snooping defeats certain attacks (a man-in-the-middle attack using DHCP) by treating ports as untrusted.
- DHCP snooping allows all DHCP messages on trusted ports.
- For this to work, DHCP clients should be connected to untrusted ports.
- As a result, on untrusted ports the switch filters incoming DHCP messages that only servers send.
- From a design point of view, unused & unsecured user ports would be configured as untrusted for DHCP snooping.
- DHCP snooping also examines DHCP client messages on untrusted ports, because other attacks can be made using DHCP client messages.
- DHCP servers identify clients based on their client hardware address as listed in the DHCP request.
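As an added example (not part of these notes), a simplified Python model of the snooping decisions above: server-only messages are dropped on untrusted ports, a client message's hardware address must match the frame's source MAC, and a completed lease populates the binding table. Port names, MAC addresses and message fields are constructed; a real switch parses chaddr, yiaddr and option 53 from the DHCP header.

```python
from collections import namedtuple
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # option 53 types only a server sends
Binding = namedtuple("Binding", "mac ip vlan port")  # one row of the snooping binding table

@dataclass
class DhcpSnooper:
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # chaddr -> client port awaiting a lease
    bindings: dict = field(default_factory=dict)  # leased IP -> Binding

    def handle(self, port, vlan, src_mac, msg):
        """Return 'forward' or 'drop' for one DHCP message received on `port`."""
        mtype, chaddr = msg["type"], msg["chaddr"]
        if port in self.trusted_ports:
            # Trusted ports (toward the real server) pass everything; a DHCPACK
            # completes a lease and records the client's IP/MAC/VLAN/port binding.
            if mtype == "DHCPACK" and chaddr in self.pending:
                self.bindings[msg["yiaddr"]] = Binding(chaddr, msg["yiaddr"], vlan, self.pending.pop(chaddr))
            return "forward"
        if mtype in SERVER_MSGS:   # untrusted port: server-only messages are dropped
            return "drop"
        if chaddr != src_mac:      # client message spoofing another host's hardware address
            return "drop"
        if mtype in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[chaddr] = port
        elif mtype == "DHCPRELEASE":
            # A release is honoured only from the port that holds the binding.
            b = self.bindings.get(msg.get("ciaddr"))
            if b is None or b.port != port:
                return "drop"
            del self.bindings[msg["ciaddr"]]
        return "forward"

def demo():
    """Constructed exchange: client on Gi1/1, real server on trusted Gi1/24, rogue host on Gi1/2."""
    sw = DhcpSnooper(trusted_ports={"Gi1/24"})
    c, r, s = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    steps = [("Gi1/1", c, {"type": "DHCPDISCOVER", "chaddr": c}),
             ("Gi1/2", r, {"type": "DHCPOFFER", "chaddr": c, "yiaddr": "10.0.0.66"}),  # rogue offer
             ("Gi1/24", s, {"type": "DHCPOFFER", "chaddr": c, "yiaddr": "10.0.0.50"}),
             ("Gi1/1", c, {"type": "DHCPREQUEST", "chaddr": c}),
             ("Gi1/24", s, {"type": "DHCPACK", "chaddr": c, "yiaddr": "10.0.0.50"}),
             ("Gi1/2", r, {"type": "DHCPRELEASE", "chaddr": c, "ciaddr": "10.0.0.50"})]  # spoofed
    return [sw.handle(p, 10, mac, m) for p, mac, m in steps], sw.bindings
```

`demo()` returns the per-message verdicts together with the resulting binding table, so the two drops (the rogue offer and the release whose chaddr does not match the sending host) can be inspected directly.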