Surely you configure DHCP snooping on all interfaces connecting to untrusted clients, as opposed to the answer given, which is on the interface that connects to the trusted DHCP server?
No, DHCP snooping is configured on trusted ports. Once you configure DHCP snooping globally, all ports are considered "untrusted"; you have to go into the interface and specify which ports will be trusted. These ports will be allowed to reply to DHCP requests from clients. Those ports that are "untrusted" will not be able to reply, and the port will err-disable.
Could it not rather be the application of
ip dhcp snooping limit rate x
to untrusted ports? Like this, the limited rate of possible DHCP requests from the attacker would mitigate the exhaustion of IP addresses on the DHCP server.

DHCP snooping on trusted ports says that only this port is allowed to reply to DHCP requests, but it is not mentioned that it would limit the number of DHCP replies in any way. Of course, the port with the DHCP server must be declared trusted, but with this attack no untrusted port will ever send DHCP replies, so DHCP snooping will not see it.

Not sure I got it right ... :-)
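To make the two mechanisms the thread is arguing about concrete, here is a small Python model of the DHCP snooping decision logic. It is an added example, not code from any poster and not Cisco IOS code: it only simulates what the IOS commands named in the comments do (ip dhcp snooping trust, ip dhcp snooping limit rate, and the chaddr-vs-source-MAC check that ip dhcp snooping verify mac-address enables by default, which the thread does not mention). Port names, MAC addresses and the traffic in run_demo() are constructed for the demo. The point it shows: trust alone only stops replies from untrusted ports, so a starvation burst of DISCOVERs on an untrusted port sails through until a rate limit on that port trips and err-disables it.

```python
"""Toy model of Cisco-style DHCP snooping: trusted/untrusted ports, drop of
server replies on untrusted ports, per-port rate limit with err-disable, and
the default chaddr/source-MAC check.  Hypothetical simulation, not IOS code."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

# DHCP message types, RFC 2132 option 53
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_TYPES = {OFFER, ACK, NAK}   # only a DHCP server legitimately sends these


@dataclass
class Packet:
    ingress: str    # switch port the frame arrived on
    src_mac: str    # Ethernet source address
    chaddr: str     # client hardware address carried inside the DHCP payload
    msg_type: int
    ts: float       # arrival time in seconds


@dataclass
class PortState:
    # "ip dhcp snooping trust": False for every port once snooping is on globally
    trusted: bool = False
    # "ip dhcp snooping limit rate <pps>": None means no limit configured
    limit_rate: Optional[int] = None
    # "ip dhcp snooping verify mac-address" (on by default in IOS)
    verify_mac: bool = True
    err_disabled: bool = False
    window: Deque[float] = field(default_factory=deque)  # recent arrival times


class DhcpSnooper:
    def __init__(self) -> None:
        self.ports: Dict[str, PortState] = defaultdict(PortState)

    def trust(self, port: str) -> None:
        self.ports[port].trusted = True

    def limit_rate(self, port: str, pps: int) -> None:
        self.ports[port].limit_rate = pps

    def _over_rate(self, st: PortState, ts: float) -> bool:
        """Sliding one-second window; True once the configured pps is exceeded."""
        if st.limit_rate is None:
            return False
        st.window.append(ts)
        while st.window and ts - st.window[0] >= 1.0:
            st.window.popleft()
        return len(st.window) > st.limit_rate

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("FORWARD" | "DROP", reason) for one DHCP packet."""
        st = self.ports[pkt.ingress]
        if st.err_disabled:
            return "DROP", "port is err-disabled"
        # The rate limit counts every DHCP packet on the port, and a violation
        # shuts the port down rather than just dropping the offending packet.
        if self._over_rate(st, pkt.ts):
            st.err_disabled = True
            return "DROP", "rate limit exceeded, port err-disabled"
        if st.trusted:
            return "FORWARD", "trusted port"
        if pkt.msg_type in SERVER_TYPES:
            return "DROP", "server message on untrusted port"
        if st.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "DROP", "chaddr does not match source MAC"
        return "FORWARD", "client message on untrusted port"


def run_demo() -> Dict[str, object]:
    """Constructed traffic: a starvation burst, a rogue OFFER, a real OFFER and
    a spoofed-chaddr DISCOVER.  Port names and MACs are made up for the demo."""
    sw = DhcpSnooper()
    sw.trust("Gi0/1")            # uplink towards the real DHCP server
    sw.limit_rate("Gi0/5", 10)   # access port where the attacker sits
    out: Dict[str, object] = {}

    # Starvation attempt: 20 DISCOVERs with fresh MACs inside 0.2 s on Gi0/5
    verdicts = []
    for i in range(20):
        mac = f"00:de:ad:00:00:{i:02x}"
        verdicts.append(sw.process(Packet("Gi0/5", mac, mac, DISCOVER, 0.01 * i))[0])
    out["starvation_forwarded"] = verdicts.count("FORWARD")
    out["gi0/5_err_disabled"] = sw.ports["Gi0/5"].err_disabled

    # Rogue server answering from an untrusted access port
    out["rogue_offer"] = sw.process(
        Packet("Gi0/6", "00:ba:d0:00:00:01", "00:11:22:33:44:55", OFFER, 1.0))[0]
    # The real server answering over the trusted uplink
    out["real_offer"] = sw.process(
        Packet("Gi0/1", "00:50:56:00:00:01", "00:11:22:33:44:55", OFFER, 1.0))[0]
    # Client forging chaddr without changing the Ethernet source address
    out["spoofed_chaddr"] = sw.process(
        Packet("Gi0/7", "00:11:22:33:44:55", "00:99:88:77:66:55", DISCOVER, 1.0))[0]
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Without the limit on Gi0/5 every one of the 20 DISCOVERs would be forwarded, which is exactly why trust on the server port does nothing against starvation: the attacker never sends a reply, only requests. Real switches also differ in detail (the IOS limit is enforced in hardware per second rather than with a sliding window, and err-disable recovery is a separate setting), so treat the numbers as illustrative.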
