An essential part of passing the Cisco CCNP BCMSN exam, and of protecting your network from intruders, is realizing that even everyday protocols and services can work against us once an intruder is inside our network.

It may be hard to imagine, but something as innocent as DHCP can actually cause trouble for your network. When a host sends out a DHCPDiscover packet, it listens for DHCPOffer packets and accepts the first Offer it gets!

Part of that DHCPOffer is the address the host should set as its default gateway. What if a DHCP server that does not belong on our network, a rogue DHCP server, is placed on that subnet?
If the host uses the DHCPOffer from the rogue server, the host could end up using the rogue server as its default gateway or DNS server!

We can prevent this with DHCP Snooping. DHCP Snooping classifies interfaces as either trusted or untrusted.

DHCP messages received on trusted interfaces are allowed to pass through the switch, but DHCP messages received on an untrusted interface result in the interface itself being placed into err-disabled state.

By default, the switch considers all ports untrusted, which means we had better remember to configure the switch to trust some ports when we enable DHCP Snooping!

First, we need to enable DHCP Snooping on the entire switch:

SW1(config)#ip dhcp snooping

To enable DHCP Snooping for a specific VLAN, use the ip dhcp snooping vlan command.

SW1(config)#ip dhcp snooping vlan 4

Ports can then be configured as trusted with the ip dhcp snooping trust command.

SW1(config-if)#ip dhcp snooping trust
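Putting the three steps together, here is an added example (not from the original tutorial) of a complete DHCP Snooping configuration for VLAN 4, followed by the verification commands. The interface names, and the assumption that Gi0/1 is the uplink toward the legitimate DHCP server while Gi0/2 through Gi0/24 face hosts, are mine.

```cisco
! Added example, not from the original article. Assumptions: Gi0/1 is the
! uplink to the legitimate DHCP server; Gi0/2 - Gi0/24 are host access ports
! in VLAN 4, where a rogue DHCP server could be plugged in.
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 4
!
! Uplink toward the real DHCP server: trusted, so its DHCPOffer/DHCPAck
! replies are forwarded to the clients.
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# description Uplink toward DHCP server
SW1(config-if)# switchport mode trunk
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# exit
!
! Host-facing ports stay untrusted (the default). A rate limit on DHCP
! packets per second stops a host from flooding the server or the
! snooping table; exceeding it err-disables the port.
SW1(config)# interface range GigabitEthernet0/2 - 24
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 4
SW1(config-if-range)# ip dhcp snooping limit rate 10
SW1(config-if-range)# exit
!
! Enabling snooping also turns on option 82 insertion by default. If the
! DHCP server or relay drops packets that carry option 82, disable it:
SW1(config)# no ip dhcp snooping information option
SW1(config)# end
!
! Verification: snooping state, snooped VLANs, trusted ports and rate
! limits, then the client bindings the switch has learned from real leases.
SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding
```

If hosts suddenly stop getting addresses after this is applied, the first thing to check in show ip dhcp snooping is whether the port facing the real DHCP server is listed as trusted.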

There are other options available with DHCP Snooping, and we'll look at some of those in a future tutorial. DHCP Snooping is an important topic for your CCNP BCMSN exam, and it's just as important in real-world networks, so get familiar with it for both the exam room and the network room!
