A significant part of passing the Cisco CCNP BCMSN exam, and of defending your network from intruders, is realizing that even everyday protocols and services can be turned against us once an intruder is inside our network.
It may be hard to believe, but something as innocent as DHCP can lead to trouble on your network. When a host sends out a DHCPDISCOVER, it listens for DHCPOFFER packets and accepts the first offer it gets.
Part of that DHCPOFFER is the address the host should use as its default gateway (and usually its DNS server as well). What if a DHCP server that does not belong on our network, a rogue DHCP server, is placed on that subnet?
If the host accepts the DHCPOFFER from the rogue server, it ends up using whatever default gateway and DNS server the rogue server hands out, which can be the intruder's own machine, putting the intruder in the path of that host's traffic.
We can protect against this with DHCP Snooping. DHCP Snooping classifies interfaces as either trusted or untrusted.
DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) received on trusted interfaces are forwarded normally, but DHCP server messages received on an untrusted interface are dropped, so a rogue server on an access port never gets its offer to the client. Client messages on untrusted ports are still forwarded, but the switch validates them (for example, the source MAC address must match the client hardware address inside the DHCP packet) and can rate-limit them; a port that exceeds its configured rate limit is put into err-disabled state.
By default, the switch considers all ports untrusted, which means we had better remember to trust the port facing the legitimate DHCP server (or the uplink toward it) when we enable DHCP Snooping, or no client will get an address at all.
First, we need to enable DHCP Snooping globally on the switch:
SW1(config)#ip dhcp snooping
Enabling it globally is not enough by itself; DHCP Snooping only inspects the VLANs you list. To enable DHCP Snooping for a specific VLAN, use the ip dhcp snooping vlan command.
SW1(config)#ip dhcp snooping vlan 4
Ports facing the legitimate DHCP server can then be configured as trusted with the ip dhcp snooping trust interface command.
SW1(config-if)#ip dhcp snooping trust
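Putting the three steps together, here is a complete configuration for the scenario above, added as an illustration and not taken from the original tutorial. The interface names (Gi0/1 as the uplink toward the real DHCP server, Gi0/2 through Gi0/24 as access ports) and the VLAN number are assumptions; the rate limit, the option 82 note and the show commands go beyond the three commands covered above.

```cisco
! Added example: DHCP Snooping for VLAN 4 on an access switch (interface
! names and VLAN number are assumed for illustration).
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 4
!
! Caveat: by default the switch inserts DHCP option 82 into client packets
! received on untrusted ports. If the real DHCP server (or a relay in front
! of it) discards such packets, clients stop getting leases as soon as
! snooping is enabled. Disabling insertion avoids that:
SW1(config)# no ip dhcp snooping information option
!
! Only the uplink toward the legitimate DHCP server is trusted. A rogue
! server plugged into any other port has its DHCPOFFER/DHCPACK dropped.
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# description Uplink toward distribution / DHCP server
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# exit
!
! Access ports stay untrusted (the default). Rate-limit client DHCP
! traffic so a host flooding DISCOVERs gets err-disabled instead of
! exhausting the pool or the switch CPU.
SW1(config)# interface range GigabitEthernet0/2 - 24
SW1(config-if-range)# ip dhcp snooping limit rate 10
SW1(config-if-range)# exit
!
! Let a port that tripped the rate limit recover automatically.
SW1(config)# errdisable recovery cause dhcp-rate-limit
SW1(config)# end
!
! Verification: the first command should list VLAN 4 as enabled and
! Gi0/1 as the only trusted interface; the second shows the
! MAC/IP/VLAN/port bindings learned from legitimate leases.
SW1# show ip dhcp snooping
SW1# show ip dhcp snooping binding
```

A quick way to test the protection is to plug a test DHCP server into an access port and confirm that clients in VLAN 4 keep receiving leases from the real server and that no binding for the rogue appears in the binding table.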
There are other options available with DHCP Snooping, and we will look at some of them in a future tutorial. DHCP Snooping is an important topic for your CCNP BCMSN exam, and it is just as important in real-world networks, so get familiar with it for both the exam room and the network room!