Sunday, December 31, 2017

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.a DHCP snooping

Recently I needed to renew my Cisco CCNPs, that is, both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well, now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.

         -    DHCP snooping filters untrusted DHCP messages by building and maintaining a DHCP snooping binding database
         -    The DHCP snooping binding database is also known as the DHCP snooping binding table
         -    DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
         -    It differentiates between untrusted interfaces (connected to end hosts) and trusted interfaces (connected to DHCP servers or to other switches); by default every interface is untrusted
         -    For DHCP snooping to function, all DHCP servers must be reachable through trusted switch interfaces; server replies (DHCPOFFER, DHCPACK, DHCPNAK) arriving on an untrusted interface are dropped
         -    Messages received from outside the network or firewall, i.e. on an untrusted interface, are untrusted; only client messages such as DHCPDISCOVER and DHCPREQUEST are accepted there
         -    The DHCP snooping binding database contains the MAC address, IP address, lease time, binding type, VLAN number and interface for each binding
         -    The DHCP snooping binding database only holds bindings learned on the local untrusted interfaces of the switch
         -    The DHCP snooping binding database does not contain information about hosts on trusted interfaces

         -    On untrusted interfaces the switch compares the source MAC address of the frame with the client hardware address (chaddr) field inside the DHCP packet (MAC address verification, enabled by default with "ip dhcp snooping verify mac-address")
         -    If the addresses match, the packet is forwarded
         -    If the addresses do not match, the switch drops the packet
       
         -    Packets get dropped for the following reasons:
              -    A DHCP server message (DHCPOFFER, DHCPACK, DHCPNAK or DHCPLEASEQUERY) is received from outside the network or firewall, i.e. on an untrusted interface
              -    A packet is received on an untrusted interface and the source MAC address and the DHCP client hardware address do not match
              -    A DHCPRELEASE or DHCPDECLINE broadcast message has a MAC address in the DHCP snooping binding database, but the interface information in the database does not match the interface on which the message was received
              -    A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address (giaddr) that is not 0.0.0.0
              -    The relay agent forwards a packet that includes option-82 information to an untrusted port
         -    The DHCP option-82 feature is only supported when DHCP snooping is enabled globally
         -    Hosts must be in a VLAN configured for DHCP snooping to be protected by it
         -    When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information learned on untrusted interfaces
         -    The DHCP snooping binding database can store up to 8192 bindings
         -    The database agent stores the bindings in a file at a configured location (local flash or a remote URL)
         -    To keep the entries across a switch reload, the DHCP snooping database agent must be configured; without it the bindings are lost on reload
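The notes above describe the pieces but not the configuration itself. The following is an added IOS configuration example (mine, not taken from the post or from the Cisco guides listed under References) that ties them together: global enable, the protected VLANs, MAC verification, option-82, the database agent, one trusted uplink, untrusted access ports with a rate limit, and the show commands used to verify. VLAN numbers, interface names and the flash file name are assumptions for illustration.

```cisco
! ---- Global settings ----
! Enable DHCP snooping globally, then on the VLANs it should protect.
! Nothing is filtered until both are configured.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! MAC verification (on by default): on untrusted ports, drop DHCP
! packets whose source MAC differs from the DHCP chaddr field.
ip dhcp snooping verify mac-address
! Option-82 insertion (on by default, only valid with snooping enabled).
! The switch leaves giaddr at 0.0.0.0; an upstream snooping switch drops
! option-82 packets arriving on an untrusted port unless that port is
! trusted or it runs "ip dhcp snooping information option allow-untrusted".
ip dhcp snooping information option
! Database agent: persist the binding table so it survives a reload.
! Assumed file name; a TFTP/FTP URL works as well.
ip dhcp snooping database flash:/dhcp-snooping.db
ip dhcp snooping database write-delay 60
! Let a port recover automatically if the DHCP rate limit errdisables it
errdisable recovery cause dhcp-rate-limit
!
! ---- Uplink toward the DHCP server / distribution switch: trusted ----
interface GigabitEthernet1/0/1
 description Uplink to distribution (DHCP server behind it)
 switchport mode trunk
 ip dhcp snooping trust
!
! ---- Access ports: untrusted (the default) with a DHCP rate limit ----
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
end
!
! ---- Verification ----
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping database
show ip dhcp snooping statistics
```

"show ip dhcp snooping" confirms the global state, the VLAN list, option-82 and the per-interface trust/rate-limit settings; "show ip dhcp snooping binding" should list one entry per DHCP client on an untrusted port and none for hosts behind the trusted uplink.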

         -    In a switch stack, DHCP snooping is managed on the stack master
         -    All statistics are generated on the stack master; when a new stack master is elected, the statistics counters are reset

         -    DHCP snooping is not active on a VLAN until it has been enabled both globally and on that VLAN
         -    DHCP snooping can be configured on private VLANs
         -    When DHCP snooping is enabled on a private VLAN, the configuration is propagated to both the primary VLAN and its associated secondary VLANs
         -    If DHCP snooping is enabled on the primary VLAN, it is automatically configured on the secondary VLANs as well
         -    If configuration changes are made on a secondary VLAN after the primary VLAN has been configured, the changes made to the secondary VLAN do not take effect
         -    DHCP snooping must therefore be configured on the primary VLAN
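As an added example of the private VLAN rule above (my configuration, not from the post or the Cisco guides), the following enables snooping on the primary VLAN only and relies on the switch to propagate it to the secondary VLANs. VLAN IDs, interface names and the VTP mode are assumptions for illustration.

```cisco
! Private VLAN definitions (assumed IDs; VTP transparent mode is needed
! for private VLANs on these platforms)
vtp mode transparent
vlan 200
 private-vlan primary
 private-vlan association 201,202
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
!
! Enable DHCP snooping on the PRIMARY VLAN only. The switch propagates
! it to the associated secondary VLANs 201 and 202 by itself.
ip dhcp snooping
ip dhcp snooping vlan 200
! Do not try to enable or change snooping on 201 or 202 afterwards:
! a change made to a secondary VLAN after the primary is configured
! does not take effect.
!
! Promiscuous port toward the DHCP server: trusted
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
 ip dhcp snooping trust
!
! Host ports (isolated or community) stay untrusted (the default)
interface GigabitEthernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
end
! Both 200 and its secondaries should appear as snooping-enabled here
show ip dhcp snooping
```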


References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
