📖 What is DHCP Snooping?
DHCP Snooping is a Layer 2 security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. It prevents rogue DHCP servers from assigning incorrect IP addresses to clients by filtering unauthorized DHCP messages.
"This is specifically designed to stop 'Man-in-the-Middle' attacks. The switch builds a binding table of trusted MAC and IP addresses to enforce this."
📚 Certification: CompTIA Network+ Certification Exam (N10-009)
🔑 What are the Key Concepts of DHCP Snooping?
- ▸ Trusted and Untrusted Ports: Administrators designate ports connected to legitimate DHCP servers as trusted, while all other user-facing ports are set to untrusted by default.
- ▸ DHCP Binding Database: The switch maintains a dynamic table mapping MAC addresses to assigned IP addresses, lease times, and VLANs to validate network traffic.
- ▸ Rogue Server Mitigation: The feature blocks DHCP-OFFER and DHCP-ACK messages from entering untrusted ports, preventing unauthorized servers from assigning incorrect network configurations.
- ▸ MitM Attack Prevention: By ensuring only authorized servers provide IP and gateway information, it stops attackers from redirecting traffic through a malicious device.
- ▸ Synergy with DAI: DHCP Snooping provides the foundational binding table used by Dynamic ARP Inspection (DAI) to prevent ARP poisoning and IP spoofing attacks.
🎯 How does DHCP Snooping appear on the N10-009 Exam?
You may be asked to identify the best Layer 2 security mechanism to implement after discovering that an employee plugged a home router into a wall jack, causing IP conflicts.
A scenario might describe a need to prevent Man-in-the-Middle attacks where an attacker is providing false default gateway information to clients; you must select DHCP Snooping as the solution.
Expect questions where you must distinguish between trusted and untrusted ports, specifically identifying which port type should be assigned to a legitimate DHCP server to ensure connectivity.
❓ Frequently Asked Questions
Can DHCP Snooping prevent ARP spoofing on its own?
No, DHCP Snooping only prevents rogue DHCP servers. However, it creates the binding database that Dynamic ARP Inspection (DAI) uses to verify ARP packets and stop spoofing.
What is the primary risk of misconfiguring a port as untrusted when a server is connected?
If a legitimate DHCP server is on an untrusted port, the switch will drop its DHCP-OFFER messages, preventing all clients on that switch from receiving IP addresses.