Hello, 향기 (Hyanggi) here~*
This is how to set up DHCP Snooping on Cisco equipment.
The DHCP Snooping feature makes the switch reject DHCP server traffic from anything other than a trusted DHCP server.
If you have ever suffered from stray tests or a rogue DHCP server on the company network, it is worth turning on.
DHCP Snooping
A DHCP server normally provides all the basic information a client PC needs to operate on a
network. For example, the client might receive an IP address, a subnet mask, a default gateway
address, DNS addresses, and so on.
Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as
that same client PC. Now when the client broadcasts its DHCP request, the rogue server could
send a carefully crafted DHCP reply with its own IP address substituted as the default gateway.
When the client receives the reply, it begins using the spoofed gateway address. Packets destined
for addresses outside the local subnet then go to the attacker’s machine first. The attacker can
forward the packets to the correct destination, but in the meantime, it can examine every packet
that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged
into the path and the client doesn’t realize it.
Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of attack.
When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate
DHCP servers sit behind trusted ports, whereas all other hosts sit behind untrusted ports; DHCP
server replies (OFFER, ACK, NAK) that arrive on an untrusted port are dropped by the switch.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/dhcp.html
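The trusted/untrusted split described above, written out as a Catalyst IOS configuration. This is an added example, not configuration from the original post or from the Cisco guide linked above; the VLAN number (10), the uplink port (GigabitEthernet1/1) and the access-port range (GigabitEthernet1/2 - 24) are assumptions and must be adjusted to your own topology.

```cisco
! Added example, not from the original post. Assumed topology:
!   VLAN 10               = client VLAN
!   GigabitEthernet1/1    = uplink toward the legitimate DHCP server
!   GigabitEthernet1/2-24 = client access ports
!
! 1. Enable DHCP snooping globally, then on the client VLAN(s).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Trust only the port that faces the real DHCP server (or the
!    upstream switch that leads to it).
interface GigabitEthernet1/1
 description Uplink to DHCP server
 ip dhcp snooping trust
!
! 3. Access ports stay untrusted (the default). Any DHCP OFFER/ACK/NAK
!    arriving on them is dropped, which blocks a rogue server such as
!    the one in the man-in-the-middle scenario above. The rate limit
!    caps client DHCP requests so one host cannot flood the switch;
!    exceeding it err-disables the port.
interface range GigabitEthernet1/2 - 24
 ip dhcp snooping limit rate 15
!
! 4. Verify: trusted ports and rate limits, then the binding table
!    (MAC, IP, lease, VLAN, port) built from snooped DHCP exchanges.
show ip dhcp snooping
show ip dhcp snooping binding
```

Two caveats a practitioner will hit: apply `ip dhcp snooping trust` only to ports that really lead to the DHCP server, since a trusted port receives no protection at all; and when the switch is not itself the DHCP relay, the snooping feature inserts DHCP Option 82 by default, which some upstream relays or servers discard because the packet arrives with a zero giaddr. If clients stop getting leases after you enable snooping, `no ip dhcp snooping information option` is the usual fix, and `show ip dhcp snooping` together with the binding table is where to confirm that legitimate leases are being recorded.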