MikroTik Certified Switching Engineer (MTCSWE)
9.4 DHCP Snooping Explained

Key Concepts of DHCP Snooping

DHCP Snooping is a security feature that protects against rogue DHCP servers and ensures that only trusted DHCP servers can provide IP addresses to clients. Key concepts include:

DHCP Snooping

DHCP Snooping is a security feature that filters and monitors DHCP traffic to prevent unauthorized DHCP servers from providing IP addresses to clients. It ensures that only trusted DHCP servers can respond to DHCP requests.

Example: In a corporate network, DHCP Snooping can be enabled on a switch to ensure that only the authorized DHCP server in the network can provide IP addresses to clients. This prevents rogue DHCP servers from disrupting network operations.

Trusted and Untrusted Ports

Trusted ports are designated as safe for DHCP traffic, meaning that DHCP responses arriving on these ports are allowed. Untrusted ports are monitored for DHCP traffic, and any DHCP server responses arriving on them are blocked; responses are accepted only when they reach the switch through a trusted port, where the trusted DHCP server is connected.

Example: On a MikroTik switch, you can configure port 1 as a trusted port connected to the authorized DHCP server and all other ports as untrusted. This ensures that only DHCP responses from the authorized server are accepted.

DHCP Snooping Database

The DHCP Snooping database stores DHCP bindings, which are records of IP addresses assigned to clients and their corresponding MAC addresses. This database is used to validate DHCP traffic and ensure that only legitimate DHCP bindings are allowed.

Example: When a client receives an IP address from the DHCP server, the switch records this binding in the DHCP Snooping database. This binding is then used to validate future DHCP traffic and ensure that the client's IP address is legitimate.

Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) is a security feature that uses DHCP Snooping bindings to validate ARP packets. It ensures that only ARP packets with legitimate IP-to-MAC bindings are allowed, preventing ARP spoofing attacks.

Example: In a network with DHCP Snooping enabled, DAI can be configured to check ARP packets against the DHCP Snooping database. If an ARP packet contains an invalid IP-to-MAC binding, it is dropped, preventing ARP spoofing attacks.

IP Source Guard

IP Source Guard is a feature that restricts IP traffic based on DHCP Snooping bindings. It ensures that only IP traffic with legitimate source IP addresses is allowed, preventing IP spoofing attacks.

Example: On a MikroTik switch, IP Source Guard can be configured to allow only IP traffic from clients with legitimate DHCP bindings. This ensures that clients cannot send traffic with spoofed IP addresses, enhancing network security.
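
The concepts above fit together as one decision path: trusted ports gate server replies, accepted ACKs populate the binding database, and DAI and IP Source Guard both check traffic against that database. The following Python model is an added example, not MikroTik code or configuration; the class and method names, port numbers, MAC addresses and IP addresses are constructed for illustration, and lease expiry and release are left out.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # client MAC -> ingress port
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, port)

    def dhcp(self, port, msg_type, client_mac, ip=None):
        """Return True to forward a DHCP message, False to drop it."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted_ports:
                return False  # server reply on an untrusted port: rogue server
            if msg_type == "ACK" and client_mac in self.pending:
                # Lease confirmed by the trusted server: record the binding.
                self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
            return True
        self.pending[client_mac] = port  # DISCOVER / REQUEST from a client
        return True

    def _bound(self, port, mac, ip):
        # Traffic on trusted ports is not checked; elsewhere it must match a binding.
        return port in self.trusted_ports or self.bindings.get(mac) == (ip, port)

    def arp_allowed(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: ARP sender fields must match a binding."""
        return self._bound(port, sender_mac, sender_ip)

    def ip_allowed(self, port, src_mac, src_ip):
        """IP Source Guard: source IP/MAC must match a binding on this port."""
        return self._bound(port, src_mac, src_ip)


def demo():
    sw = SnoopingSwitch(trusted_ports={1})  # port 1: authorized DHCP server
    client, other = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"  # constructed MACs
    return [
        sw.dhcp(5, "DISCOVER", client),
        sw.dhcp(7, "OFFER", client, "192.0.2.66"),  # reply from untrusted port 7
        sw.dhcp(1, "OFFER", client, "192.0.2.10"),
        sw.dhcp(5, "REQUEST", client),
        sw.dhcp(1, "ACK", client, "192.0.2.10"),    # binding learned here
        sw.arp_allowed(5, client, "192.0.2.10"),
        sw.arp_allowed(7, other, "192.0.2.1"),      # no binding for this host
        sw.ip_allowed(5, client, "192.0.2.99"),     # source IP was never leased
    ], sw.bindings
```

Calling `demo()` returns the forward/drop decision for each event in order, together with the resulting binding table, so the effect of each rule can be read off against the event that triggered it.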