DHCP Snooping | Cisco CCNA 200-301

  • Added 26. 11. 2019
  • Free CZcams Playlists from Keith:
    Master Playlist for Cisco CCNA 200-301 ogit.online/sloth
    Cisco CCNA 200-301 Security ogit.online/200-301_Security
    Cisco CCNA 200-301 IPv4 Subnetting ogit.online/subnet
    And…
    Keith’s Content at CBT Nuggets ogit.online/Keith-CBT

Comments • 119

  • @KeithBarker 4 years ago +6

    Igor had a question about the layer 2 MAC to DHCP payload MAC verification. (around the 30 minute mark). By default that would not happen unless we also add this command:
    ip dhcp snooping verify mac-address
    Thanks to Igor for bringing that to my attention. I have it on my list to re-record this video. New version will have improved audio, and shorter duration. Thanks!

    • @hypnotiq54 4 years ago

      Keith, please keep the duration the same. Your style of speaking really drives home the information needed. It may seem like you're rambling but in reality you are providing excellent examples. There are so many nuggets hidden in this video. It would be a shame if that information got lost.

    • @jessequijano 3 years ago

      i read odom chapter on dhcp snoop and was confused by opt 82 as well. still don't get it? option 82 is injected by dhcp snoop?
      my current thinking is option 82 is injected as a way to indicate the dhcp request is a relayed request so that would happen in the switch that would forward it on to the router which would then do what should not normally happen and pass that frame across the boundary of the subnet to a dhcp server somewhere else in the network so why would the frame get rejected on its way back to the switch by the dhcp snooping logic if the inbound frame is arriving at a trusted port? still not clear on this, I'll keep looking for an answer until you re-record this video. thanks for all the content, cbt nuggets was the first of a few study materials I have been using (bombal, book, RG community)

  • @studywithsarah5525 2 years ago +3

    I've been studying CCNA for a few months now, and I'm so happy I found your videos!!!!! I genuinely started enjoying studying now thanks to you :))) The content you are creating is truly a blessing sir.

  • @mikethompson7406 1 year ago +1

    Thanks for the inspiring story about the CCIE. Really made me want to get back on my CCNP track. Don't know if I'll ever get to CCIE honestly but I think I'm smart enough to get CCNP. I'm getting back on this next week. INE is so expensive though for that training. Appreciate you sharing your story and whether you meant it or not, how encouraging it was!
    Thank you for all you do to help others! I've said this to you before but my buddy Zeeshan told me to view all your videos when I was learning networking and I've learned a lot over the past years because of the time you've invested into producing content for those who want to learn. Your teaching style makes it easy to understand. You don't teach like you're reading a white paper like a robot, you teach as you're talking to humans and make the technologies relatable.

  • @3333Amine 4 years ago +3

    Dear Mr. Keith,
    Thank you from the bottom of my heart, for all the contents you are providing, and especially for the story you shared with us at the end of this video

  • @gangstakrizzab9412 2 years ago +3

    For future viewers... the DHCP relevant content starts at about 10:45. DHCP Snooping relevant information starts at 17:15

  • @kirnikos 3 years ago

    The best part about Keith Barker is that he teaches you things about networking in wonderful and creative/out of the box ways AND he also inspires you.
    So, thank you Keith for teaching me DHCP snooping and thank you for inspiring me on setting and approaching goals. Thank you for helping me find my personal motivation to keep on learning.

    • @KeithBarker 3 years ago +1

      Happy to do it, thanks for the feedback Bogdan Ionescu.

  • @hudaalshahrablee1782 3 years ago +1

    So organized! and great tools to explain the topics

  • @isabel_journals 1 year ago

    Thank you so much for your story at the end. I am 52 and am looking to learn new skills. I've chosen to go back to school and learn information and networking. I have been learning for the past six months. It has been challenging and sometimes I want to give up because it seems so difficult. But let me tell you, that when I get a 100% on a packet tracer with no help, I feel like the smartest person in the world. But then I'm back to reality when I am working on the next packet tracer and I can only get to 68%. Talk about feeling miserable. No problem. I continue because that is what makes me me. I love the challenge of learning. Not really sure if I would take the CCNA test, but I know that I will have extra skills. Your channel is what I listen to before I read my class notes. Thank you so much for that 20% that you are offering to so many of us. It really does make a difference.

  • @rockinron5113 2 years ago

    Thanks for the tutorial, it was very informative and helped me understand the topic clearly and please stay on the soapbox as I found the piece at the end about your move into IT and your continual desire to improve inspiring. Thanks.

  • @roobski 1 year ago

    Thank you so much for sharing your story at the end of this video. Very inspiring as I just got my CWNA this past week and am going for my CCNA this September. I'm also in the middle of an interview process for a Technical Consulting Engineer which would be a dream job come true if I get it. Hearing your story adds to the motivation for me to not only get my CCNA this year, but my CCNP for other avenues as well and maybe even the CCIE!

  • @uddavupreti3665 3 years ago

    You are also the motivational Speaker. Thanks for your free service. Now moving to 37th.

  • @GREAT9245 3 years ago

    someway, somehow Keith changed my life ! thank you so much ! say thank you from VietNam.

  • @asu253941simi 3 years ago

    Thank you very much...Sir, I spend 3 days on this chapter from book and as well as Udemy but i just got perfect explanation from this video.. you are the best.. Thanks again

  • @prashantmalik9313 3 years ago

    Keith you give me motivation…👍🏻

  • @user-nh2di4dg9q 4 years ago +1

    stay awesome Keith!

    • @KeithBarker 4 years ago +1

      Thank you عبدالرحمن عادل!

  • @andersgjerlw9636 4 years ago +2

    Dynamic ARP Inspection for me.
    So a question, can dhcp snooping still apply to the switch if I don't have a DHCP server set up on my cisco router?
    Because I really want to have server 2016 to give out DHCP leases, but with the added security of MITM attack?
    good video on DHCP snooping subject. More videos of this kind of explanation Keith.

    • @KeithBarker 4 years ago

      Thank you for the vote, and the question. Yes, the DHCP snooping feature can be used regardless of which vendor or platform is being used for the actual DHCP server itself. Thank you for your comments!

  • @kevinjohnson2380 4 years ago +2

    Switchport security please, great stream Keith, looking forward to the next one 👍

    • @KeithBarker 4 years ago +1

      Thank you for the suggestion Kevin! Glad you are here. I will keep that one in the queue!

  • @zoltron30 3 years ago +1

    Great life story Keith👍

  • @alozanox89 4 years ago +2

    Thank you very much for the video. It has helped me. I only have one question ... how often is the DHCP allocation table updated on the switch? I have configured it and when I move the computer to another switch the mapping still appears on the previous switch. Thank you

    • @KeithBarker 4 years ago +2

      Thank you for the question Alberto. I don't know how long that information stays. I would have to look it up! If you find the answer, please let me know, and happy studies.

  • @averycarty7772 3 years ago

    thanks for the video, very helpful!

  • @morganscott5588 4 years ago

    Great Videos, really happy to find some info on some of the newly added CCNA topics. I looked around for some more Option 82 configuration info and found one source presenting it as CCIE material. I was able to get a feel for what it does and how it does it in general, but my question is, for CCNA level studies, is it accurate to say we only need to know how to disable it in the switch ip dhcp snooping configuration, and maybe some concepts of what it is? Thank you

    • @KeithBarker 4 years ago +1

      Thank you for the question Morgan. In the CCNA blueprint from Cisco in section 4 the goals include:
      Explain DHCP
      Configure DHCP client and relay
      Section 5 includes:
      Configure DHCP Snooping
      So as far as DHCP option 82, knowing how to disable it is both a good thing to know, but also likely above the CCNA level. If you know how to do it, and also know a little about option 82, you are covered either way.
      Thanks again, and happy studies.

  • @scottstrudwick1855 2 years ago

    Keith, I wish I had seen the video when you first published it. Excellent. my question is when the dhcp server is a virtual server with vmware on vlan 10 and it is connected to the L3 switch via a port-channel defined as trunk ports. there are several vlans on this trunk port as there are servers that are on different vlans. Only 1 dhcp server. do I add the 2 physical ports in the port-channel as trusted and dhcp snooping still work on the ip dhcp snooping vlan command even if they are coming across the trunk port?

    • @KeithBarker 2 years ago

      Thank you Scott Strudwick. Feel free to join my Discord server. Lots of people there helping each other out. Each Saturday at 10am Pacific I hold my "Office Hour" where learners can ask questions about the topics they are studying. Mostly focusing on Cisco CCNA 200-301 topics. Feel free to join us there live if you are available. Here is the link ogit.online/Join_OGIT_on_Discord
      Thanks again Scott Strudwick!

  • @isaaacnew7615 3 years ago

    I have got a question. I appreciate your time effort put into these videos.
    Can you make etherchannel as trusted ports with dhcp snooping ?

  • @O2C69 4 years ago

    Hi Keith,
    My question here is:
    do we need to individually configure each access switch for 'dhcp snooping' for given vlans or can we configure a policy to be pushed out to all access switches, this also applies to other general configuration settings for switches e.g. ntp servers (global settings) that can be applied as a policy and pushed out, it would be great to have a feature on a L3 switch to configure policies centrally from Core; and then push out these policies to access switches, or is this type of 'policy configuration' with multiple generic settings part of automation (python)?
    Thanks 🤔
    One more thing, i have my own cisco & hypervisor lab, where can i get cisco practice lab scenarios to download / configure / troubleshoot ?
    Thanks Again.

    • @KeithBarker 4 years ago

      Yes, there are ways to automate the collection and pushing of information to network devices that include the use of scripts.
      Check out DataKnox for more specifics: czcams.com/channels/i7SD3zfCjkiDWvSFthIQSg.html
      Regarding labs, what emulator are you using? That will drive many of the questions regarding sources for practice labs.

  • @popquizzz 4 years ago

    What is the RFC for DHCP Snooping? And did you ever teach at Cisco in Mountain View CA in the early to mid 90's?

    • @KeithBarker 4 years ago

      Thank you for the question Glen. I don't recall teaching at Cisco in the mid 90's. RFC 2131 is about DHCP itself, but the snooping part is a security measure, not really a standard. Thanks for watching, and for the questions.

  • @PakistanAlg 4 years ago +1

    keith i want to buy a palo alto FW, which one you showed us in the video. licenses are included in the firewall or not. is the FW PA200, you have

    • @KeithBarker 4 years ago

      I have a PA200, I purchased it from a Palo Alto authorized partner, and along with the firewall I purchased a 1 year license. To renew that license, it also requires going through a Palo Alto partner. At the moment, I don't have an active license, and that is the partial reason the firewall isn't being currently used at my home office.

  • @scottspa74 2 years ago

    At about 16:30, regarding your MiM scenario, I don't get how one could get on a network, and just declare 'now I'm the default gateway'. Would you just put your interface address into your DHCP config as default-router, or maybe make a /32 at the end of the primary network address space that directly connects you to the real DG, but places you as a DG downstream from the real DG 🤔 (that probably wouldn't work on account of it creating a network different from the one all the clients are on, I think).
    I'm just really curious what this would look like. Thanks for great instruction, Keith.

    • @KeithBarker 2 years ago

      Thank you Scott Sparling. Feel free to join my Discord server. Lots of people there helping each other out. Each Saturday at 10am Pacific I hold my "Office Hour" where learners can ask questions about the topics they are studying. Mostly focusing on Cisco CCNA 200-301 topics. Feel free to join us there live if you are available. Here is the link ogit.online/Join_OGIT_on_Discord
      Thanks again Scott Sparling!

  • @ferrypratama6627 4 years ago +1

    Great as always Keith!
    I would like a stream about DAI, thank you!

    • @KeithBarker 4 years ago

      Thank you for the comments! Glad you are here. DAI it is, on Dec 4th.

    • @ferrypratama6627 4 years ago

      @KeithBarker Hey Keith, I have some question but it's not about dhcp snooping :)
      My question is, If someone ask me about this IP address 191.71.38.9/24 What kinda class this IP have?
      - is this a class B IP? since its started with 191.X.X.X
      - or this is a class C IP, because it has a /24 prefix
      I hope you can help me.
      Thank you.

    • @knight024 4 years ago +1

      @ferrypratama6627 191 is a public IP address not private, and with that it is the range of 128.1.0.1 to 191.255.255.254 is considered a class B which would be a /16 prefix handed out from the ISP, which you can further subnet to fit your needs.

    • @ferrypratama6627 4 years ago +1

      @knight024 thank you my friend

  • @treez250 3 years ago

    Are those CHERRY MX BLUE I hear? What keyboard is that?

  • @scottspa74 2 years ago

    Show ip int brief on R-3 had some entries that seemed odd to me, and left me wondering. 1) why does g0/1 have subinterfaces when only 1 device is attached to the switch, and 2) both subinterfaces are on g0/1, but g0/1 itself has an IP address, I always believed the interface hosting the subinterfaces could NOT have an address of its own ? Thanks

    • @KeithBarker 2 years ago

      Thank you for the question Scott Sparling.
      For the sub-interfaces, they each support a specific VLAN, based on the 802.1Q tags.
      For data-plane traffic that doesn't include an 802.1Q tag, (such as VLAN 1 if that is the native VLAN), that traffic is processed by the physical interface (presuming it has an IP address configured on that physical interface). Think of the physical interface as handling the untagged VLAN 1 traffic (if using the defaults).

  • @MegaWakers 2 years ago

    Hi Keith, it may be too late to ask but I'm struggling to understand why option 82 would cause an issue. I've tried googling it but I can't find any information. Would you be able to explain in more detail what issue could be caused?

    • @KeithBarker 2 years ago

      Thank you Danny. Feel free to join my Discord server. Lots of people there helping each other out. Each Saturday at 10am Pacific I hold my "Office Hour" where learners can ask questions about the topics they are studying. Mostly focusing on Cisco CCNA 200-301 topics. Feel free to join us there live if you are available. Here is the link ogit.online/Join_OGIT_on_Discord
      Thanks again Danny!

  • @eznight25 4 years ago

    The Option 82 portion is a little confusing. If we turn off Option 82 then how will the clients, that need their Discover message relayed, get their DHCP IP address? Won't turning off Option 82 kill their request?

    • @KeithBarker 4 years ago

      Thanks for the question. Option 82 isn't always needed for DHCP relay to work. blog.ine.com/2009/07/22/understanding-dhcp-option-82

  • @igorguljas3601 4 years ago

    Hi Keith,
    I don't understand, on 31min, why is blocking port for client 5 (discover msg)?

    • @KeithBarker 4 years ago +1

      Thank you for the question Igor Guljaš. With DHCP snooping, one of the extra benefits is that if the client is lying about its layer 2 address (meaning it is different in the DHCP payload, vs what is in the layer 2 header as part of the Discover DHCP message) the port will drop the packet.
      Here is more detail, in the section called "Packet Validation"
      www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html#wp1101946
      Upon closer reading, for that check to be used the configuration would need to include:
      ip dhcp snooping verify mac-address
      In my config, starting with the defaults, it would not have had that, so I was premature in saying that. I add to my list a redo of that video, and when I do it will be with better audio, and shorter! Thank you for your great question and insight.
      Thanks, and happy studies!!!

  • @thoughtfully 4 years ago

    I LOVE the faux brick wall, I'm super curious about it..

    • @KeithBarker 4 years ago

      Thank you Marzella. Amazon, Art3d White Wall Panels Brick Design 3D Wall Panels, White, 12 Tiles 32 Sq Ft
      Cheers!

  • @zoltron30 1 year ago

    I set this up and port fa0/2 is trusted but I was still able to run Yersinia on port fa0/3 and drain by dhcp pool. Does port security have to be setup as well on fa0/3?

    • @KeithBarker 1 year ago +1

      Thank you for the question zoltron30. DHCP snooping can do rate-limiting, but you would also want to implement port security as well.

  • @luckyshotvidz1351 3 years ago

    Is it possible to set a port-channel interface as trusted for DHCP Snooping? In my lab I have my access switch connected to my multi-layer via etherchannel. When I go into the port channel interface there are no IP options available. I tried setting the individual interfaces that make up the port channel as trusted for snooping, but that doesn't seem to be working. Not sure if I'm doing something wrong or if it's a limitation of packet tracer.

    • @KeithBarker 3 years ago

      Thank you for the question. I don't think Packet Tracer is fully "baked" and ready for all the DHCP snooping functions.

    • @luckyshotvidz1351 3 years ago

      @KeithBarker OK I figured that was the case. Thanks!

  • @swakaable 4 years ago

    Hi Keith what is the difference between a dhcp trusted port and an arp trusted port?

    • @KeithBarker 4 years ago

      Thank you for the question Bob_Om.
      If DHCP snooping is enabled on a VLAN, a trusted port allows DHCP server related messages in on that port.
      If Dynamic ARP Inspection is enabled on a VLAN, a trusted port doesn't bother checking for a match (from a static entry or learned from the snooping binding table), regarding ARP messages that come in on that port.

  • @ahnicc 3 days ago

    That normal distribution shirt give me ptsd. For my statistics class.

  • @WorldReserveCurrency 4 years ago +1

    Awesome lecture!

    • @KeithBarker 4 years ago

      Thank you for the comments! Glad you are here.

  • @zacay5717 3 years ago

    The book keith is talking about around the hour mark is automate the boring stuff with python. It's written by Al Sweigart. I highly recommend it.

  • @QasimKhan-du5nn 3 years ago

    Hi Keith, If there is
    interface vlan 10
    IP helper-address 192.168.10.5
    will DHCP request only go to broadcast

  • @AliKhan-jk4nt 3 years ago

    Where is the practical of this lab would you like to tell me please ?

  • @chaitanyapr7450 3 years ago

    How does the switch know that it (incoming frame) is a DHCP offer message?

    • @KeithBarker 3 years ago

      Thank you for the question Chaitanya Pr.
      The switch, with the DHCP Snooping feature, is taking a look (higher than just layer 2) at the packets and payloads regarding DHCP.
      On an untrusted port the switch will drop the packet/frame if it sees an incoming:
      DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY (messages that could be sent by the DHCP server).
      Hope that helps, and happy studies.

    • @chaitanyapr7450 3 years ago

      Thank you
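
The drop rule from the reply above, together with the layer 2 versus payload MAC check from the earlier reply about `ip dhcp snooping verify mac-address`, as an added Python sketch that is not part of the original comments and is not Cisco's implementation. The function names, MAC addresses and packets are constructed for illustration; the MAC check is opt-in as the thread describes, and dropping unparseable payloads is this sketch's own assumption.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options
# Option 53 values for the server-side messages the reply lists as
# dropped when they arrive on an untrusted port.
SERVER_TYPES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK",
                10: "DHCPLEASEQUERY"}


def build_dhcp(msg_type, chaddr):
    """Build a minimal BOOTP/DHCP payload (constructed sample input)."""
    op = 2 if msg_type in (2, 5, 6) else 1  # 2 = BOOTREPLY, 1 = BOOTREQUEST
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, len(chaddr), 0, 0x1234ABCD, 0, 0,
                        b"", b"", b"", b"", chaddr, b"", b"")
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (message_type, chaddr); raise ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    chaddr = payload[28:28 + hlen]  # client hardware address field
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:      # end option
            break
        if code == 0:        # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            return value[0], chaddr
        i += 2 + length
    raise ValueError("no message type option")


def snoop(port_trusted, src_mac, payload, verify_mac=False):
    """Model the per-frame decision; returns (action, reason)."""
    try:
        msg_type, chaddr = parse_dhcp(payload)
    except ValueError:
        return "drop", "unparseable DHCP payload"  # assumption of this sketch
    if port_trusted:
        return "forward", "trusted port"
    if msg_type in SERVER_TYPES:
        return "drop", SERVER_TYPES[msg_type] + " on untrusted port"
    if verify_mac and chaddr != src_mac:
        return "drop", "chaddr differs from source MAC"
    return "forward", "client message"


if __name__ == "__main__":
    client = bytes.fromhex("020000000005")   # constructed frame source MAC
    other = bytes.fromhex("0200000000ff")    # constructed payload MAC
    print(snoop(False, client, build_dhcp(2, client)))
    print(snoop(True, client, build_dhcp(2, client)))
    print(snoop(False, client, build_dhcp(1, other)))
    print(snoop(False, client, build_dhcp(1, other), verify_mac=True))
```
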

  • @greatnessembodied 4 years ago

    Access lists please. Both standard and extended.

    • @KeithBarker 4 years ago

      Thank you for the vote, I will keep that one in the queue and we will get to it!

  • @GadgetRobb 4 years ago

    What is the song at the start of the video?

    • @KeithBarker 4 years ago +1

      Thank you for the question Robb. I cycle through a few of those, from epidemicsound.com, and I don't recall that name for that specific song.
      Thanks for watching!

    • @GadgetRobb 4 years ago +1

      Keith Barker thanks for the amazing videos. You inspired me and helped me get my CCNA two years ago. Now I want to go for the new style CCNP.

  • @hcetc 4 years ago +1

    Dynamic ARP Inspection next week. As always Keith, thanks a lot.

    • @KeithBarker 4 years ago

      Thank you Samuel Chege! Glad you are here.

  • @riff1175 4 years ago +1

    option 82 and ARP Inspection please

    • @KeithBarker 4 years ago

      Thank you for the vote and comments. DAI is on the agenda for Dec 4. Thanks again.

  • @yunick6800 4 years ago

    Tell us more about option 82

    • @KeithBarker 4 years ago

      Here is a good article about it...
      slaptijack.com/networking/what-is-dhcp-option-82/

  • @greatnessembodied 4 years ago +1

    Hey Keith my DHCP server keeps getting "Bad address" for some Ip addresses and this happens randomly.

    • @KeithBarker 4 years ago +4

      Check the scope for the pool addresses being handed out. If for a local network make sure the mask on the interface is the same length of mask for the addresses being handed out.

  • @Arayankodesouth 4 years ago

    what is dhcp option 82...????

    • @KeithBarker 4 years ago +1

      blog.ine.com/2009/07/22/understanding-dhcp-option-82

  • @Moorejc520 2 years ago

    46:25 ow ow!

  • @Kos115 3 years ago +1

    Video starts at 8:00

  • @Don-Carillo 4 years ago +1

    D Arp please

    • @KeithBarker 4 years ago +1

      Thank you for the vote. That is the majority vote (DAI) so that is what we will do on Dec 4th. Thanks and see you then!

    • @Don-Carillo 4 years ago

      @KeithBarker thanks Keith. Look forward to it. Love your work 👍

  • @aaronmckeever3601 4 years ago +1

    (DAI) please.

    • @KeithBarker 4 years ago

      Thank you for the vote, and you got it! Dec 4 we will cover DAI. Thanks again.

  • @berndeckenfels 2 years ago

    8:00 start

  • @iosys9711 4 years ago

    [1:10:15] DORA broadcast or unicast

    • @KeithBarker 4 years ago +1

      Depends on the initial discover message. If the broadcast bit is on, then all 4 packets on the local network between client and dhcp server will be broadcast.

  • @mikeeno104 4 years ago

    ACL

    • @KeithBarker 4 years ago

      Thanks Mike. Will keep that one in the queue.