I want to know which one is better if you want to protect your network so that DHCP requests are fulfilled by the right DHCP server.
What I know about these is:
Helper-address: it will unicast traffic to a specified unicast address.
DHCP Snooping: it will not allow DHCP service to be offered from anything other than a trusted port.
What other differences are there between the two, and which one is more secure and recommended?
They both serve two completely different functions. It's like asking which is a better food, a banana or steak.
The helper-address will forward DHCP requests on to an off-network DHCP server. So it's used to help GET an address for hosts.
DHCP Snooping on the other hand has nothing to do with whether or not a host gets an address. It merely makes sure that the client does actually request one and has the ability of setting trust levels, filtering "bad" requests and maintaining a list of valid or invalid hosts. But it specifically does not set addressing.
Kinda like the people on the side of the road who count traffic. They can count, and tell you things about traffic patterns, but they don't operate the stop lights, nor do they drive the cars!
Given your question, and building on Scott's excellent explanation above, DHCP Snooping is a protection mechanism, the helper-address is just a forwarding mechanism. With DHCP Snooping you can tell the device what port is trusted to receive DHCP OFFER messages on. All other ports - which are not trusted - would drop those frames/packets.
Just to be consistent, your example does not really make sense because banana and steak serve the same purpose; DHCP snooping and ip-helper do not. ;P
Dear Travis and Scott,
Thanks for your valuable input. I still have one doubt; can you please clear it up?
Suppose that for VLAN 10 DHCP requests I used a helper address so they get resolved by VLAN 11 (a specific IP).
If a DHCP server is connected to VLAN 10 itself,
does the DHCP request still go to VLAN 11 (the mentioned helper address), or does it get resolved by the DHCP server connected to its own VLAN?
I mean, is it sent directly to the IP mentioned in the helper address, or does it first check the same VLAN?
They have some similar features (both are food, much like both technical pieces above have to do with DHCP) but they are yet COMPLETELY different from each other in many other ways.
And if you were vegetarian, they most definitely would not serve the same purpose!
If there is a DHCP server locally on the VLAN, then it would get processed locally (AND forwarded if there's an ip helper as well), but the client would get the response from the first device (presumably the local one) to use.
The router doesn't know, see, or otherwise acknowledge a local DHCP server. It just sees the broadcast discovery message and forwards it on based on the instructions provided!
Excellent comparison and explanation. Thank you Travis and God Scott
Dear Scott, many thanks for the quick reply.
It means the ideal scenario is to use both at the same time:
helper-address to get the right path to the DHCP server for assigning IPs,
DHCP Snooping to avoid an unexpected DHCP server being used.
DHCP snooping is pretty awesome.
The DHCP Snooping feature is configured in order to get more security, protecting your network from what are known as rogue DHCP servers. The basic concept is a malicious user who brings an unauthorized DHCP server up to interrupt the normal DHCP assignments of your network.
The "ip helper-address" command is for when you have a DHCP server in a separate segment and you have to send DHCP requests to another network. Why is this necessary in this environment? Because the router does not forward broadcasts, and DHCP requests are initially broadcast.
Hollywood0728, I think you are wrong: DHCP Snooping is extremely awesome! Just kidding.
Message was edited by: Elvin Arias
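The combination the thread converges on (relay with ip helper-address, protection with DHCP snooping), as an added Cisco IOS configuration example that is not part of any post above. VLAN 10 and VLAN 11 follow the thread; interface names, IP addresses and the rate limit are constructed assumptions, and exact behaviour varies by platform and software release.

```cisco
! ---- Access switch (layer 2) carrying the VLAN 10 clients ----
! Enable snooping globally, then only for the client VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
! Snooping inserts option 82 by default; a Cisco relay upstream may drop
! requests that carry option 82 with a zero giaddr. Either disable the
! insertion here or configure the relay to accept such requests.
no ip dhcp snooping information option
!
! Assumed uplink toward the gateway / authorized DHCP server: the only
! port on which DHCP server messages (OFFER, ACK, NAK) are accepted.
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
!
! Assumed client ports: untrusted by default, so an OFFER from a DHCP
! server plugged in here is dropped. The rate limit (assumed value)
! caps DHCP packets per second from one port.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! ---- Layer 3 gateway for VLAN 10 ----
! Relay client broadcasts as unicast to the server in VLAN 11.
! 10.0.10.1 and 10.0.11.5 are constructed addresses.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.11.5
!
! ---- Verification on the access switch ----
! show ip dhcp snooping           (enabled VLANs, trusted ports, rate limits)
! show ip dhcp snooping binding   (MAC / IP / VLAN / port learned from ACKs)
```

With only the helper-address configured, a second DHCP server attached to a VLAN 10 access port could still answer clients directly, which is the case discussed above; the untrusted-port drop is what closes that gap.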