DHCP Snooping
Fixed Switch Configuration Guide 26-19
into the software forwarding path, where it may be processed by the DHCP relay agent, the local
DHCP server, or forwarded as an IP packet.
DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The
message is forwarded on all trusted interfaces in the VLAN. If a DHCP relay agent or local DHCP
server co-exist with the DHCP snooping feature, DHCP client messages will be sent to the DHCP
relay agent or local DHCP server to process further.
The ports on the switch through which DHCP servers are reached must be configured as trusted
ports so that packets received from those ports will be forwarded to clients in hardware. DHCP
packets from a DHCP server (DHCP OFFER, DHCP ACK, DHCP NAK) are dropped if received
on an untrusted port.
Building and Maintaining the Database
The DHCP snooping application uses DHCP messages to build and maintain the bindings
database. The bindings database includes only data for clients on untrusted ports. The bindings
database includes the following information for each entry:
• Client MAC address
• Client IP address
• Time when client's lease expires
• Client VLAN ID
• Client port
DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages.
Tentative bindings tie a client to a port (the port where the DHCP client message was received).
Tentative bindings are completed when DHCP snooping learns the client's IP address from a
DHCP ACK message on a trusted port. DHCP snooping removes bindings in response to
DECLINE, RELEASE, and NAK messages. The DHCP snooping application ignores the ACK
messages sent in reply to DHCP INFORM messages received on trusted ports. You can also
enter static bindings into the bindings database with the set dhcpsnooping binding command.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates
the entries in the database.
If the absolute lease time of a snooping database entry expires, then that entry will be removed.
Care should be taken to ensure that system time is consistent across the reboots. Otherwise,
snooping entries will not expire properly. If a host sends a DHCP RELEASE message while the
switch is rebooting, the release is not seen by the switch; the client's binding returns to the
tentative state when the switch next receives a DHCP DISCOVER or REQUEST message from
that client.
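The following is an added example, not code from the configuration guide or from the switch firmware. It simulates the trust and binding rules described above (server messages dropped on untrusted ports, tentative bindings from DISCOVER/REQUEST, completion from an ACK on a trusted port, removal on DECLINE/RELEASE/NAK, expiry at the absolute lease time). The message fields, port names (ge.1.1, ge.1.24), MAC addresses and the trace are constructed for illustration; the rule that an ACK answering a DHCPINFORM carries no yiaddr is taken from RFC 2131 and is how this simulation recognizes such an ACK.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DhcpMsg:
    kind: str                      # DISCOVER, OFFER, REQUEST, ACK, NAK, DECLINE, RELEASE, INFORM
    port: str                      # switch port the message arrived on
    vlan: int
    client_mac: str                # chaddr of the client
    yiaddr: Optional[str] = None   # address offered/assigned by the server; None in an ACK to INFORM
    lease: int = 0                 # lease time in seconds (carried in the ACK)


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    ip: Optional[str] = None       # filled in when the binding is completed
    expires: Optional[int] = None  # absolute expiry time; None while tentative

    @property
    def tentative(self) -> bool:
        return self.ip is None


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class DhcpSnooper:
    """Simplified DHCP snooping decisions for one switch (constructed model)."""

    def __init__(self, trusted_ports: List[str]) -> None:
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> Binding

    def process(self, m: DhcpMsg, now: int) -> str:
        """Return 'forward' or 'drop' and update the bindings database."""
        key = (m.client_mac, m.vlan)
        if m.port not in self.trusted:
            # Server messages are only legitimate on trusted ports.
            if m.kind in SERVER_MSGS:
                return "drop"
            if m.kind in ("DISCOVER", "REQUEST"):
                # Tentative binding: the client is tied to the ingress port.
                self.bindings[key] = Binding(m.client_mac, m.vlan, m.port)
            elif m.kind in ("DECLINE", "RELEASE"):
                self.bindings.pop(key, None)
            # INFORM creates no binding; valid client messages go out on trusted ports.
            return "forward"
        # Trusted port: server replies are forwarded; learn the client's address from them.
        if m.kind == "ACK":
            b = self.bindings.get(key)
            # An ACK answering DHCPINFORM carries no yiaddr (RFC 2131) and is ignored.
            if b is not None and m.yiaddr is not None:
                b.ip = m.yiaddr
                b.expires = now + m.lease
        elif m.kind == "NAK":
            self.bindings.pop(key, None)
        return "forward"

    def expire(self, now: int) -> List[Tuple[str, int]]:
        """Remove entries whose absolute lease time has passed; return the removed keys."""
        gone = [k for k, b in self.bindings.items() if b.expires is not None and b.expires <= now]
        for k in gone:
            del self.bindings[k]
        return gone


def run_demo() -> Tuple[List[str], DhcpSnooper]:
    """Constructed trace: client on untrusted ge.1.1, real DHCP server behind trusted ge.1.24."""
    s = DhcpSnooper(trusted_ports=["ge.1.24"])
    mac = "00:11:22:33:44:55"
    trace = [
        (0, DhcpMsg("DISCOVER", "ge.1.1", 10, mac)),
        (1, DhcpMsg("OFFER", "ge.1.2", 10, mac, yiaddr="10.0.0.99")),   # server reply on an untrusted port
        (1, DhcpMsg("OFFER", "ge.1.24", 10, mac, yiaddr="10.0.0.5")),
        (2, DhcpMsg("REQUEST", "ge.1.1", 10, mac)),
        (3, DhcpMsg("ACK", "ge.1.24", 10, mac, yiaddr="10.0.0.5", lease=3600)),
        (4, DhcpMsg("INFORM", "ge.1.1", 10, mac)),
        (5, DhcpMsg("ACK", "ge.1.24", 10, mac)),                        # reply to INFORM: no yiaddr
    ]
    actions = [s.process(m, t) for t, m in trace]
    return actions, s


if __name__ == "__main__":
    acts, snooper = run_demo()
    print(acts)                 # second entry is 'drop': OFFER on untrusted port
    print(snooper.bindings)     # one completed binding, expires at 3603
```

The second OFFER in the trace is the case the guide's trust rule exists for: it never reaches the client. The ACK at time 5 leaves the binding untouched because it has no yiaddr, matching the rule that ACKs replying to INFORM are ignored.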
Rate Limiting
To protect the switch against DHCP attacks when DHCP snooping is enabled, the snooping
application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP
snooping monitors the receive rate on each interface separately. If the receive rate exceeds a
configurable limit, DHCP snooping brings down the interface. Use the set port enable command
to re-enable the interface. Both the rate and the burst interval can be configured.
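As an added illustration of the rate limit described above (not code from the guide or the switch), the model below counts DHCP packets per untrusted interface over a burst interval and brings the interface down when the count exceeds rate multiplied by burst interval. A separate enable() call stands in for the administrator re-enabling the port. The counting method, port names and packet timings are assumptions made for this example.

```python
from typing import Dict, List, Set, Tuple


class DhcpRateLimiter:
    """Per-interface DHCP packet rate limit (constructed model of the guide's description)."""

    def __init__(self, rate_pps: int, burst_interval_s: float) -> None:
        self.rate = rate_pps                  # configured limit in packets per second
        self.burst = burst_interval_s         # configured burst interval in seconds
        self.windows: Dict[str, Tuple[float, int]] = {}   # port -> (window start, count)
        self.disabled: Set[str] = set()       # interfaces brought down by the limiter

    def packet(self, port: str, now: float) -> str:
        """Account one DHCP packet received on an untrusted port.

        Returns 'accept', 'disabled' (this packet pushed the port over the limit)
        or 'drop' (port is already down and stays down until re-enabled).
        """
        if port in self.disabled:
            return "drop"
        start, count = self.windows.get(port, (now, 0))
        if now - start >= self.burst:
            # New burst interval: restart the count for this interface.
            start, count = now, 0
        count += 1
        self.windows[port] = (start, count)
        if count > self.rate * self.burst:
            self.disabled.add(port)
            return "disabled"
        return "accept"

    def enable(self, port: str) -> None:
        """Administrative re-enable (the role of 'set port enable' in the guide)."""
        self.disabled.discard(port)
        self.windows.pop(port, None)


def run_demo() -> List[str]:
    """Constructed trace: 5 pps limit over a 2 s burst interval, so 10 packets per interval."""
    lim = DhcpRateLimiter(rate_pps=5, burst_interval_s=2)
    results = [lim.packet("ge.1.1", i * 0.1) for i in range(11)]   # 11 packets in one second
    results.append(lim.packet("ge.1.1", 5.0))                        # still down later
    results.append(lim.packet("ge.1.2", 5.0))                        # other ports unaffected
    lim.enable("ge.1.1")
    results.append(lim.packet("ge.1.1", 6.0))                        # accepted again
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the limit is enforced per interface, a burst on one port does not affect clients on the others, which is why the guide describes the receive rate as monitored on each interface separately.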
Basic Configuration
Procedure 26-6 on page 26-20 describes the commands used to configure DHCP Snooping. Refer
to the CLI Reference for your platform for command details.