DHCPv4 snooping mitigates the denial-of-service risk posed by rogue DHCP servers. A rogue server competes with the legitimate DHCP servers that configure hosts for communication on the network, and a host that accepts a rogue lease receives an invalid configuration and loses connectivity.
DHCPv4 snooping relies on trusted ports, which are the ports identified as having legitimate DHCP servers attached. As clients obtain leases, the device builds a binding database that records, for each host, its MAC address, the leased IP address, the lease time, the binding type, and the VLAN number and interface the host is on. The device then filters DHCP server messages that arrive on untrusted ports, so that only the legitimate servers can answer clients.
Other security features, such as dynamic ARP inspection and IP source guard, also use the information in the binding database. For more information, see the Dynamic ARP Inspection and DHCP Snooping and the IP Source Guard and DHCP Snooping topics.
Because the DHCP snooping feature is implemented in the SLX-OS software, all DHCP messages for enabled VLANs are intercepted in the hardware and directed to the software for processing.
In a service provider or enterprise network, devices under administrative control are trusted devices. These devices include the switches, routers, and servers in the network. Any device outside the network is an untrusted source. Host ports and unknown DHCP servers are generally treated as untrusted sources.
In SLX-OS, you indicate that a source is trusted by configuring the connected interface as trusted. By default, all interfaces are untrusted. Leave interfaces that connect DHCP clients untrusted and configure as trusted only the interfaces through which DHCP servers are reached. Because DHCP client requests are forwarded only to trusted interfaces, a DHCP snooping-enabled VLAN must have at least one trusted member interface through which a trusted DHCP server is reachable; otherwise no client on that VLAN can obtain a lease.
The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each host with a leased IP address that is connected through an untrusted interface on a VLAN with DHCP snooping enabled. It does not contain entries for hosts connected through trusted interfaces.
The DHCP snooping feature updates the database when the device receives specific DHCP messages. For example, it adds an entry when the device receives an acknowledgment (DHCPACK) message from the server, and it removes the entry from the database when the IP address lease expires or the device receives a release (DHCPRELEASE) message from the host. You can also use the ip dhcp snooping binding command to add a static binding entry to the database.
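The following Python model is an added example, not SLX-OS code, that shows the trusted/untrusted filtering and the binding-database upkeep described above in one place: server messages on untrusted ports are dropped, an ACK from a trusted port creates a binding for the untrusted client port that sent the request, a release from the bound port or a lease expiry removes it, and a static entry never expires. The message fields, port names, MAC addresses, VLAN numbers and the injected clock are all constructed; the rule that a release must arrive on the port recorded in the binding is an assumption added here, not something the page states.

```python
"""DHCPv4 snooping model: trust filtering and binding-database upkeep.

Added illustrative example, not SLX-OS code.  Message fields, port names,
MAC addresses, the VLAN and the clock are all constructed for the demo.
"""
from dataclasses import dataclass

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = range(1, 8)
SERVER_MSGS = {OFFER, ACK, NAK}


@dataclass
class DhcpMsg:
    msg_type: int
    client_mac: str          # chaddr
    vlan: int
    in_port: str             # interface the switch received the message on
    yiaddr: str = "0.0.0.0"  # address assigned by the server (OFFER/ACK)
    lease: int = 0           # option 51, seconds (ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    expires_at: float
    btype: str = "dynamic"


class DhcpSnooper:
    """Per-device snooping state; `clock` is injected so expiry can be tested."""

    def __init__(self, snooping_vlans, trusted_ports, clock):
        self.snooping_vlans = set(snooping_vlans)
        self.trusted_ports = set(trusted_ports)
        self.clock = clock
        self.bindings = {}   # (vlan, mac) -> Binding
        self.pending = {}    # (vlan, mac) -> untrusted port with a request in flight

    def process(self, m):
        """Return 'forward' or 'drop' for one intercepted DHCP message."""
        if m.vlan not in self.snooping_vlans:
            return "forward"              # VLAN not snooped: nothing is intercepted
        trusted = m.in_port in self.trusted_ports
        key = (m.vlan, m.client_mac)
        if m.msg_type in SERVER_MSGS:
            if not trusted:
                return "drop"             # server message on an untrusted port: rogue server
            if m.msg_type == ACK:
                port = self.pending.pop(key, None)
                if port is not None:      # only hosts behind untrusted ports get entries
                    self.bindings[key] = Binding(m.client_mac, m.yiaddr, m.vlan,
                                                 port, self.clock() + m.lease)
            return "forward"
        if trusted:
            return "forward"              # hosts on trusted ports are not tracked
        if m.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = m.in_port  # remember where the client lives for the ACK
        elif m.msg_type == RELEASE:
            b = self.bindings.get(key)
            if b is None or b.port != m.in_port:
                return "drop"             # assumption: a release must come from the bound port
            del self.bindings[key]
        return "forward"                  # client requests go out trusted ports only

    def add_static(self, mac, ip, vlan, port):
        """Equivalent of a manually configured binding: never expires."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port, float("inf"), "static")

    def expire(self):
        """Remove bindings whose lease has run out; return the number remaining."""
        now = self.clock()
        for key in [k for k, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[key]
        return len(self.bindings)

    def lookup(self, vlan, mac):
        b = self.bindings.get((vlan, mac))
        return None if b is None else b.ip
```

The pending table is what lets the ACK, which arrives on the trusted server port, be attributed to the untrusted client port; without it the binding could not record the interface that IP source guard and dynamic ARP inspection later match against.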
Binding entries are stored in a persistent file system (FS) so that the database can be rebuilt when the system reboots. If the system reboots because of a software failure, administrative maintenance, or a power outage, the device retains the entries because hosts holding valid leases may not renegotiate the DHCP transactions that would rebuild them; their traffic should continue to be forwarded on the basis of the bindings learned before the reboot.
Entries are written to the FS periodically, on a non-configurable interval of 5 minutes, to reduce system load. Binding entries learned between the last write to the FS and a reboot are lost, so a host whose lease was learned in that window has no entry after the reboot until it completes a new DHCP exchange. The binding database is stored on the device's flash memory and is not transferred to any remote server.
When DHCP snooping Option-82 is enabled, the device inserts a circuit-id (the incoming interface ID and its description) and a remote-id (the VLAN and the MAC address of the incoming interface) into DHCP request packets before forwarding them to the DHCP server. When the device receives a DHCP response from the server, it verifies that it originally inserted the Option-82 data by inspecting the remote-id and circuit-id fields, then removes the Option-82 field and forwards the packet to the client. If an incoming DHCP request packet already carries Option-82, the packet is not modified; it is either dropped or forwarded as-is, depending on the state of the "Option-82 allow untrusted" feature.
By default, the device drops DHCP packets that include Option-82 when they are received on an untrusted port of a DHCP snooping-enabled VLAN. In some topologies, an edge device inserts Option-82 to better identify the subscriber network and DHCP snooping is enabled on an aggregation device; there you may want DHCP packets that include Option-82 to be accepted on an untrusted port. In such cases, enable the DHCP snooping "Option-82 allow untrusted" feature on the untrusted interface that connects to the known edge switch, and only on that interface, because it also accepts Option-82 data supplied by anything else behind that port.
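The following Python example is added here and is not SLX-OS code. It shows the Option-82 handling described above at the byte level: inserting circuit-id and remote-id sub-options (RFC 3046) into a request's option list, refusing to rewrite a request that is already tagged and applying the allow-untrusted rule to it, and verifying and stripping the option from the server's reply before it goes back to the client. The switch MAC, the interface table, the port names and the option payloads are constructed, and the text layout used for the circuit-id and remote-id values is an assumption, since the page names their contents but not their wire format.

```python
"""DHCP Option-82 (relay agent information, RFC 3046) insertion and verification.

Added illustrative example, not SLX-OS code.  The switch MAC, interface table
and option payloads are constructed; the text layout of the circuit-id and
remote-id values is an assumption (the page names their contents, not the format).
"""

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlvs(buf, suboptions=False):
    """Decode code/length/value triples.  Top-level options honour PAD and END
    (RFC 2132); Option-82 sub-options (RFC 3046) have neither."""
    items, i = [], 0
    while i < len(buf):
        code = buf[i]
        if not suboptions and code == OPT_PAD:
            i += 1
            continue
        if not suboptions and code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        items.append((code, bytes(value)))
        i += 2 + length
    return items


def build_tlvs(items, with_end=True):
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + bytes([OPT_END]) if with_end else body


class Option82Agent:
    def __init__(self, switch_mac, interfaces, trusted_ports, allow_untrusted_ports):
        self.switch_mac = switch_mac
        self.interfaces = dict(interfaces)           # port -> description
        self.trusted = set(trusted_ports)
        self.allow_untrusted = set(allow_untrusted_ports)

    def agent_info(self, port, vlan):
        """circuit-id = interface and description; remote-id = VLAN and switch MAC."""
        circuit_id = f"{port}|{self.interfaces[port]}".encode()
        remote_id = f"{vlan}|{self.switch_mac}".encode()
        return build_tlvs([(SUB_CIRCUIT_ID, circuit_id),
                           (SUB_REMOTE_ID, remote_id)], with_end=False)

    def on_client_request(self, options, in_port, vlan):
        """('forward', options to send toward the server) or ('drop', None)."""
        items = parse_tlvs(options)
        if any(code == OPT_RELAY_AGENT for code, _ in items):
            # Already tagged upstream: never rewrite.  Forward only from trusted
            # ports or ports with "allow untrusted" enabled; otherwise drop.
            if in_port in self.trusted or in_port in self.allow_untrusted:
                return "forward", options
            return "drop", None
        items.append((OPT_RELAY_AGENT, self.agent_info(in_port, vlan)))
        return "forward", build_tlvs(items)

    def on_server_reply(self, options):
        """('forward', client port or None, options minus Option 82) or ('drop', None, None)."""
        items = parse_tlvs(options)
        agent = [value for code, value in items if code == OPT_RELAY_AGENT]
        if not agent:
            return "forward", None, options   # server did not echo the option; nothing to strip
        subs = dict(parse_tlvs(agent[0], suboptions=True))
        circuit = subs.get(SUB_CIRCUIT_ID, b"").decode(errors="replace")
        remote = subs.get(SUB_REMOTE_ID, b"").decode(errors="replace")
        port = circuit.split("|", 1)[0]
        if port not in self.interfaces or not remote.endswith("|" + self.switch_mac):
            return "drop", None, None         # not our insertion: refuse to relay it to a client
        stripped = build_tlvs([(c, v) for c, v in items if c != OPT_RELAY_AGENT])
        return "forward", port, stripped
```

The reply check keys on the remote-id carrying this switch's own MAC and the circuit-id naming one of its own interfaces; a reply whose Option-82 was inserted by some other device is dropped rather than delivered, and the recovered port is also the interface the reply should be sent out of.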