DHCPv4 Snooping

DHCPv4 snooping mitigates the security risk posed by rogue DHCP servers, which can cause denial of service by competing with the legitimate DHCP servers that configure hosts on the network for communication.

Snooping overview

DHCPv4 snooping uses trusted ports that have been identified as having legitimate DHCP servers attached. As clients communicate on the network, the device builds a binding database, which contains the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. The network device then filters DHCP server messages from untrusted ports to protect the integrity of legitimate DHCP servers and their operation.

DHCPv4 snooping performs the following activities:
  • Validates DHCP messages received from untrusted sources and filters out invalid messages
  • Forwards the DHCP request messages from untrusted hosts to configured trusted ports in that VLAN
  • Inserts (or removes) Option-82 to the DHCP packets
  • Rate-limits DHCP traffic from trusted and untrusted sources
  • Builds and maintains the DHCP snooping binding database
  • Uses the binding database to validate subsequent requests from untrusted hosts

Other security features, such as dynamic ARP inspection and IP source guard, also use information in the binding database. For more information, see Dynamic ARP Inspection and DHCP Snooping and IP Source Guard and DHCP Snooping.

Because the DHCP snooping feature is implemented in the SLX-OS software, all DHCP messages for enabled VLANs are intercepted in the hardware and directed to the software for processing.

Trusted and untrusted sources

In a service provider or enterprise network, devices under administrative control are trusted devices. These devices include the switches, routers, and servers in the network. Any device outside the network is an untrusted source. Host ports and unknown DHCP servers are generally treated as untrusted sources.

In SLX-OS, you indicate that a source is trusted by configuring the connected interface as trusted. By default, all interfaces are untrusted. All DHCP client-connected interfaces remain untrusted and DHCP server-connected interfaces are configured as trusted interfaces. Because DHCP client requests are forwarded only to trusted interfaces, a DHCP snooping-enabled VLAN must have at least one trusted member interface through which a trusted DHCP server is reachable.

Binding database

The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

The DHCP snooping feature updates the database when the device receives specific DHCP messages. For example, the feature adds an entry to the database when the device receives an acknowledgment message from the server. The feature removes the entry in the database when the IP address lease expires or the device receives a release message from the host. You can also use the ip dhcp snooping binding command to add a static binding entry to the database.

Maintenance of database entries is based on these rules:
  • An entry is not updated when a host moves to another interface (MAC move).
  • Interface admin down or link down does not remove the binding entries for that interface.
  • When DHCP snooping is disabled on a VLAN, entries for that VLAN are removed.
  • If the database is full, DHCP snooping continues to forward packets but new binding entries are not created.
  • Static binding entries are based on the values that the admin configured. The MAC, IP, and VLAN ID are validated only for format and range.
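The maintenance rules above can be checked against a small model. The following Python is an added example written for this page, not SLX-OS code: it keeps bindings keyed by (MAC, VLAN), uses a constructed capacity of three entries so the "database full" rule can be exercised, and assumes that a server acknowledgment seen on the same interface refreshes the lease while one seen on a different interface (MAC move) leaves the entry untouched. Static entries are validated for format and range only, as the text states.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed capacity for the example; the real limit is platform-specific.
DB_CAPACITY = 3
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    binding_type: str              # "dynamic" (learned) or "static" (admin-configured)
    lease_expiry: Optional[float]  # absolute time; None for static entries


class SnoopingBindingDB:
    """Model of the binding database, keyed by (MAC, VLAN) (an assumption)."""

    def __init__(self, capacity: int = DB_CAPACITY):
        self.capacity = capacity
        self.entries = {}

    def on_server_ack(self, mac, ip, vlan, interface, lease_seconds, now):
        """Server ACK for an untrusted host: add, refresh, or ignore an entry."""
        mac = mac.lower()
        key = (mac, vlan)
        existing = self.entries.get(key)
        if existing is not None:
            if existing.interface != interface:
                # MAC move: the entry is deliberately not updated.
                return "mac-move-ignored"
            # Renewal on the same interface refreshes the lease (assumed behaviour).
            existing.ip = ip
            existing.lease_expiry = now + lease_seconds
            return "refreshed"
        if len(self.entries) >= self.capacity:
            # Traffic is still forwarded, but no new binding is created.
            return "db-full-not-added"
        self.entries[key] = Binding(mac, ip, vlan, interface, "dynamic", now + lease_seconds)
        return "added"

    def on_release(self, mac, vlan):
        """Release from the host removes the entry."""
        return self.entries.pop((mac.lower(), vlan), None) is not None

    def expire_leases(self, now):
        """Remove dynamic entries whose lease has expired; static entries never expire."""
        expired = [k for k, b in self.entries.items()
                   if b.lease_expiry is not None and b.lease_expiry <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def interface_down(self, interface):
        """Admin or link down: bindings on the interface are kept. Returns how many remain."""
        return sum(1 for b in self.entries.values() if b.interface == interface)

    def disable_snooping_on_vlan(self, vlan):
        """Disabling snooping on a VLAN removes every entry for that VLAN."""
        removed = [k for k in self.entries if k[1] == vlan]
        for k in removed:
            del self.entries[k]
        return len(removed)

    def add_static(self, mac, ip, vlan, interface):
        """Static entry: only MAC/IP format and VLAN range are validated."""
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC format")
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        if len(self.entries) >= self.capacity:  # capacity applies to static entries too (assumed)
            return False
        self.entries[(mac, vlan)] = Binding(mac, ip, vlan, interface, "static", None)
        return True

    def lookup(self, mac, vlan):
        return self.entries.get((mac.lower(), vlan))
```

Walking a host through ACK, renewal, an attempted MAC move, a link-down event and lease expiry shows which events touch the table and which do not; the interesting defensive point is that a host that simply moves ports keeps its old binding, so IP source guard and dynamic ARP inspection will not accept its traffic on the new port until it re-acquires a lease there.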

Binding entries are stored in a persistent file system (FS) so that the database can be rebuilt when the system reboots. If the system reboots because of a software failure, administrative maintenance, or a power outage, the device keeps the entries because hosts may not renegotiate DHCP transactions to rebuild them; host traffic continues to be forwarded based on the binding entries learned before the reboot.

Entries are written to (and flushed from) the FS periodically, on a non-configurable interval of 5 minutes, to reduce system load. Binding entries learned between the last write to the FS and a reboot are lost. The binding database is stored on the device's flash memory and is not transferred to any remote server.

Option-82

When DHCP snooping Option-82 is enabled, the device inserts the circuit-id (incoming interface ID and its description) and the remote-id (VLAN and MAC address of the incoming interface) into DHCP request packets before forwarding them to the DHCP server. When a device receives a DHCP response from the server, it verifies that it originally inserted the Option-82 data by inspecting the remote ID and the circuit ID fields. The device removes the Option-82 field and forwards the packet to the client. If the incoming DHCP request packet already has Option-82 then the packet is not modified. Such packets are either dropped or forwarded as-is based on the “Option-82 allow untrusted” feature state.

By default, the device drops DHCP packets that include Option-82 that are received on an untrusted port of a DHCP snooping-enabled VLAN. In some topologies, where an edge device inserts Option-82 to better identify subscriber network and DHCP snooping is enabled on an aggregate device, you may want DHCP packets that include Option-82 to be allowed on an untrusted port. In such cases, you can enable the DHCP snooping "Option-82 allow untrusted" feature on the untrusted interface that connects to the known edge switch.
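The Option-82 handling described in the two paragraphs above, as an added example for this page rather than SLX-OS code: DHCP options are modelled as a dictionary of option code to raw bytes, the relay-agent sub-options use the RFC 3046 codes (1 for circuit-id, 2 for remote-id), and the byte layout of the circuit-id and remote-id values is constructed because the text names their contents but not their encoding. The example also assumes that a server reply whose Option-82 does not match what this device inserted is dropped; the text only says the device verifies the fields.

```python
import struct

OPT_RELAY_AGENT = 82   # DHCP Relay Agent Information option (RFC 3046)
SUBOPT_CIRCUIT_ID = 1  # Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2   # Agent Remote ID sub-option


def encode_suboptions(subopts):
    """Encode {code: bytes} as RFC 3046 sub-option TLVs."""
    out = bytearray()
    for code, value in subopts.items():
        if len(value) > 255:
            raise ValueError("sub-option too long")
        out += struct.pack("BB", code, len(value)) + value
    return bytes(out)


def decode_suboptions(data):
    """Parse sub-option TLVs, rejecting truncated input instead of guessing."""
    subopts = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subopts[code] = value
        i += 2 + length
    return subopts


def build_circuit_id(interface_id, description):
    # Constructed encoding of "incoming interface ID and its description".
    return f"{interface_id}:{description}".encode()


def build_remote_id(vlan, interface_mac):
    # Constructed encoding of "VLAN and MAC address of the incoming interface".
    return struct.pack("!H", vlan) + bytes.fromhex(interface_mac.replace(":", ""))


def handle_untrusted_client_request(options, allow_untrusted, interface_id, description,
                                    vlan, interface_mac):
    """Process a client request on an untrusted port. Returns (action, options)."""
    if OPT_RELAY_AGENT in options:
        # Packet already carries Option-82: it is never rewritten. On an untrusted port it
        # is dropped unless "Option-82 allow untrusted" is enabled on that interface.
        if allow_untrusted:
            return "forward-unmodified", options
        return "drop", options
    new_options = dict(options)
    new_options[OPT_RELAY_AGENT] = encode_suboptions({
        SUBOPT_CIRCUIT_ID: build_circuit_id(interface_id, description),
        SUBOPT_REMOTE_ID: build_remote_id(vlan, interface_mac),
    })
    return "forward-with-option82", new_options


def handle_server_reply(options, expected_circuit_id, expected_remote_id):
    """Verify the Option-82 this device inserted, then strip it before forwarding to the client."""
    raw = options.get(OPT_RELAY_AGENT)
    if raw is None:
        return "forward", options  # nothing to verify
    subopts = decode_suboptions(raw)
    if (subopts.get(SUBOPT_CIRCUIT_ID) != expected_circuit_id
            or subopts.get(SUBOPT_REMOTE_ID) != expected_remote_id):
        return "drop", options  # not the data this device inserted (assumed action)
    stripped = {k: v for k, v in options.items() if k != OPT_RELAY_AGENT}
    return "forward", stripped
```

The verification step on the reply is what keeps a client from learning the circuit and remote identifiers the device attaches to its requests: the option never reaches the access port in either direction unless "Option-82 allow untrusted" is deliberately enabled for a known edge switch.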

Packet validation

When DHCP snooping is enabled, the device validates DHCP packets received on the untrusted interfaces of VLANs. The device forwards the packets unless any of the following conditions occur (in which case the packet is dropped):
  • The device receives DHCP response packets on an untrusted interface. These are packets from a DHCP server outside of the trusted network.
  • The device receives a release or decline message from an untrusted host that has an entry in the binding database, and the interface information in the database does not match the interface on which the message was received.
  • The device receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
  • The device receives a DHCP packet that includes Option-82 and the “Option-82 allow untrusted” feature is not enabled.
  • The device receives a DHCP request packet and the incoming VLAN has no trusted port member.
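The five drop conditions above, applied in order to constructed packets, as an added example for this page rather than SLX-OS code. The packet is a plain dictionary (VLAN, interface, message type, client MAC, relay agent address, and the set of option codes present), and the trusted-port map, binding table and set of allow-untrusted interfaces are constructed state; only the check for server messages relies on the standard DHCP message types (OFFER, ACK, NAK).

```python
from ipaddress import IPv4Address

# Constructed state for the example.
TRUSTED_PORTS = {100: {"Eth0/48"}, 200: set()}        # VLAN -> trusted member interfaces
BINDINGS = {("aa:bb:cc:dd:ee:01", 100): "Eth0/1"}     # (client MAC, VLAN) -> learned interface
OPTION82_ALLOW_UNTRUSTED = {"Eth0/7"}                 # interfaces with "Option-82 allow untrusted"

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


def validate_untrusted_dhcp(pkt, trusted_ports=TRUSTED_PORTS, bindings=BINDINGS,
                            allow82=OPTION82_ALLOW_UNTRUSTED):
    """Validate a DHCP packet received on an untrusted interface.

    Returns (forward, reason). Keys used from pkt: vlan, interface, msg_type,
    client_mac, giaddr (relay agent IP as a string), options (set of option codes).
    """
    vlan, iface, mtype = pkt["vlan"], pkt["interface"], pkt["msg_type"]

    # 1. Server responses must never arrive on an untrusted interface.
    if mtype in SERVER_MESSAGES:
        return False, "server message on untrusted interface"

    # 2. Release/decline must come from the interface on which the binding was learned.
    if mtype in ("RELEASE", "DECLINE"):
        learned = bindings.get((pkt["client_mac"].lower(), vlan))
        if learned is not None and learned != iface:
            return False, "release/decline interface does not match binding"

    # 3. Clients do not set the relay agent address; a non-zero giaddr is rejected.
    if IPv4Address(pkt["giaddr"]) != IPv4Address("0.0.0.0"):
        return False, "non-zero relay agent address (giaddr)"

    # 4. Option-82 from an untrusted port is allowed only where explicitly enabled.
    if 82 in pkt["options"] and iface not in allow82:
        return False, "Option-82 present and allow-untrusted not enabled"

    # 5. A client request can only be served if the VLAN has a trusted port to forward it to.
    if mtype in CLIENT_MESSAGES and not trusted_ports.get(vlan):
        return False, "no trusted port in VLAN"

    return True, "ok"


def make_packet(vlan, interface, msg_type, client_mac="aa:bb:cc:dd:ee:01",
                giaddr="0.0.0.0", options=frozenset({53})):
    """Helper to build constructed packets for the checks above."""
    return {"vlan": vlan, "interface": interface, "msg_type": msg_type,
            "client_mac": client_mac, "giaddr": giaddr, "options": set(options)}


def run_samples():
    """Run one packet per rule plus a clean request; returns the list of reasons."""
    samples = [
        make_packet(100, "Eth0/1", "REQUEST"),
        make_packet(100, "Eth0/2", "OFFER"),
        make_packet(100, "Eth0/2", "RELEASE"),
        make_packet(100, "Eth0/3", "REQUEST", giaddr="10.0.0.1"),
        make_packet(100, "Eth0/3", "REQUEST", options={53, 82}),
        make_packet(100, "Eth0/7", "REQUEST", options={53, 82}),
        make_packet(200, "Eth0/9", "DISCOVER"),
    ]
    return [validate_untrusted_dhcp(p)[1] for p in samples]
```

The order matters in one respect: a release sent from the wrong port is rejected before any other field is examined, which is what stops a host on one port from releasing a lease that was learned, and is being enforced by IP source guard, on another.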