DHCP snooping is managed on the active switch. When you connect a new switch to the stack, it receives the DHCP snooping configuration. When a member leaves the stack, all DHCP snooping address bindings associated with the switch expires.

All snooping statistics are generated on the active switch. If a new active switch is elected, the statistics counters reset.

During a stack merge, if the switch is no more active, all DHCP snooping bindings are lost. In a stack partition, the active switch remains unchanged and the bindings belonging to partitioned switches expire. The new active switch of the partitioned stack begins processing the new incoming DHCP packets.

A DHCP snooping binding database is a record system that

• stores information about untrusted interfaces when DHCP snooping is enabled,

• supports up to 4,000 bindings, and

• uses a checksum to verify entries for data integrity.

Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file at a configured location. At the end of each entry is a checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry. Each entry is 77 bytes, followed by a space, a checksum value, and the EOL symbol.

Use the DHCP snooping database agent to retain bindings when the switch reloads. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks.

When the switch reloads, it reads the binding file to build the DHCP snooping binding database. The switch updates the file when the database changes.

When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file. The switch uses the DHCP snooping binding database to store information about untrusted interfaces when DHCP snooping is enabled. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.

<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
...
<entry-n> <checksum-1-2-..-n>
END

3ebe1518
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
10.1.1.1 512 001.0001.0005 3EBE2881 Gi1/1                                e5e1e733
10.1.1.1 512 001.0001.0002 3EBE2881 Gi1/1                                4b3486ec
10.1.1.1 1536 001.0001.0004 3EBE2881 Gi1/1                               f0e02872
10.1.1.1 1024 001.0001.0003 3EBE2881 Gi1/1                               ac41adf9
10.1.1.1 1 001.0001.0001 3EBE2881 Gi1/1                                  34b3273e
END

DHCP gleaning is a read-only DHCP snooping functionality that:

• extracts location information from DHCP messages,

• differentiates an untrusted device port connected to an end user from a trusted port connected to a DHCP server, and

• registers and gleans only DHCP version 4 packets.

Gleaning helps extract location information from DHCP messages when messages are forwarded by a DHCP relay agent. The process does not block or modify DHCP packets, making it passive. DHCP gleaning is supported only on Layer 2 ports. By default, gleaning is disabled, though enabling a device sensor automatically activates it. It functions on all active interfaces where DHCP snooping is deactivated. For private VLAN interaction, ensure gleaning is active on the secondary VLAN, even if snooping is disabled on the primary VLAN.

Note	On Cisco C9350 Series Smart Switches, private VLAN destination lookup forwarding is based on the primary VLAN.

A trusted source is an entity or component that is considered reliable for network communications, provides authenticated data transmissions, and is verified to be part of the network infrastructure.

An untrusted DHCP message is a message that is received through an untrusted interface. By default, the switch considers all interfaces untrusted. So, the switch must be configured to trust some interfaces to use DHCP Snooping. When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer’s switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.

The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface.

In a service-provider network, an example of an interface you might configure as trusted is one connected to a port on a device in the same network. An example of an untrusted interface is one that is connected to an untrusted interface in the network or to an interface on a device that is not in the network.

When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.

The switch drops a DHCP packet when one of these situations occurs:

• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.

• A packet that is received on an untrusted interface, has a source MAC address and a DHCP client hardware address that do not match.

• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.

• A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.

• DHCP snooping exceeds the queue size limit of 1000.

When an aggregation switch with DHCP snooping connects to an edge switch inserting DHCP option-82, packets with option-82 are dropped if received on an untrusted interface. If DHCP Snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.

When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as Dynamic ARP Inspection or IP Source Guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.