DHCP snooping is a DHCP
security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database, also
referred to as a DHCP snooping binding table.
DHCP snooping acts like a
firewall between untrusted hosts and DHCP servers. You use DHCP snooping to
differentiate between untrusted interfaces connected to the end user and
trusted interfaces connected to the DHCP server or another switch.
Note |
For DHCP snooping
to function properly, all DHCP servers must be connected to the switch through
trusted interfaces.
|
An untrusted DHCP message is a message that is
received through an untrusted interface. By default, the switch considers all
interfaces untrusted. So, the switch must be configured to trust some
interfaces to use DHCP Snooping. When you use DHCP snooping in a
service-provider environment, an untrusted message is sent from a device that
is not in the service-provider network, such as a customer’s switch. Messages
from unknown devices are untrusted because they can be sources of traffic
attacks.
The DHCP snooping binding
database has the MAC address, the IP address, the lease time, the binding type,
the VLAN number, and the interface information that corresponds to the local
untrusted interfaces of a switch. It does not have information regarding hosts
interconnected with a trusted interface.
In a service-provider network, an example of
an interface you might configure as trusted is one connected to a port on a
device in the same network. An example of an untrusted interface is one that is
connected to an untrusted interface in the network or to an interface on a
device that is not in the network.
When a switch receives a
packet on an untrusted interface and the interface belongs to a VLAN in which
DHCP snooping is enabled, the switch compares the source MAC address and the
DHCP client hardware address. If the addresses match (the default), the switch
forwards the packet. If the addresses do not match, the switch drops the
packet.
The switch drops a DHCP
packet when one of these situations occurs:
-
A packet from a DHCP server,
such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received
from outside the network or firewall.
-
A packet is received on an
untrusted interface, and the source MAC address and the DHCP client hardware
address do not match.
-
The switch receives a
DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP
snooping binding database, but the interface information in the binding
database does not match the interface on which the message was received.
-
A DHCP relay agent forwards a
DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the
relay agent forwards a packet that includes option-82 information to an
untrusted port.
If the switch is an aggregation switch
supporting DHCP snooping and is connected to an edge switch that is inserting
DHCP option-82 information, the switch drops packets with option-82 information
when packets are received on an untrusted interface. If DHCP snooping is
enabled and packets are received on a trusted port, the aggregation switch does
not learn the DHCP snooping bindings for connected devices and cannot build a
complete DHCP snooping binding database.
When an aggregation switch
can be connected to an edge switch through an untrusted interface and you enter
the
ip dhcp snooping information option
allow-untrusted global configuration command, the aggregation
switch accepts packets with option-82 information from the edge switch. The
aggregation switch learns the bindings for hosts connected through an untrusted
switch interface. The DHCP security features, such as dynamic ARP inspection or
IP source guard, can still be enabled on the aggregation switch while the
switch receives packets with option-82 information on untrusted input
interfaces to which hosts are connected. The port on the edge switch that
connects to the aggregation switch must be configured as a trusted interface.
Normally, it is not desirable
to broadcast packets to wireless clients. So, DHCP snooping replaces
destination broadcast MAC address (ffff.ffff.ffff) with unicast MAC address for
DHCP packets that are going from server to wireless clients. The unicast MAC
address is retrieved from CHADDR field in the DHCP payload. This processing is
applied for server to client packets such as DHCP OFFER, DHCP ACK, and DHCP
NACK messages. The
ip dhcp snooping wireless
bootp-broadcast enable can be used to revert this behavior. When
the wireless BOOTP broadcast is enabled, the broadcast DHCP packets from server
are forwarded to wireless clients without changing the destination MAC address.