DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building
and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between
untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.
Note |
For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.
|
An untrusted DHCP message is a message that is received through an untrusted interface. By default, the switch considers all
interfaces untrusted. So, the switch must be configured to trust some interfaces to use DHCP Snooping. When you use DHCP snooping
in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network,
such as a customer’s switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number,
and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information
regarding hosts interconnected with a trusted interface.
In a service-provider network, an example of an interface you might configure as trusted is one connected to a port on a device
in the same network. An example of an untrusted interface is one that is connected to an untrusted interface in the network
or to an interface on a device that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled,
the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the
switch forwards the packet. If the addresses do not match, the switch drops the packet.
The switch drops a DHCP packet when one of these situations occurs:
-
A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the
network or firewall.
-
A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
-
The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database,
but the interface information in the binding database does not match the interface on which the message was received.
-
A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards
a packet that includes option-82 information to an untrusted port.
-
The maximum snooping queue size of 1000 is exceeded when DHCP snooping is enabled.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP
option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface.
If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping
bindings for connected devices and cannot build a complete DHCP snooping binding database.
When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The
aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features,
such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives
packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch
that connects to the aggregation switch must be configured as a trusted interface.
Normally, it is not desirable to broadcast packets to wireless clients. So, DHCP snooping replaces destination broadcast MAC
address (ffff.ffff.ffff) with unicast MAC address for DHCP packets that are going from server to wireless clients. The unicast
MAC address is retrieved from CHADDR field in the DHCP payload. This processing is applied for server to client packets such
as DHCP OFFER, DHCP ACK, and DHCP NACK messages. The ip dhcp snooping wireless bootp-broadcast enable can be used to revert this behavior. When the wireless BOOTP broadcast is enabled, the broadcast DHCP packets from server
are forwarded to wireless clients without changing the destination MAC address.