When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces.
The database can have up to 64,000 bindings.
Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface
to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file
at a configured location. At the end of each entry is a checksum that accounts for all the bytes from the start of the file
through all the bytes associated with the entry. Each entry is 72 bytes, followed by a space and then the checksum value.
To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic
ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses
its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but
DHCP snooping might not prevent DHCP spoofing attacks.
When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch updates the file
when the database changes.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and cancel-timeout values), the update stops.
This is the format of the file with bindings:
<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
...
<entry-n> <checksum-1-2-..-n>
END
Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file.
The initial-checksum entry on the first line distinguishes entries associated with the latest file update from entries associated
with a previous file update.
This is an example of a binding file:
2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E Gi1/0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB Gi1/0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Gi1/0/4 584a38f0
END
When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads entries from the
binding file and adds the bindings to its DHCP snooping binding database. The switch ignores an entry when one of these situations
occurs:
- The switch reads the entry and the calculated checksum value does not equal the stored checksum value. The entry and the ones following it are ignored.
- An entry has an expired lease time (the switch might not remove a binding entry when the lease time expires).
- The interface in the entry no longer exists on the system.
- The interface is a routed interface or a DHCP snooping-trusted interface.
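As an added example (not Cisco's code) covering both the file layout above and these reload rules, the following Python writes a binding file in the documented layout and then replays the four ignore rules when reading it back. The page does not specify the checksum algorithm, so a cumulative CRC32 stands in for it (the recomputed checksums therefore differ from the page's example values), and the lease field is assumed to be an expiry time in seconds; the interface sets and `now` values are constructed inputs.

```python
import zlib

def crc32_hex(data: bytes) -> str:
    """Stand-in checksum (cumulative CRC32): an assumption, not Cisco's algorithm."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def build_binding_file(entries, initial="00000000", checksum=crc32_hex):
    """Header, BEGIN, one '<entry> <checksum>' line per binding, END. Each checksum
    covers every byte from the start of the file through the end of that entry."""
    out = f"{initial}\nTYPE DHCP-SNOOPING\nVERSION 1\nBEGIN\n"
    for entry in entries:
        out += entry
        out += " " + checksum(out.encode()) + "\n"
    return out + "END\n"

def load_bindings(text, existing_ifaces, trusted_or_routed, now, checksum=crc32_hex):
    """Replay the switch's reload logic: return (accepted, ignored), where each
    ignored item carries the rule that dropped it. The lease field and `now` are
    compared as seconds (assumption; the page only says the field is hexadecimal)."""
    accepted, ignored = [], []
    head, _, body = text.partition("BEGIN\n")
    seen = (head + "BEGIN\n").encode()   # bytes covered so far by the running checksum
    for line in body.splitlines(keepends=True):
        if line.strip() == "END":
            break
        entry, _, stored = line.rstrip("\n").rpartition(" ")
        seen += entry.encode()
        if checksum(seen) != stored:
            # Rule 1: a bad checksum drops this entry and every entry after it
            ignored.append((entry, "checksum mismatch; later entries also ignored"))
            break
        seen += f" {stored}\n".encode()
        ip, vlan, mac, lease_hex, iface = entry.split()
        if int(lease_hex, 16) <= now:                       # Rule 2
            ignored.append((entry, "lease expired")); continue
        if iface not in existing_ifaces:                    # Rule 3
            ignored.append((entry, "interface no longer exists")); continue
        if iface in trusted_or_routed:                      # Rule 4
            ignored.append((entry, "routed or DHCP snooping-trusted interface")); continue
        accepted.append({"ip": ip, "vlan": int(vlan), "mac": mac,
                         "expires": int(lease_hex, 16), "interface": iface})
    return accepted, ignored

# Constructed sample reusing the entry text from the page's example; the checksums
# are recomputed with the stand-in function, so they differ from the page's values.
SAMPLE = build_binding_file([
    "192.1.168.1 3 0003.47d8.c91f 2BB6488E Gi1/0/4",
    "192.1.168.3 3 0003.44d6.c52f 2BB648EB Gi1/0/4",
    "192.1.168.2 3 0003.47d9.c8f1 2BB648AB Gi1/0/4",
])
```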