DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

• Validates DHCP messages received from untrusted sources and filters out invalid messages.
• Rate-limits DHCP traffic from trusted and untrusted sources.
• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
• Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

The DHCP snooping feature is implemented in software on the route processor (RP). Therefore, all DHCP messages for enabled VLANs are intercepted in the PFC and directed to the RP for processing.

The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.

In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers, and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports and unknown DHCP servers are generally treated as untrusted sources.

A DHCP server that is on your network without your knowledge on an untrusted port is called a spurious DHCP server . A spurious DHCP server is any piece of equipment that is loaded with DHCP server enabled. Some examples are desktop systems and laptop systems that are loaded with DHCP server enabled, or wireless access points honoring DHCP requests on the wired side of your network. If spurious DHCP servers remain undetected, you will have difficulties troubleshooting a network outage. You can detect spurious DHCP servers by sending dummy DHCPDISCOVER packets out to all of the DHCP servers so that a response is sent back to the switch.

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In the switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Note	For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces, as untrusted DHCP messages are forwarded only to trusted interfaces.

The DHCP snooping binding database is also referred to as the DHCP snooping binding table.

The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):

• The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0. in giaddr.

To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-switch ports to accept DHCP packets that include option-82 information. Configure the port on the edge switch that connects to the aggregation switch as a trusted port.

Note	With the DHCP option-82 on untrusted port feature enabled, use dynamic ARP inspection on the aggregation switch to protect untrusted input interfaces.

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP snooping option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.

The figure below is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.

When you enable the DHCP snooping information option-82 on the switch, this sequence of events occurs:

• The host (DHCP client) generates a DHCP request and broadcasts it on the network.
• When the switch receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption).
• If the IP address of the relay agent is configured, the switch adds the IP address in the DHCP packet.
• The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
• The DHCP server receives the packet. If the server is option-82 capable, it can use the remote ID, or the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.
• The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.

When the previously described sequence of events occurs, the values in these fields in the figure below do not change:

• Circuit ID suboption fields
  • Suboption type
  • Length of the suboption type
  • Circuit ID type
  • Length of the circuit ID type
• Remote ID suboption fields
  • Suboption type
  • Length of the suboption type
  • Remote ID type
  • Length of the circuit ID type

The figure below shows the packet formats for the remote ID suboption and the circuit ID suboption. The switch uses the packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option global configuration command is entered. For the circuit ID suboption, the module field is the slot number of the module.

Figure 2. Suboption Packet Formats

To retain the bindings across reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon reload, and connectivity is lost as well.

The database agent stores the bindings in a file at a configured location. Upon reload, the switch reads the file to build the database for the bindings. The switch keeps the file current by writing to the file as the database changes.

The format of the file that contains the bindings is as follows:

<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
...
<entry-n> <checksum-1-2-..-n>
END

Each entry in the file is tagged with a checksum that is used to validate the entries whenever the file is read. The <initial-checksum> entry on the first line helps distinguish entries associated with the latest write from entries that are associated with a previous write.

This is a sample bindings file:

3ebe1518
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
1.1.1.1 512 0001.0001.0005 3EBE2881 Gi1/1                                e5e1e733
1.1.1.1 512 0001.0001.0002 3EBE2881 Gi1/1                                4b3486ec
1.1.1.1 1536 0001.0001.0004 3EBE2881 Gi1/1                               f0e02872
1.1.1.1 1024 0001.0001.0003 3EBE2881 Gi1/1                               ac41adf9
1.1.1.1 1 0001.0001.0001 3EBE2881 Gi1/1                                  34b3273e
END

Each entry holds an IP address, VLAN, MAC address, lease time (in hex), and the interface associated with a binding. At the end of each entry is a checksum that is based on all the bytes from the start of the file through all the bytes associated with the entry. Each entry consists of 72 bytes of data, followed by a space, followed by a checksum.

Upon bootup, when the calculated checksum equals the stored checksum, the switch reads entries from the file and adds the bindings to the DHCP snooping database. If the calculated checksum does not equal the stored checksum, the entry read from the file is ignored and so are all the entries following the failed entry. The switch also ignores all those entries from the file whose lease time has expired. (This is possible because the lease time might indicate an expired time.) An entry from the file is also ignored if the interface referred to in the entry no longer exists on the system, or if it is a device port or a DHCP snooping-trusted interface.

When the switch learns of new bindings or when it loses some bindings, the switch writes the modified set of entries from the snooping database to the file. The writes are performed with a configurable delay to batch as many changes as possible before the actual write happens. Associated with each transfer is a timeout after which a transfer is aborted if it is not completed. These timers are referred to as the write delay and abort timeout.

The DHCP snooping host tracking feature implements a cache to learn VLAN and MAC addresses to port the mapping of clients from snooped DHCP request packets and uses this information to forward snooped DHCP reply packets.

This feature improves DHCP snooping packet processing performance for DHCP reply packets by not needing to lookup the hardware VLAN and MAC address table in order to determine the port on which to send the DHCP reply packets. This feature is useful in deployments where it is not possible to use the DHCP snooping information option along with DHCP (for example, when the server does not support DHCP information option). If DHCP is configured it takes hugher precedence than the DHCP snooping host tracking feature in determining the port on which to forward reply packets.

The DHCP snooping host tracking feature is off by default (see Enabling DHCP Snooping Host Tracking).

Note	Configure this command as the last configuration step (or enable the DHCP feature during a scheduled maintenance period) because after you enable DHCP snooping globally, the switch drops DHCP requests until you configure the ports.

To enable DHCP snooping globally, complete the following steps:

1.    enable


2.    configure terminal


3.    ip dhcp snooping


4.    do show ip dhcp snooping


5.    exit

Switch> enable

Switch# configure terminal

Switch(config)# ip dhcp snooping

Switch(config)# do show ip dhcp snooping

Switch(config)# exit

This example shows how to enable DHCP snooping globally:

Switch# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip dhcp snooping 
Switch(config)# do show ip dhcp snooping 
Switch DHCP snooping is enabled
Switch(config)#

Note	When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all ARP entries in the ARP table are checked against a nonexistent DHCP database. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets

1.    enable


2.    configure terminal


3.    ip dhcp snooping information option


4.    do show ip dhcp snooping | include 82


5.    exit

Switch> enable

Switch# configure terminal

Switch(config)# ip dhcp snooping information option

Switch(config)# do show ip dhcp snooping | include 82

Switch(config)# exit

Switch# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# no ip dhcp snooping information option 
Switch(config)# do show ip dhcp snooping | include 82 
Insertion of option 82 is disabled
Switch(config)#

Switch# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip dhcp snooping information option 
Switch(config)# do show ip dhcp snooping | include 82 
Insertion of option 82 is enabled
Switch(config)#

Before You Begin

Note

With the DHCP option-82 on untrusted port feature enabled, the switch does not drop DHCP packets that include option-82 information that are received on untrusted ports. Do not use the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which any untrusted devices are connected.

1.    enable


2.    configure terminal


3.    ip dhcp snooping information option allow-untrusted


4.    do show ip dhcp snooping


5.    exit

Switch> enable

Switch# configure terminal

Switch(config)# ip dhcp snooping information option allow-untrusted Or Switch(config-if)# ip dhcp snooping information option allow-untrusted

Switch(config)# do show ip dhcp snooping

Switch(config)# exit

Switch# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip dhcp snooping information option allow-untrusted 
Switch(config)#

1.    enable


2.    configure terminal


3.    ip dhcp snooping track host


4.    clear ip dhcp snooping track host


5.    exit

Switch> enable

Switch# configure terminal

Switch(config)# ip dhcp snooping track host

Switch(config)# clear ip dhcp snooping track host

Switch(config)# exit

Switch# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# no ip dhcp snooping information option 
Switch(config)# ip dhcp snooping track host
Switch(config)# exit

Switch# show ip dhcp snooping track host

VLAN   interface     mac           time left
 ----------------------------------------------
 203     Gi3/47      000a.cb00.126d     expired
 204     Gi11/47     000a.cc00.1262     expired
 202     Gi2/47      000a.ca00.125d     expired
 204     Gi11/47     000a.cc00.1263     expired
 203     Gi3/47      000a.cb00.1276     expired
 201     Gi1/47      000a.c900.1273     expired

1.    enable


2.    configure terminal


3.    ip dhcp snooping verify mac-address


4.    do show ip dhcp snooping | include hwaddr


5.    exit

Switch> enable

Switch# configure terminal

Switch(config)# ip dhcp snooping verify mac-address

Switch(config)# do show ip dhcp snooping | include hwaddr

Switch(config)# exit

Switch(config)# no ip dhcp snooping verify mac-address 
Switch(config)# do show ip dhcp snooping | include hwaddr 
Verification of hwaddr field is disabled
Switch(config)#

Switch(config)# ip dhcp snooping verify mac-address 
Switch(config)# do show ip dhcp snooping | include hwaddr 
Verification of hwaddr field is enabled
Switch(config)#

1.    enable


2.    configure terminal


3.    ip dhcp snooping bridge-domain {{bridge-domain_ID [bridge-domain_ID]} | {bridge-domain_range}

4.    do show ip dhcp snooping


5.    exit

Switch> enable

Switch# configure terminal

Switch(config)# ip dhcp snooping bridge-domain 1 or
Switch(config)# ip dhcp snooping bridge-domain 1-10,40-50,61

Switch(config)# do show ip dhcp snooping

Switch(config)# exit

Switch# configure terminal 
Switch(config)# ip dhcp snooping bridge-domain 10 12

Switch# configure terminal
Switch(config)# ip dhcp snooping bridge-domain 10-12 

Switch# configure terminal
Switch(config)# ip dhcp snooping bridge-domain 10,11,12 

Switch# configure terminal
Switch(config)# ip dhcp snooping bridge-domain 10-12,15 

Switch(config)# do show ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following bridge-domains:
10-12,15
DHCP snooping is operational on following bridge-domains:
none
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
Switch# 

1.    enable


2.    configure terminal


3.    interface {type slot/port | port-channel number}

4.    ip dhcp snooping trust


5.    do show ip dhcp snooping | begin pps


6.    end

Switch> enable

Switch# configure terminal

Switch(config)# interface port-channel 1 or
Switch(config)# interface GigabitEthernet 0/1  

Switch(config-if)# ip dhcp snooping trust 

Switch(config-if)# do show ip dhcp snooping | begin pps

Switch(config-if)# end

Switch# configure terminal 
Switch(config)# interface FastEthernet5/12 
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# do show ip dhcp snooping | begin pps

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet5/12             yes         unlimited
Switch# 

Switch# configure terminal 
Switch(config)# interface FastEthernet 5/12
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# do show ip dhcp snooping | begin pps

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet5/12             no          unlimited
Switch# 

1.    enable


2.    configure terminal


3.    interface {type slot/port | port-channel number}

4.    ip dhcp snooping limit rate rate


5.    do show ip dhcp snooping | begin pps


6.    end

Switch> enable

Switch# configure terminal

Switch(config)# interface port-channel 1 or
Switch(config)# interface GigabitEthernet 0/1

Switch(config-if)# ip dhcp snooping limit rate 10

Switch(config-if)# do show ip dhcp snooping | begin pps

Switch(config-if)# end

When configuring DHCP snooping rate limiting on a Layer 2 LAN interface, note the following information:

• We recommend an untrusted rate limit of not more than 100 packets per second (pps).
• If you configure rate limiting for trusted interfaces, you might need to increase the rate limit on trunk ports carrying more than one VLAN on which DHCP snooping is enabled.
• When you configure rate limit as 1 pps, the interface immediately goes to error disable state on receiving a DHCP packet.
• DHCP snooping puts ports where the rate limit is exceeded into the error-disabled state.

This example shows how to configure DHCP packet rate limiting to 100 pps on Fast Ethernet port 5/12:

Switch# configure terminal 
Switch(config)# interface FastEthernet 5/12 
Switch(config-if)# ip dhcp snooping limit rate 100 
Switch(config-if)# do show ip dhcp snooping | begin pps 
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet5/12             no          100 
Switch# 

To configure the DHCP snooping database agent, complete one or more of the following steps:

Note	The URL in the following task indicates either TFTP:filename or SD flash:filename.

1.    enable


2.    configure terminal


3.    ip dhcp snooping database { _url | write-delay seconds | timeout seconds }

4.    clear ip dhcp snooping database statistics


5.    renew ip dhcp snooping database [validation none] [url]

6.    ip dhcp snooping binding mac address bridge-domain <bridge-domain_id> ip_address interface <ifname> efp_id <efp-id> expiry <sec>

7.    exit

Switch> enable

Switch# configure terminal

Switch(config)# ip dhcp snooping database tftp://202.153.144.25//auto/tftp-abc-user1/name/DHCP_Database/name_database_xyz
Switch(config)# ip dhcp snooping database timeout 10
Switch(config)# ip dhcp snooping database write-delay 30

Switch(config)# clear ip dhcp snooping database statistics

Switch(config)# renew ip dhcp snooping database validation none tftp://202.153.144.25//auto/tftp-abc-user1/name/DHCP_Database/name_database_xyz

Switch(config)# ip dhcp snooping binding 0000.1111.2222 bridge-domain 1 1.1.1.1 int gi0 efp_id 1 expiry 100

Switch(config)# exit

Switch# show ip dhcp snooping database [detail]

Agent URL : tftp://202.153.144.25//auto/tftp-abc-user1/name/DHCP_Database/name_database_xyz
Write delay Timer : 30 seconds
Abort Timer : 10 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : 23:40:32 IST Sat Sep 11 1993
Last Failed Reason : Expected more data on read.

Total Attempts       :        1   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        1
Successful Reads     :        0   Failed Reads     :        1
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0

First successful access: Read

Last ignored bindings counters :
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0
Last Ignored Time : None

Total ignored bindings counters:
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0

1.    enable


2.    show ip dhcp snooping database


3.    renew ip dhcp snoop data url


4.    show ip dhcp snoop data


5.    show ip dhcp snoop bind

Switch> enable

Switch# show ip dhcp snooping database

Switch# renew ip dhcp snooping database validation none tftp://202.153.144.25//auto/tftp-abc-user1/name/DHCP_Database/name_database_xyz

Switch# show ip dhcp snoop data

Switch# show ip dhcp snoop bind

Switch# show ip dhcp snooping database

Agent URL : 
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        0   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0
Switch# renew ip dhcp snoop data tftp://10.1.1.1/directory/file 
Loading directory/file from 10.1.1.1 (via GigabitEthernet1/1): !
[OK - 457 bytes]
Database downloaded successfully.

Switch#
00:01:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Read succeeded.

Switch# show ip dhcp snoop data

Agent URL : 
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeeded Time : 15:24:34 UTC Sun Jul 8 2001
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        1   Startup Failures :        0
Successful Transfers :        1   Failed Transfers :        0
Successful Reads     :        1   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0
Switch#

Switch# show ip dhcp snoop bind

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:01:00:01:00:05   1.1.1.1          49810       dhcp-snooping  512   GigabitEthernet1/1
00:01:00:01:00:02   1.1.1.1          49810       dhcp-snooping  512   GigabitEthernet1/1
00:01:00:01:00:04   1.1.1.1          49810       dhcp-snooping  1536  GigabitEthernet1/1
00:01:00:01:00:03   1.1.1.1          49810       dhcp-snooping  1024  GigabitEthernet1/1
00:01:00:01:00:01   1.1.1.1          49810       dhcp-snooping  1     GigabitEthernet1/1
Switch# clear ip dhcp snoop bind 
Switch# show ip dhcp snoop bind   
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Switch#

1.    enable


2.    show ip dhcp snooping binding


3.    ip dhcp snooping binding binding_id bridge-domain bridge-domain_id interface interface efp_idexpiry lease_time


4.    show ip dhcp snooping binding

Switch> enable

Switch# show ip dhcp snooping binding

Switch# ip dhcp snoop bin 0000.1111.2222 bridge-domain 1 1.1.1.1 int gi0/1 efp_id 10 expiry 100

Switch# show ip dhcp snooping binding

Switch# show ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           Bridge Domain  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Switch#

Switch# ip dhcp snooping binding 1.1.1 bridge-domain 1 1.1.1.1 interface gi1/1 expiry 1000

Switch# show ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           Bridge Domain  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:01:00:01:00:01   1.1.1.1          992         dhcp-snooping  1     GigabitEthernet1/1
Switch#