DHCP Snooping
1. Function Overview
The DHCP snooping function monitors DHCP messages exchanged between DHCP servers and clients and filters out invalid DHCP messages.
Using the function improves security in the following ways.
- Deters IP address assignment by unauthorized (rogue) DHCP servers.
- Deters spoofed DHCP release and DHCP decline messages, i.e. a lease release or a duplicate-address notification sent on behalf of another client.
- Deters spoofed MAC addresses.
- Deters spoofed Option 82 information.
2. Definition of Terms Used
Trusted port
A port on which DHCP snooping does not filter DHCP messages. Trusted ports connect to trusted DHCP servers.
Untrusted port
A port on which DHCP snooping filters DHCP messages. Untrusted ports connect to DHCP clients.
IfIndex
Interface ID number. For IfIndex allocation, refer to Basic Interface Functions.
3. Function Details
3.1. Enabling DHCP snooping
To enable DHCP snooping, execute the ip dhcp snooping enable command in global configuration mode. In addition, the ip dhcp snooping enable command must be executed in interface mode for each VLAN on which DHCP snooping is to be enabled.
The status of system settings for the DHCP snooping function can be checked using the show ip dhcp snooping command.
The interface setting status for the DHCP snooping function can be checked using the show ip dhcp snooping interface command.
3.2. Binding database
If DHCP snooping is enabled, messages between the DHCP server and DHCP client can be monitored to build a binding database.
When the DHCP server assigns an IP address, the following DHCP client information is registered in the binding database.
- ID of the VLAN on which the DHCP message was received from the DHCP client
- Interface on which the DHCP message was received from the DHCP client
- DHCP client MAC address
- DHCP client IP address
- Lease time
Entry information for the binding database can be checked using the show ip dhcp snooping binding command.
A registered entry is deleted when its lease time expires or when a DHCP release message is received from the DHCP client.
The binding database can be cleared using the clear ip dhcp snooping binding command.
A maximum of 512 entries can be registered in the binding database.
3.3. DHCP snooping by port type
The ip dhcp snooping trust command sets a LAN/SFP port to one of two DHCP snooping port types, “trusted” or “untrusted”.
Trusted ports connect to trusted DHCP servers, whereas untrusted ports connect to DHCP clients.
The actions for each type are described below.
- Trusted port
  - DHCP messages are forwarded without filtering.
- Untrusted port
  - DHCP packets sent from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK) are discarded.
  - If the MAC address is registered in the binding database and one of the following DHCP packets is received on an interface other than the registered one, the packet is discarded.
    - IP address release request (DHCP release)
    - Notification that a duplicate IP address was detected (DHCP decline)
  - If MAC address verification is enabled, the source MAC address of the frame carrying the DHCP packet is compared with the client hardware address (chaddr) in the DHCP header. If they do not match, the packet is discarded.
  - If Option 82 is enabled and a DHCP packet received from a DHCP client already carries Option 82 information, the packet is discarded.
At untrusted ports, MAC address verification is enabled by default; it can be disabled using the ip dhcp snooping verify mac-address command.
If a DHCP relay agent must be connected to an untrusted port, MAC address verification has to be disabled on that port, because the relay agent forwards the clients' DHCP packets with its own source MAC address, which no longer matches chaddr. Note that this also removes the chaddr spoofing check for every device behind that port, so disable it only where a relay agent is actually connected.
3.4. Option 82
If Option 82 is enabled while DHCP snooping is enabled, Option 82 information is appended to DHCP packets received from DHCP clients at untrusted ports.
If a DHCP client is connected directly to an untrusted port, the Option 82 information is removed from the reply packets sent from the DHCP server to that client before they are forwarded.
Option 82 is enabled by default. The following Option 82 information is appended to packets.
- Remote-ID
  - With default settings, the MAC address of the unit is appended.
    Format: Suboption type=2, Remote-ID type=0 (default)
  - The ip dhcp snooping information option format remote-id command can be used to set the Remote-ID to any string (single-byte characters or symbols) up to 63 characters long.
    Format: Suboption type=2, Remote-ID type=1
- Circuit-ID
  - With default settings, DHCP packets received from DHCP clients are appended with the VLAN ID and the IfIndex of the receiving port.
    Format: Suboption type=1, Circuit-ID type=2 (default)
  - The ip dhcp snooping information option format-type circuit-id command can be used to change the Circuit-ID to the VLAN ID and port number of the port on which the DHCP packet was received from the client. For physical ports, the “Module” value is the stack number, or 1 for standalone or non-stackable models; for logical ports it is fixed at 0x11 for static link aggregation and 0x12 for LACP. The “Port” value is the physical port number.
    Format: Suboption type=1, Circuit-ID type=0
  - Any character string (single-byte characters or symbols) up to 63 characters long can also be specified as the Circuit-ID.
    Format: Suboption type=1, Circuit-ID type=1
- Subscriber-ID
  - Not appended with default settings.
  - The ip dhcp snooping subscriber-id command can be used to specify any string (single-byte characters or symbols) up to 50 characters long as the Subscriber-ID of a port and include it in the Option 82 information.
If Option 82 is enabled and a DHCP packet that already carries Option 82 information is received at an untrusted port, that packet is discarded, to deter spoofing of Option 82 information.
To connect a DHCP relay agent that appends Option 82 to an untrusted port, execute the ip dhcp snooping information option allow-untrusted command, which permits DHCP packets that include Option 82 to be forwarded at untrusted ports. Because this also lets any client on that port supply its own Option 82 values, use it only on ports where a relay agent is actually connected.
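As an added example (not part of this page and not Yamaha's implementation), the following Python model applies the binding-database, untrusted-port and Option 82 rules of sections 3.2 to 3.4 to DHCP packets and emits the drop reasons in the SYSLOG format of section 3.7. The Option 82 byte layout (a leading type byte followed by VLAN ID and IfIndex for the Circuit-ID, or by the unit MAC for the Remote-ID), the IfIndex values, the MAC addresses and every packet are assumptions constructed for the example; the rule order and the drop reasons follow the page.

```python
"""Model of the DHCP snooping checks in sections 3.2 to 3.4 and the SYSLOG
lines in 3.7.  Added example (not Yamaha firmware): the Option 82 byte
layout and the IfIndex values are assumptions; all packets are built inline."""
import struct

MAGIC = b"\x63\x82\x53\x63"
OPT_LEASE, OPT_MSG_TYPE, OPT_AGENT_INFO, OPT_END = 51, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
         5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
SERVER_TYPES = {2, 5, 6}   # OFFER, ACK, NAK: only a server sends these
BOUND_TYPES = {4, 7}       # DECLINE, RELEASE: checked against the binding database

def mac_str(mac):
    """Format a MAC the way the page's SYSLOG samples do: 5c5a.c7d6.9e1e."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def build_dhcp(op, chaddr, msg_type, yiaddr=b"\0\0\0\0", extra=b""):
    """Minimal RFC 2131 frame: 236-byte BOOTP header, magic cookie, options."""
    hdr = (struct.pack("!4B", op, 1, 6, 0) + b"\0" * 4        # op htype hlen hops, xid
           + b"\0" * 4 + b"\0" * 4 + yiaddr + b"\0" * 8         # secs/flags, ciaddr, yiaddr, siaddr/giaddr
           + chaddr.ljust(16, b"\0") + b"\0" * 192 + MAGIC)     # chaddr, sname, file
    return hdr + bytes([OPT_MSG_TYPE, 1, msg_type]) + extra + bytes([OPT_END])

def parse_options(pkt):
    """Return [(code, data)] for the top-level options; stops at END."""
    i, opts = 240, []
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def rebuild(pkt, opts):
    """Re-serialise an options list behind the fixed header."""
    return pkt[:240] + b"".join(bytes([c, len(d)]) + d for c, d in opts) + bytes([OPT_END])

class Snooper:
    """One switch: trusted ports, a binding database and the untrusted-port rules."""

    def __init__(self, trusted, unit_mac, ifindex, verify_mac=True,
                 option82=True, allow_untrusted=False):
        self.trusted, self.unit_mac, self.ifindex = set(trusted), unit_mac, ifindex
        self.verify_mac, self.option82, self.allow_untrusted = verify_mac, option82, allow_untrusted
        self.bindings = {}   # chaddr -> {vlan, port, ip, lease}   (section 3.2)
        self.clients = {}    # chaddr -> (vlan, port) where the client was last seen
        self.log = []        # SYSLOG lines as in 3.7 (timestamp omitted)

    def _drop(self, reason, vlan, port, mtype, mac):
        self.log.append(f"[DHCPSN]:inf: DHCP dropped due to {reason}, VLAN {vlan}, "
                        f"{port}, {NAMES[mtype]}, {mac_str(mac)}")
        return None

    def _option82(self, vlan, port):
        # Assumed encoding: Circuit-ID type 2 = VLAN ID + IfIndex, Remote-ID type 0 = unit MAC.
        cid = struct.pack("!BHI", 2, vlan, self.ifindex[port])
        rid = bytes([0]) + self.unit_mac
        return (OPT_AGENT_INFO, bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
                + bytes([SUB_REMOTE_ID, len(rid)]) + rid)

    def receive(self, src_mac, vlan, port, pkt):
        """Apply the rules to one ingress packet; return the packet to forward, or None."""
        opts = parse_options(pkt)
        od, chaddr = dict(opts), pkt[28:34]
        mtype = od[OPT_MSG_TYPE][0]
        if port in self.trusted:                                 # trusted: never filtered
            if mtype == 5 and chaddr in self.clients:            # DHCPACK: register the lease
                lease = struct.unpack("!I", od.get(OPT_LEASE, b"\0\0\0\0"))[0]
                cvlan, cport = self.clients[chaddr]
                self.bindings[chaddr] = dict(vlan=cvlan, port=cport, ip=pkt[16:20], lease=lease)
            if OPT_AGENT_INFO in od and chaddr in self.clients:  # directly connected client:
                return rebuild(pkt, [o for o in opts if o[0] != OPT_AGENT_INFO])   # strip Option 82
            return pkt
        if mtype in SERVER_TYPES:                                # untrusted: rules of 3.3 in order
            return self._drop("prohibited message type", vlan, port, mtype, src_mac)
        bound = self.bindings.get(chaddr)
        if mtype in BOUND_TYPES and bound and bound["port"] != port:
            return self._drop("source interface mismatch", vlan, port, mtype, src_mac)
        if self.verify_mac and src_mac != chaddr:
            return self._drop("source mac mismatch", vlan, port, mtype, src_mac)
        if self.option82 and OPT_AGENT_INFO in od and not self.allow_untrusted:
            return self._drop("option82 value", vlan, port, mtype, src_mac)
        if mtype == 7 and bound:                                 # owner released its lease
            del self.bindings[chaddr]
        self.clients[chaddr] = (vlan, port)
        if self.option82 and OPT_AGENT_INFO not in od:
            return rebuild(pkt, opts + [self._option82(vlan, port)])
        return pkt

if __name__ == "__main__":      # quick demo: a rogue DHCPOFFER on an untrusted port (constructed MACs)
    s = Snooper({"port1.1"}, bytes.fromhex("00a0de000001"), {"port1.2": 2})
    s.receive(bytes.fromhex("12344567abcd"), 1, "port1.2", build_dhcp(2, bytes(6), 2))
    print(s.log[0])
```

The model is useful for reasoning about the rules before enabling them on a production VLAN: feed it the same sequence a real client would produce (DISCOVER, OFFER via the trusted port, REQUEST, ACK) and then the spoofed RELEASE, MAC-mismatched INFORM or pre-tagged Option 82 packet, and compare the drop reasons with what show ip dhcp snooping statistics and the SYSLOG messages report on the switch. Note that a relay agent on an untrusted port needs both verify_mac=False and allow_untrusted=True in this model, exactly as sections 3.3 and 3.4 require for the real commands.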
3.5. DHCP packet rate limits
If DHCP snooping is enabled, the ip dhcp snooping limit rate command can be used to specify the maximum number of DHCP packets that can be received per second by the overall system.
If more DHCP packets than the limit rate allows are received, the DHCP packets that exceed the limit are discarded. No limit rate is set by default. Because the limit applies to the whole system rather than to individual ports, a DHCP flood on one untrusted port can also cause legitimate DHCP packets on other ports to be discarded.
3.6. DHCP snooping statistical information
Statistics about DHCP packets discarded by DHCP snooping can be checked using the show ip dhcp snooping statistics command.
However, that statistical information does not include statistics on DHCP packets discarded due to the limit rate.
The statistical information can be deleted using the clear ip dhcp snooping statistics command.
3.7. SYSLOG output
If DHCP packets are discarded by the DHCP snooping inspection of received packets, the reason for discarding them can be output to SYSLOG at INFO level.
The SYSLOG output enable/disable setting can be specified using the ip dhcp snooping logging command. SYSLOG output is enabled in default settings.
The following SYSLOG messages are output.
Level | Output conditions | SYSLOG Message |
---|---|---|
INFO | DHCP server packet received at an untrusted port. | 2022/07/21 09:00:00: [DHCPSN]:inf: DHCP dropped due to prohibited message type, VLAN 1, port1.1, DHCPOFFER, 1234.4567.abcd |
INFO | DHCP RELEASE/DECLINE received from an interface other than the one registered in the binding database. | 2022/07/21 09:00:00: [DHCPSN]:inf: DHCP dropped due to source interface mismatch, VLAN 1, port1.1, DHCPRELEASE, 5c5a.c7d6.9e1e |
INFO | Sender MAC address and chaddr do not match. | 2022/07/21 09:00:00: [DHCPSN]:inf: DHCP dropped due to source mac mismatch, VLAN 1, port1.1, DHCPINFORM, 001c.4321.abcd |
INFO | Packet already carrying Option 82 received at an untrusted port. | 2022/07/21 09:00:00: [DHCPSN]:inf: DHCP dropped due to option82 value, VLAN 1, port1.1, DHCPINFORM, 5c5a.c7d6.9e1e |
4. Related Commands
Related commands are indicated below.
Operations | Operating commands |
---|---|
Enable/disable setting for DHCP snooping (system) | ip dhcp snooping enable/disable |
Enable/disable setting for DHCP snooping (VLAN) | ip dhcp snooping enable/disable |
DHCP snooping port type setting | ip dhcp snooping trust |
Enable/disable setting for MAC address verification | ip dhcp snooping verify mac-address enable/disable |
Enable/disable setting for Option 82 | ip dhcp snooping information option enable/disable |
Setting for allowing packets appended with Option 82 to be received at untrusted ports | ip dhcp snooping information option allow-untrusted |
Remote-ID setting for Option 82 | ip dhcp snooping information option format remote-id |
Circuit-ID setting for Option 82 | ip dhcp snooping information option format-type circuit-id |
Subscriber-ID setting | ip dhcp snooping subscriber-id |
DHCP packet receiving limit rate setting | ip dhcp snooping limit rate |
Enable/disable setting for SYSLOG output when DHCP packets are discarded | ip dhcp snooping logging enable/disable |
Shows DHCP snooping system setting information | show ip dhcp snooping |
Shows DHCP snooping interface settings information | show ip dhcp snooping interface |
Shows the binding database | show ip dhcp snooping binding |
Shows DHCP snooping statistical information | show ip dhcp snooping statistics |
Clears the binding database | clear ip dhcp snooping binding |
Clears DHCP snooping statistical information | clear ip dhcp snooping statistics |
5. Examples of Command Execution
5.1. Designating trusted interfaces
This specifies a trusted interface (LAN port #1) for connecting the DHCP server.
    Yamaha(config)#interface port1.1
    Yamaha(config-if)#ip dhcp snooping trust
    Yamaha(config-if)#exit
5.2. Enabling DHCP snooping
This enables DHCP snooping for the system and for VLAN #1.
    Yamaha(config)#ip dhcp snooping enable
    Yamaha(config)#interface vlan1
    Yamaha(config-if)#ip dhcp snooping enable
    Yamaha(config-if)#exit
6. Points of Caution
- None