Enabling DHCP Snooping (non-ELS)

 

DHCP snooping enables the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. The switch builds and maintains a database of valid bindings between IP address and MAC addresses (IP-MAC bindings) called the DHCP snooping database.

Note

If you configure DHCP snooping for all VLANs and you enable a different port security feature on a specific VLAN, you must also explicitly enable DHCP snooping on that VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.

Enabling DHCP Snooping

You configure DHCP snooping per VLAN, not per interface (port). By default, DHCP snooping is disabled for all VLANs. You can enable DHCP snooping on all VLANs or on specific VLANs.

To enable DHCP snooping:

  • On a specific VLAN:

    [edit ethernet-switching-options secure-access port]

    user@switch# set vlan vlan-name examine-dhcp
  • On all VLANs:

    [edit ethernet-switching-options secure-access port]

    user@switch# set vlan all examine-dhcp


To enable DHCPv6 snooping:

  • On a specific VLAN:

    [edit ethernet-switching-options secure-access port]

    user@switch# set vlan vlan-name examine-dhcpv6
  • On all VLANs:

    [edit ethernet-switching-options secure-access port]

    user@switch# set vlan all examine-dhcpv6


Tip

By default, the IP-MAC bindings are lost when the switch is rebooted and DHCP clients (the network devices, or hosts) must reacquire bindings. However, you can configure the bindings to persist by setting the switch to store the database file either locally or remotely. See Configuring Persistent Bindings in the DHCP or DHCPv6 (non-ELS).

Tip

For private VLANs (PVLANs), enable DHCP snooping on the primary VLAN. If you enable DHCP snooping only on a community VLAN, DHCP messages coming from PVLAN trunk ports are not snooped.

Applying CoS Forwarding Classes to Prioritize Snooped Packets

On EX Series switches you might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay, and might also need to configure the port security features of DHCP snooping on the ports through which those packets enter or leave.

Note

Prioritizing snooped packets by using CoS forwarding classes is not supported on the QFX Series switch.

To apply CoS forwarding classes and queues to snooped packets:

  1. Create a user-defined forwarding class to be used for prioritizing snooped packets:
    [edit class-of-service]

    user@switch# set forwarding-classes class class-name queue-num queue-number
  2. Enable DHCP snooping on a specific VLAN or on all VLANs and apply the required forwarding class on the snooped packets:
    • On a specific VLAN:

      [edit ethernet-switching-options secure-access port]

      user@switch# set vlan vlan-name examine-dhcp forwarding-class class-name
    • On all VLANs:

      [edit ethernet-switching-options secure-access port]

      user@switch# set vlan all examine-dhcp forwarding-class class-name
    Note

    Replace examine-dhcp with examine-dhcpv6 to enable DHCPv6 snooping.

Verifying That DHCP Snooping Is Working Correctly

Purpose

Verify that DHCP snooping is working on the switch and that the DHCP snooping database is correctly populated with both dynamic and static bindings.

Action

Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.

Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:

user@switch> show dhcp snooping binding

Meaning

When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. The statically configured entry never expires.

If the DHCP server had been configured as untrusted, no entries would be added to the DHCP snooping database and nothing would be shown in the output of the show dhcp snooping binding command.