Related Documentation
- EX Series
- Port Security Overview
- Understanding Trusted DHCP Servers for Port Security
- Understanding DHCP Option 82 for Port Security on EX Series Switches
- Understanding DHCP Services for Switches
- DHCP/BOOTP Relay for Switches Overview
- Example: Configuring Basic Port Security Features
- Example: Using CoS Forwarding Classes to Prioritize Snooped Packets in Heavy Network Traffic
- Enabling DHCP Snooping (CLI Procedure) and Enabling DHCP Snooping (J-Web Procedure)
- Troubleshooting Port Security
- QFX Series
- Port Security Overview
- Understanding Trusted DHCP Servers for Port Security
- Understanding DHCP Option 82 for Port Security
- Understanding DHCP Services for Switches
- DHCP/BOOTP Relay for Switches Overview
- Example: Configuring Basic Port Security Features
- Enabling DHCP Snooping (CLI Procedure) and Enabling DHCP Snooping (J-Web Procedure)
Understanding DHCP Snooping for Port Security
DHCP snooping allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. When DHCP snooping is enabled, the system snoops the DHCP messages to view DHCP lease information and build and maintain a database of valid IP address to MAC address (IP-MAC) bindings called the DHCP snooping database. Only clients with valid bindings are allowed access to the network.
DHCP Snooping Basics
Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically, “leasing” addresses to devices so that the addresses can be reused when no longer needed. Hosts and end devices that require IP addresses obtained through DHCP must communicate with a DHCP server across the LAN.
DHCP snooping acts as a guardian of network security by keeping track of valid IP addresses assigned to downstream network devices by a trusted DHCP server (the server is connected to a trusted network port). By default, all trunk ports on the switch are trusted and all access ports are untrusted for DHCP snooping. You can modify these defaults on each of the switch's interfaces.
When DHCP snooping is enabled, the lease information from the switch (which is a DHCP client) is used to create the DHCP snooping database, a mapping of IP address to VLAN–MAC-address pairs. For each VLAN–MAC-address pair, the database stores the corresponding IP address.
Entries in the DHCP database are updated in these events:
- When a DHCP client releases an IP address (sends a DHCPRELEASE message), the associated mapping entry is deleted from the database.
- If you move a network device from one VLAN to another, typically the device has to acquire a new IP address, so its entry in the database, including the VLAN ID, is updated.
- When the lease time (timeout value) assigned by the DHCP server expires, the associated entry is deleted from the database.
Tip: By default, the IP-MAC bindings are lost when the switch is rebooted and DHCP clients (the network devices, or hosts) must reacquire bindings. However, you can configure the bindings to persist by setting the dhcp-snooping-file statement to store the database file either locally or remotely.
You can configure the switch to snoop DHCP server responses only from particular VLANs. Doing this prevents spoofing of DHCP server messages.
You configure DHCP snooping per VLAN, not per interface (port). By default, DHCP snooping is disabled for all VLANs. You can enable DHCP snooping on all VLANs or on specific VLANs.
Note: If you configure DHCP snooping for all VLANs and you enable a different port security feature on a specific VLAN, you must also explicitly enable DHCP snooping on that VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.
Tip: For private VLANs (PVLANs), enable DHCP snooping on the primary VLAN. If you enable DHCP snooping only on a community VLAN, DHCP messages coming from PVLAN trunk ports are not snooped.
DHCP Snooping Process
The basic process of DHCP snooping entails the following steps:
- Device sends DHCPDISCOVER to request IP address.
- Switch forwards the packet to the DHCP server.
- Server sends DHCPOFFER to offer an address. If the DHCPOFFER is from a trusted interface, switch forwards the packet to the DHCP client.
- Device sends DHCPREQUEST to accept the IP address. Switch snoops this packet and adds IP-MAC placeholder binding to the database. The entry is considered a placeholder until a DHCPACK is received from the server. Until then, the IP address could still be assigned to some other host.
- Server sends DHCPACK to assign the IP address or DHCPNAK to deny the address request.
- Switch updates the DHCP database in accordance with the type of packet received:
  - Upon receipt of DHCPACK, switch updates lease information for the IP-MAC binding in its database.
  - Upon receipt of DHCPNAK, switch deletes the placeholder.
Note: DHCPDISCOVER and DHCPOFFER packets are not snooped. The DHCP database is updated only after the DHCPREQUEST packet has been sent.
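The process above, as an added example that is not part of the Juniper documentation or of Junos OS: a small Python model of the snooping database that follows the listed steps. DHCPDISCOVER and DHCPOFFER leave the database untouched, a DHCPREQUEST creates a placeholder keyed by VLAN and MAC address, a DHCPACK commits it with a lease, a DHCPNAK or DHCPRELEASE deletes it, and expired leases are purged. Server messages (DHCPOFFER, DHCPACK, DHCPNAK) are accepted only from trusted ports. The port names, VLAN name, lease value and the dictionary layout of the messages are constructed for the example, and the handling of a DHCPACK that arrives with no placeholder (forwarded, database untouched) is an assumption, since the page does not describe that case.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Example code, not Junos OS code. Models the DHCP snooping database.


@dataclass
class Binding:
    ip: str
    interface: str                    # access port the client sits on
    lease_expires: Optional[float]    # None = placeholder, no DHCPACK yet


class DhcpSnoopingDb:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        # keyed by (VLAN, MAC address), storing the IP address, as the text describes
        self.bindings: Dict[Tuple[str, str], Binding] = {}
        self.dropped: List[Tuple[str, dict]] = []   # audit trail of refused packets

    def process(self, msg: dict, now: float) -> str:
        kind, port = msg["type"], msg["port"]
        key = (msg["vlan"], msg["mac"])
        # server-originated messages are only honoured from trusted ports
        if kind in ("DHCPOFFER", "DHCPACK", "DHCPNAK") and port not in self.trusted:
            self.dropped.append((f"{kind} from untrusted port {port}", msg))
            return "dropped"
        if kind in ("DHCPDISCOVER", "DHCPOFFER"):
            return "forwarded"                      # not snooped
        if kind == "DHCPREQUEST":
            self.bindings[key] = Binding(msg["ip"], port, None)
            return "placeholder"
        if kind == "DHCPACK":
            b = self.bindings.get(key)
            if b is None:
                return "forwarded"                  # assumption: no placeholder, nothing to update
            b.ip = msg["ip"]
            b.lease_expires = now + msg["lease"]
            return "bound"
        if kind in ("DHCPNAK", "DHCPRELEASE"):
            self.bindings.pop(key, None)
            return "deleted"
        raise ValueError(f"unknown DHCP message type {kind}")

    def expire(self, now: float) -> List[Tuple[str, str]]:
        """Delete entries whose server-assigned lease has run out."""
        gone = [k for k, b in self.bindings.items()
                if b.lease_expires is not None and b.lease_expires <= now]
        for k in gone:
            del self.bindings[k]
        return gone


def run_scenario():
    """Constructed sequence: one client on access port ge-0/0/1.0, the DHCP
    server behind trusted trunk port ge-0/0/11.0, plus one rogue DHCPACK
    injected on the access port."""
    db = DhcpSnoopingDb(trusted_ports={"ge-0/0/11.0"})
    key = {"vlan": "employee", "mac": "00:05:85:3a:82:77"}
    from_client = {**key, "port": "ge-0/0/1.0"}
    from_server = {**key, "port": "ge-0/0/11.0"}
    steps = [
        ({**from_client, "type": "DHCPDISCOVER"}, 0),
        ({**from_server, "type": "DHCPOFFER", "ip": "192.0.2.17"}, 1),
        ({**from_client, "type": "DHCPREQUEST", "ip": "192.0.2.17"}, 2),
        ({**from_client, "type": "DHCPACK", "ip": "192.0.2.99", "lease": 600}, 3),  # rogue
        ({**from_server, "type": "DHCPACK", "ip": "192.0.2.17", "lease": 600}, 3),
    ]
    outcomes = [db.process(m, t) for m, t in steps]
    binding = db.bindings[("employee", "00:05:85:3a:82:77")]
    expired_early = db.expire(now=500)   # lease still valid
    expired_late = db.expire(now=700)    # lease of 600 s from t=3 has run out
    return outcomes, binding, expired_early, expired_late, db.dropped


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

The rogue DHCPACK is refused solely because it arrives on an untrusted access port; the model never inspects its contents, which mirrors the page's trusted/untrusted port distinction.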
For general information about the messages that the DHCP client and DHCP server exchange during the assignment of an IP address for the client, see the Junos OS System Basics Configuration Guide.
DHCP Server Access
Switch access to the DHCP server can be configured in three ways:
- Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN
- Switch Acts as DHCP Server
- Switch Acts as Relay Agent
Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN
When the switch, DHCP clients, and DHCP server are all members of the same VLAN, the DHCP server can be connected to the switch in one of two ways:
- The server is directly connected to the same switch as the one connected to the DHCP clients (the hosts, or network devices, that are requesting IP addresses from the server). You must configure the port that connects the server to the switch as a trusted port. See Figure 1.
- The server is directly connected to a switch that is itself directly connected through a trunk port to the switch that the DHCP clients are connected to. The trunk port is configured by default as a trusted port. The switch that the DHCP server is connected to is not configured for DHCP snooping. See Figure 2—in the figure, ge-0/0/11 is a trusted trunk port.
Figure 1: DHCP Server Connected Directly to Switch

Figure 2: DHCP Server Connected Directly to Switch 2, with Switch 2 Connected to Switch 1 Through a Trusted Trunk Port

Switch Acts as DHCP Server
Note: This is not supported on the QFX Series switch.
The switch itself is configured as a DHCP server; this is known as a “local” configuration. See Figure 3.
Figure 3: Switch Is the DHCP Server

Switch Acts as Relay Agent
The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface (on the switch, these interfaces are configured as routed VLAN interfaces, or RVIs). These trunk interfaces are trusted by default.
These two scenarios illustrate the switch acting as a relay agent:
- The DHCP server and clients are in different VLANs.
- The switch is connected to a router that is in turn connected to the DHCP server. See Figure 4.
Figure 4: Switch Acting as Relay Agent Through Router to DHCP Server

DHCP Snooping Table
The software creates a DHCP snooping information table that displays the content of the DHCP snooping database. The table shows current IP-MAC bindings, as well as lease time, type of binding, names of associated VLANs, and associated interface. To view the table, type show dhcp snooping binding at the operational mode prompt:
```
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address    Lease (seconds)   Type      VLAN       Interface
00:05:85:3A:82:77   192.0.2.17    600               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18    653               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19    720               dynamic   employee   ge-0/0/2.0
```
Static IP Address Additions to the DHCP Snooping Database
You can add specific static IP addresses to the database as well as have the addresses dynamically assigned through DHCP snooping. To add static IP addresses, you supply the IP address, the MAC address of the device, the interface on which the device is connected, and the VLAN with which the interface is associated. No lease time is assigned to the entry. The statically configured entry never expires.
Snooping DHCP Packets That Have Invalid IP Addresses
If you enable DHCP snooping on a VLAN and devices on that VLAN then send DHCP packets that request invalid IP addresses, these invalid IP addresses would be stored in the DHCP snooping database until they are deleted when their default timeout is reached. To eliminate this unnecessary consumption of space in the DHCP snooping database, the switch drops DHCP packets that request invalid IP addresses, preventing the snooping of these packets. The invalid IP addresses are:
- 0.0.0.0
- 128.0.x.x
- 191.255.x.x
- 192.0.0.x
- 223.255.255.x
- 224.x.x.x
- 240.x.x.x to 255.255.255.255
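As an added example (not Juniper's code), the following Python parses the text of show dhcp snooping binding shown under "DHCP Snooping Table" into records and audits them: it applies the invalid-address list above, written out as network prefixes, and also flags one IP address bound to more than one MAC address, which a database of valid IP-MAC bindings should never contain. The parser assumes the six-column row layout shown on this page; the first sample is the page's own output, the second sample with two bad rows is constructed.

```python
import ipaddress
from typing import List, NamedTuple

# Example code, not Junos OS code.

# Output as shown on the page (copied, not constructed).
SAMPLE_OUTPUT = """\
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address    Lease (seconds)   Type      VLAN       Interface
00:05:85:3A:82:77   192.0.2.17    600               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18    653               dynamic   employee   ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19    720               dynamic   employee   ge-0/0/2.0
"""

# Constructed: same table plus a multicast address and a duplicated IP address.
CONSTRUCTED_BAD_OUTPUT = SAMPLE_OUTPUT + """\
00:05:85:3A:82:81   224.0.0.5     700               dynamic   employee   ge-0/0/3.0
00:05:85:3A:82:82   192.0.2.17    300               dynamic   employee   ge-0/0/4.0
"""

# The page's list of invalid addresses, expressed as prefixes:
# 0.0.0.0, 128.0.x.x, 191.255.x.x, 192.0.0.x, 223.255.255.x, 224.x.x.x,
# and 240.x.x.x through 255.255.255.255.
INVALID_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "128.0.0.0/16", "191.255.0.0/16", "192.0.0.0/24",
    "223.255.255.0/24", "224.0.0.0/8", "240.0.0.0/4")]


class BindingRow(NamedTuple):
    mac: str
    ip: str
    lease: int
    kind: str
    vlan: str
    interface: str


def parse_binding_table(text: str) -> List[BindingRow]:
    """Keep only data rows: six whitespace-separated columns led by a MAC address."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0].count(":") != 5:
            continue
        mac, ip, lease, kind, vlan, iface = parts
        rows.append(BindingRow(mac.lower(), ip, int(lease), kind, vlan, iface))
    return rows


def is_invalid_request_ip(ip: str) -> bool:
    """True if the address falls in a range the switch refuses to snoop."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INVALID_RANGES)


def audit(rows: List[BindingRow]) -> List[str]:
    findings = []
    macs_by_ip = {}
    for r in rows:
        if is_invalid_request_ip(r.ip):
            findings.append(f"{r.ip} on {r.interface}: address in a range the switch should not snoop")
        macs_by_ip.setdefault(r.ip, set()).add(r.mac)
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(f"{ip}: bound to {len(macs)} MAC addresses ({', '.join(sorted(macs))})")
    return findings


if __name__ == "__main__":
    print("page sample:", audit(parse_binding_table(SAMPLE_OUTPUT)) or "clean")
    for finding in audit(parse_binding_table(CONSTRUCTED_BAD_OUTPUT)):
        print("constructed sample:", finding)
```

Because the switch already drops requests for addresses in those ranges, a hit in the first check on a real table points at a configuration or software discrepancy worth investigating; the duplicate-IP check is the more useful routine signal of conflicting clients.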
Prioritizing Snooped Packets
Note: This is not supported on the QFX Series.
You can use CoS forwarding classes and queues to prioritize DHCP snooped packets for a specified VLAN. This type of configuration places the DHCP snooped packets for that VLAN in the desired egress queue, so that the security procedure does not interfere with the transmittal of high-priority traffic.