Understanding DHCP Snooping (non-ELS)
This topic includes information about enabling Dynamic Host Configuration Protocol (DHCP) snooping for Junos EX Series switches that do not support the Enhanced Layer 2 Software (ELS). If your switch runs a version of Junos that supports ELS, see Understanding DHCP Snooping (ELS). For ELS details, see Using the Enhanced Layer 2 Software CLI.
DHCP snooping enables the switching device, which can be either a switch or a router, to monitor DHCP messages received from untrusted devices connected to the switching device. When DHCP snooping is enabled on a VLAN, the system examines DHCP messages sent from untrusted hosts associated with the VLAN and extracts their IP addresses and lease information. This information is used to build and maintain the DHCP snooping database. Only hosts that can be verified using this database are allowed access to the network.
DHCP Snooping Basics
The Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically, leasing addresses to devices so that the addresses can be reused when no longer needed. Hosts and end devices that require IP addresses obtained through DHCP must communicate with a DHCP server across the LAN.
DHCP snooping acts as a guardian of network security by keeping track of valid IP addresses assigned to downstream network devices by a trusted DHCP server (the server is connected to a trusted network port).
By default, all trunk ports on the switch are trusted and all access ports are untrusted for DHCP snooping.
When DHCP snooping is enabled, the lease information from the switching device is used to create the DHCP snooping table, also known as the binding table. The table shows the IP-MAC binding, as well as the lease time for the IP address, type of binding, VLAN name, and interface for each host.
DHCP snooping is disabled in the default configuration of the switching device. You
must explicitly enable DHCP snooping by setting examine-dhcp at the [edit
ethernet-switching-options secure-access-port] hierarchy level.
Entries in the DHCP snooping database are updated in these events:
When a DHCP client releases an IP address (sends a DHCPRELEASE message). In this event, the associated mapping entry is deleted from the database.
If you move a network device from one VLAN to another. In this event, typically the device needs to acquire a new IP address. Therefore, its entry in the database, including its VLAN ID, is updated.
When the lease time (timeout value) assigned by the DHCP server expires. In this event, the associated entry is deleted from the database.
By default, the IP-MAC bindings are lost when the switching device is rebooted and DHCP
clients (the network devices, or hosts) must reacquire bindings. However, you can configure
the bindings to persist by setting the dhcp-snooping-file statement to store the
database file either locally or remotely.
You can configure the switching device to snoop DHCP server responses from particular VLANs only. This prevents spoofing of DHCP server messages.
You configure DHCP snooping per VLAN, not per interface (port). DHCP snooping is disabled by default on switching devices.
DHCP Snooping Process
The basic process of DHCP snooping consists of the following steps:
When DHCP snooping is enabled for a VLAN, all DHCP packets sent from the network devices in that VLAN are subjected to DHCP snooping. The final IP-MAC binding occurs when the DHCP server sends DHCPACK to the DHCP client.
The network device sends a DHCPDISCOVER packet to request an IP address.
The switching device forwards the packet to the DHCP server.
The server sends a DHCPOFFER packet to offer an address. If the DHCPOFFER packet is from a trusted interface, the switching device forwards the packet to the DHCP client.
The network device sends a DHCPREQUEST packet to accept the IP address. The switching device adds an IP-MAC placeholder binding to the database. The entry is considered a placeholder until a DHCPACK packet is received from the server. Until then, the IP address could still be assigned to some other host.
The server sends a DHCPACK packet to assign the IP address or a DHCPNAK packet to deny the address request.
The switching device updates the DHCP snooping database according to the type of packet received:
If the switching device receives a DHCPACK packet, it updates lease information for the IP-MAC bindings in its database.
If the switching device receives a DHCPNACK packet, it deletes the placeholder.
The DHCP snooping database is updated only after the DHCPREQUEST packet has been sent.
For general information about the messages that the DHCP client and DHCP server exchange during the assignment of an IP address for the client, see the Junos OS Administration Library.
DHCPv6 Snooping
DHCPv6 snooping is the equivalent of DHCP snooping for IPv6. The process for DHCPv6 snooping is similar to that for DHCP snooping, but uses different names for the messages exchanged between the client and server to assign IPv6 addresses. Table 1 shows DHCPv6 messages and their DHCP equivalents.
Sent by |
DHCPv6 Messages |
Equivalent DHCP Messages |
|---|---|---|
Client |
SOLICIT |
DHCPDISCOVER |
Server |
ADVERTISE |
DHCPOFFER |
Client |
REQUEST, RENEW, REBIND |
DHCPREQUEST |
Server |
REPLY |
DHCPACK/DHCPNAK |
Client |
RELEASE |
DHCPRELEASE |
Client |
INFORMATION-REQUEST |
DHCPINFORM |
Client |
DECLINE |
DHCPDECLINE |
Client |
CONFIRM |
none |
Server |
RECONFIGURE |
DHCPFORCERENEW |
Client |
RELAY-FORW, RELAY-REPLY |
none |
Rapid Commit for DHCPv6
DHCPv6 provides for a Rapid Commit option (DHCPv6 option 14), which, when supported by the server and set by the client, shortens the exchange from a four-way relay to a two-message handshake. For more information about enabling the Rapid Commit option, see Configuring DHCPv6 Rapid Commit (MX Series, EX Series).
In the rapid commit process:
The DHCPv6 client sends out a SOLICIT message that contains a request that rapid assignment of address, prefix, and other configuration parameters be preferred.
If the DHCPv6 server supports rapid assignment, it responds with a REPLY message, which contains the assigned IPv6 address and prefix and other configuration parameters.
DHCP Server Access
You can configure a switching device’s access to the DHCP server in three ways:
- Switching Device, DHCP Clients, and DHCP Server Are All on the Same VLAN
- Switching Device Acts as DHCP Server
- Switching Device Acts as Relay Agent
Switching Device, DHCP Clients, and DHCP Server Are All on the Same VLAN
When the switching device, DHCP clients, and DHCP server are all members of the same VLAN, the DHCP server can be connected to the switching device in one of two ways:
The server is directly connected to the same switching device as the one connected to the DHCP clients (the hosts, or network devices, that are requesting IP addresses from the server). The VLAN is enabled for DHCP snooping to protect the untrusted access ports. The trunk port is configured by default as a trusted port. See Figure 1.
The server is connected to an intermediary switching device (Switching Device 2). The DHCP clients are connected to Switching Device 1, which is connected through a trunk port to Switching Device 2. Switching Device 2 is being used as a transit device. The VLAN is enabled for DHCP snooping to protect the untrusted access ports. The trunk port is configured by default as a trusted port. As shown in Figure 2, ge-0/0/11 is a trusted trunk port.
Switching Device Acts as DHCP Server
The switching device acting as a DHCP server is not supported on the QFX Series.
The switching device itself is configured as a DHCP server; this is known as a local configuration. See Figure 3.
Switching Device Acts as Relay Agent
The switching device functions as a relay agent when the DHCP clients or the DHCP server is connected to the device through a Layer 3 interface. The Layer 3 interfaces on the switching device are configured as routed VLAN interfaces (RVIs), which are also known as integrated routing and bridging (IRB) interfaces. The trunk interfaces are trusted by default.
These two scenarios illustrate the switching device acting as a relay agent:
The DHCP server and clients are in different VLANs.
The switching device is connected to a router that is in turn connected to the DHCP server. See Figure 4.
Static IP Address Additions to the DHCP Snooping Database
You can add specific static IP addresses to the database as well as have the addresses dynamically assigned through DHCP snooping. To add static IP addresses, you supply the IP address, the MAC address of the device, the interface on which the device is connected, and the VLAN with which the interface is associated. No lease time is assigned to the entry. The statically configured entry never expires.
Snooping DHCP Packets That Have Invalid IP Addresses
If you enable DHCP snooping on a VLAN and then devices on that VLAN send DHCP packets that request invalid IP addresses, these invalid IP addresses are stored in the DHCP snooping database until they are deleted when their default timeout is reached. To eliminate this unnecessary consumption of space in the DHCP snooping database, the switching device drops the DCHP packets that request invalid IP addresses, preventing the snooping of these packets. The invalid IP addresses are:
0.0.0.0
128.0.x.x
191.255.x.x
192.0.0.x
223.255.255.x
224.x.x.x
240.x.x.x to 255.255.255.255
Prioritizing Snooped Packets
Prioritizing snooped packets is not supported on the QFX Series and the EX4600 switch.
You can use class-of-service (CoS) forwarding classes and queues to prioritize DHCP snooped packets for a specified VLAN. This type of configuration places the DHCP snooped packets for that VLAN in a specified egress queue, so that the security procedure does not interfere with the transmission of high-priority traffic.