Table of Contents
Advertisement
DHCP Snooping Overview
the hardware forwards client messages and copies server messages to the CPU so DHCP snooping
can learn the binding.
The DHCP snooping application processes incoming DHCP messages. For DHCP RELEASE and
DHCP DECLINE messages, the application compares the receive interface and VLAN with the
clientʹs interface and VLAN in the bindings database. If the interfaces do not match, the
application logs the event and drops the message. For valid client messages, DHCP snooping
compares the source MAC address to the DHCP client hardware address. Where there is a
mismatch, DHCP snooping logs and drops the packet. You can disable this feature using the set
dhcpsnooping verify mac‐address disable command.
DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP
packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules
and updates the bindings database. If a client message passes filtering rules, the message is placed
into the software forwarding path, where it may be processed by the DHCP relay agent, the local
DHCP server, or forwarded as an IP packet.
DHCP snooping forwards valid DHCP client messages received on non‐routing VLANs. The
message is forwarded on all trusted interfaces in the VLAN. If a DHCP relay agent or local DHCP
server co‐exist with the DHCP snooping feature, DHCP client messages will be sent to the DHCP
relay agent or local DHCP server to process further.
The DHCP snooping application does not forward server messages since they are forwarded in
hardware.
Building and Maintaining the Database
The DHCP snooping application uses DHCP messages to build and maintain the bindings
database. The bindings database includes only data for clients on untrusted ports. The bindings
database includes the following information for each entry:
•
Client MAC address
•
Client IP address
•
Time when clientʹs lease expires
•
Client VLAN ID
•
Client port
DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages.
Tentative bindings tie a client to a port (the port where the DHCP client message was received).
Tentative bindings are completed when DHCP snooping learns the clientʹs IP address from a
DHCP ACK message on a trusted port. DHCP snooping removes bindings in response to
DECLINE, RELEASE, and NACK messages. The DHCP snooping application ignores the ACK
messages sent in reply to the DHCP Inform messages received on trusted ports. You can also
enter static bindings into the bindings database.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates
the entries in the database.
If the absolute lease time of a snooping database entry expires, then that entry will be removed.
Care should be taken to ensure that system time is consistent across the reboots. Otherwise,
snooping entries will not expire properly. If a host sends a DHCP RELEASE message while the
17-2 DHCP Snooping and Dynamic ARP Inspection
Note: If the switch has been configured as a DHCP relay agent, to forward client requests to a
DHCP server that does not reside on the same broadcast domain as the client, MAC address
verification should be disabled in order to allow DHCP RELEASE packets to be processed by the
DHCP snooping functionality and client bindings removed from the bindings database.
Advertisement
Table of Contents
