12.1.2 Monitoring DHCP Packets
(1) Port type
DHCP snooping categorizes ports as follows when it monitors DHCP packets:
- A port is trusted when a trusted terminal, such as a DHCP server or a department server, is connected to it.
- A port is untrusted when an untrusted terminal, such as a DHCP client, is connected to it.
Do not connect DHCP servers to untrusted ports.
The following figure shows the two port categories used when dynamic ARP inspection is enabled and an example of devices connected to such ports.
[Figure: trusted and untrusted port categories with examples of connected devices]
When you use the ip dhcp snooping configuration command to enable DHCP snooping, all the ports become untrusted by default. Set the port to which a DHCP server is connected as a trusted port. To do so, use the ip dhcp snooping trust configuration command.
Note that DHCP snooping monitors the VLANs that have been set by using the ip dhcp snooping vlan configuration command.
(2) Learning terminal information
The following figure provides an overview of how the Switch learns terminal information.
[Figure: overview of how the Switch learns terminal information]
The Switch monitors the packets received on trusted ports from the DHCP server. When the DHCP server distributes an IP address, the Switch registers the terminal information in the binding database. Only the terminal information of terminals connected to untrusted ports is registered in the binding database.
The Switch also monitors IP address release requests received on untrusted ports from DHCP clients. When a DHCP client releases its IP address, the Switch deletes the terminal information from the binding database.
Two methods are available for registering information in a binding database:
- Dynamic registration
  The Switch registers terminal information when an IP address is distributed by a DHCP server.
  Usually, the Switch uses dynamic registration to register terminal information.
- Static registration
  You can use the ip source binding configuration command to register terminal information.
  Static registration is usually used when a server with a fixed IP address (such as a department server) is connected to an untrusted port. Registering that terminal information statically in the binding database permits the server's communication.
The following table describes the types of terminal information that are registered in a binding database.
| Item | Dynamic registration | Static registration |
|---|---|---|
| Terminal MAC address | MAC address of a DHCP client | MAC address of a terminal with a fixed IP address |
| Terminal IP address | IP address distributed by the DHCP server | IP address of a terminal with a fixed IP address. The addresses in the following ranges are available: |
| VLAN containing the terminal | ID of the VLAN containing the port or channel group to which the terminal is connected | |
| Number of the port to which the terminal is connected | Number of the port or channel group to which the terminal is connected | |
| Aging time | Length of time until an entry is deleted due to aging. The lease time of the IP address distributed by the DHCP server is used for this item. | Aging is not applicable. |
(3) Saving the binding database
Use configuration commands to save a binding database and to restore it when the Switch is restarted.
(a) Conditions for Saving Binding Databases
To save a binding database, use the ip dhcp snooping database url configuration command.
The saving of the binding database starts when the save delay time in the configuration information expires.
(b) Saving when the save delay time expires
The save delay time is the period between the point at which saving of the binding database is requested (called a save event) and the point at which saving to the save location actually starts. The save delay timer starts when one of the following save events occurs, and the binding database is saved to the specified save location when the timer expires:
- Terminal information is dynamically registered, updated, or deleted in the binding database.
- The ip dhcp snooping database url configuration command is specified (including a change of the save location).
- The clear ip dhcp snooping binding operation command is executed.
To set the save delay time, use the ip dhcp snooping database write-delay configuration command.
When the save delay timer starts due to a save event, the timer does not stop until it expires. Even if terminal information is registered, updated, or deleted in the binding database before the timer expires, the timer will not be restarted.
The following figure shows the relationship between save events and the save delay time. In this figure, the save event is the registration of terminal information in the binding database.
[Figure: relationship between save events and the save delay time]
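The timer behaviour described above, as an added Python model that is not code from the Switch or this manual: given the times of the save events and the write-delay value, it returns when each write of the binding database happens and which events each write covers. The function name and the sample event times are constructed for the illustration.

```python
def schedule_writes(event_times, write_delay):
    """Model of the save delay timer (not the Switch's implementation).

    event_times: times in seconds at which save events occur (a dynamic entry
      registered, updated or deleted; 'ip dhcp snooping database url' set;
      'clear ip dhcp snooping binding' executed).
    write_delay: the 'ip dhcp snooping database write-delay' value, in seconds.
    Returns [(write_time, events_covered), ...]. The first event starts the
    timer; events that arrive while it runs neither restart nor extend it, and
    the write at expiry saves every entry that exists at that moment.
    """
    writes = []
    expiry = None
    for t in sorted(event_times):
        if expiry is None or t >= expiry:   # timer idle (or just expired): start it
            expiry = t + write_delay
            writes.append((expiry, [t]))
        else:                               # timer already running: event absorbed
            writes[-1][1].append(t)
    return writes

# Constructed sample: write-delay 120 s, bursts of lease events around 0 s and 130 s
SAMPLE_EVENTS = [0, 5, 20, 130, 140, 300]

def sample_schedule():
    return schedule_writes(SAMPLE_EVENTS, 120)
```

The events at 5 s and 20 s do not restart the timer started at 0 s, so they are written at 120 s together with the first event.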
(c) Binding Database Destination
As the save location for the binding database, you can select either internal flash memory or an external memory card. To set the save location, use the ip dhcp snooping database url configuration command.
The items that are saved are all the entries in the binding database that exist at the time of the current write operation. The saved items will be overwritten by the next write operation.
(d) Restoring a Saved Binding Database
The saved binding database is restored when the Switch is started. The database will be restored only if both of the following conditions are met when the switch is started:
- The save location has been set by using the ip dhcp snooping database url configuration command.
- If the save location is an external memory card, that card is inserted.
(4) Inspecting DHCP Packets
The following figure provides an overview of DHCP packet inspection.
[Figure: overview of DHCP packet inspection]
The switch monitors the DHCP packets from terminals that are connected to untrusted ports to prevent the following:
- Distribution of IP addresses by untrusted DHCP servers
  When the Switch receives a DHCP packet from an untrusted DHCP server on an untrusted port, the Switch discards the packet. This prevents untrusted DHCP servers from distributing IP addresses.
- Release of IP addresses by untrusted DHCP clients
  When the Switch receives an IP address release request on an untrusted port from a terminal that is not registered in the binding database, the Switch discards the packet. This prevents the release of IP addresses by terminals that were given IP addresses by illegitimate DHCP servers.
  Similarly, when the Switch receives an IP address duplication detection report, a lease time update, or a request for optional information, the Switch discards the packet. This prevents untrusted DHCP clients from illegally releasing IP addresses, acquiring IP addresses, or acquiring optional information.
- MAC address spoofing
  When the source MAC address of a DHCP packet received on an untrusted port does not match the client hardware address (chaddr) in the DHCP packet, the Switch discards the packet. This prevents MAC address spoofing.
- Option 82 spoofing
  When a DHCP packet received on an untrusted port carries data in the Option 82 field, the Switch discards the packet. This prevents Option 82 spoofing.