12.1.2 Monitoring DHCP Packets

<Structure of this section>

(1) Port type

DHCP snooping categorizes ports as follows when it monitors DHCP packets:

Trusted port

A port is trusted when a trusted terminal is connected to it, such as DHCP servers and department servers.
Untrusted port

A port is untrusted when an untrusted terminal is connected to it, such as DHCP clients.

Do not connect DHCP servers to untrusted ports.

The following figure shows the two port categories used when dynamic ARP inspection is enabled and an example of devices connected to such ports.

Figure 12-2: Port types

When you use the ip dhcp snooping configuration command to enable DHCP snooping, all the ports become untrusted by default. Set the port to which a DHCP server is connected as a trusted port. To do so, use the ip dhcp snooping trust configuration command.

Note that DHCP snooping monitors the VLANs that have been set by using the ip dhcp snooping vlan configuration command.

(2) Learning terminal information

The following figure provides an overview of how the Switch learns terminal information.

Figure 12-3: Overview of terminal information learning operations

The switch monitors the packets received on the trusted port from the DHCP server. When the DHCP server distributes an IP address, the switch registers the terminal information in the binding database. The target of registration in the binding database is the terminal data of the terminal connected to untrust.

The switch also monitors the request for release of packets received on the untrusted port from the DHCP client. When the DHCP client issues an IP address, the switch deletes the terminal information from the binding database.

Two methods are available for registering information in a binding database:

Dynamic registration

The switch registers terminal information when an IP address is distributed from a DHCP server.

Usually, the Switch use dynamic registration to register terminal information.
Static registration

You can use the ip source binding configuration command to register terminal information.

You usually use static registration to connect a server (such as a department server) with a fixed IP address to an untrusted port. You can permit communication by statically registering terminal information in the binding database.

The following table describes the types of terminal information that are registered in a binding database.

Table 12-2: Terminal information to be registered in the binding database
Item	Dynamic registration	Static registration
Terminal MAC address.	MAC address of a DHCP client	MAC address of a terminal with a fixed IP address
Terminal IP address	IP address distributed by the DHCP server	IP address of a terminal with a fixed IP address
Terminal IP address	The addresses in the following ranges are available: 1.0.0.0 ~ 126.255.255.255 128.0.0.0 ~ 223.255.255.255
VLAN containing the terminal	ID of the VLAN containing the port or channel group to which the terminal is connected
Number of the port to which the terminal is connected	Number of the port or channel group to which the terminal is connected
Aging time	Length of time until an entry is deleted due to aging. The lease time of the IP address distributed by the DHCP server is used for this item.	Aging is not applicable.

(3) Saving the binding database

Use configuration commands to save a binding database and to restore it when the Switch is restarted.

(a) Conditions for Saving Binding Databases

To save a binding database, use the ip dhcp snooping database url configuration command.

The saving of the binding database starts when the save delay time in the configuration information expires.

(b) Save when write wait time expires

The save delay time refers to the period of time between the point at which saving of the binding database is specified (called a save event) and the point at which saving of the binding database actually starts at the save location. The save delay timer starts when one of the following save events occurs and the saving of the binding database to the specified save location starts when the timer expires:

When terminal information is dynamically registered, updated, or deleted in a binding database
When the ip dhcp snooping database url configuration command is specified (includes a change of save location)
When the clear ip dhcp snooping binding operation command is executed

To set the save delay time, use the ip dhcp snooping database write-delay configuration command.

When the save delay timer starts due to a save event, the timer does not stop until it expires. Even if terminal information is registered, updated, or deleted in the binding database before the timer expires, the timer will not be restarted.

The following figure shows the relationship between save events and the save delay time. In this figure, the save event is the registration of terminal information in the binding database.

Figure 12-4: Relationship between save timing and write wait time

(c) Binding Database Destination

As the save location for the binding database, you can select either internal flash memory or an external memory card. To set the save location, use the ip dhcp snooping database url configuration command.

The items that are saved are all the entries in the binding database that exist at the time of the current write operation. The saved items will be overwritten by the next write operation.

(d) Restoring a Saved Binding Database

The saved binding database is restored when the Switch is started. The database will be restored only if both of the following conditions are met when the switch is started:

The save location has been set by using the ip dhcp snooping database url configuration command.
If the save location is an external memory card, the applicable card has been inserted.

(4) Inspecting DHCP Packets

The following figure provides an overview of DHCP packet inspection.

Figure 12-5: Outline of DHCP Packet-Inspection Operation

The switch monitors the DHCP packets from terminals that are connected to untrusted ports to prevent the following:

Untrusted DHCP servers from distributing IP addresses

When the Switch receives a DHCP packet on an untrusted port from an untrusted DHCP server, the switch discards the DHCP packet, which prevents untrusted DHCP servers from distributing IP addresses.
Prevents untrusted DHCP clients from releasing IP addresses

When the Switch receives an IP address release request on an untrusted port from a terminal that is not registered in the binding database, the Switch discards the DHCP packet, which prevents the release of IP addresses from terminals that are given IP addresses by illegitimate DHCP servers.

Similarly, when the Switch receives an IP address redundancy detection report, lease time update, or request for optional information, the Switch discards the DHCP packet, which prevents untrusted DHCP clients from illegally releasing IP addresses, acquiring IP addresses, or acquiring optional information.
Prevents MAC address spoofing

When the source MAC address in a DHCP packet received on an untrusted port does not match the client hardware address (chaddr) in the DHCP packet, the Switch discards the DHCP packet, which prevents MAC address spoofing.
Prevents Option 82 spoofing

When data is added in the Option 82 field in a DHCP packet received on an untrusted port, the Switch drops the DHCP packet, which prevents Option 82 spoofing.