
Dell EMC SmartFabric OS10 User Guide Release 10.5.0

DHCP snooping

DHCP snooping is a layer 2 security feature that lets a switch monitor DHCP messages exchanged between clients and servers, record the legitimate address assignments it sees, and block untrusted or rogue DHCP servers.

When you enable DHCP snooping on a switch, it begins monitoring transactions between trusted DHCP servers and DHCP clients and uses the information to build the DHCP snooping binding table. You configure interfaces that connect to DHCP servers as trusted interfaces. All other interfaces are untrusted by default.

The DHCP snooping binding table contains the following information:

  • Client IP addresses
  • Client MAC addresses
  • Interface facing the clients
  • Client VLAN
  • Lease time
  • DHCP binding type – static or dynamic

The switch treats DHCP servers connected to trusted interfaces as legitimate servers. When the switch receives a server-originated DHCP packet (OFFER, ACK, or NAK, sent from UDP source port 67 to the client port 68) on an untrusted interface, it drops the packet.

When the switch receives a DHCP renew, release, or decline message from a client on an untrusted interface, it looks the client up in the DHCP snooping binding table. If the client information in the message matches the table entry, the switch forwards the message to the DHCP server. If it does not match, the switch treats the sender as an unauthorized client and drops the packet.

The DHCP snooping switch removes a dynamically-learned DHCP snooping binding entry when one of the following occurs:

  • Lease expiry
  • DHCP RELEASE packet received from the client
  • DHCP DECLINE packet received from the client
  • User actions, such as DHCP clear or disabling DHCP snooping

You can add a static DHCP snooping binding entry using the CLI. If you add a static entry for a client, any dynamic entry that is present for the same client is overwritten. The switch does not remove static entries if it receives DHCP RELEASE or DHCP DECLINE packets.

By default, DHCP snooping is disabled globally and enabled on VLANs. For the DHCP snooping feature to work, enable it globally.

NOTE If you move a DHCP client from an untrusted interface to another untrusted interface within the VLAN, the DHCP snooping binding database is not updated. The switch drops subsequent packets from the client. However, if you move a DHCP client from an untrusted interface to a trusted interface, there is no impact to the traffic from the client.
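The rules described above (trusted versus untrusted interfaces, dynamic and static bindings, validation of renew, RELEASE and DECLINE messages, lease expiry, and the moved-client case in the NOTE) as a small Python model. This is an added, constructed example and not OS10 code: the Packet and Binding structures, the SnoopingSwitch class, the demo scenarios and the interface names are assumptions made for illustration. The model learns the client-facing interface from the ingress of the client's DISCOVER/REQUEST, which is how this example (not necessarily OS10) fills that column of the binding table.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

DHCP_SERVER_PORT = 67  # server-originated OFFER/ACK/NAK are sent from UDP source port 67
DHCP_CLIENT_PORT = 68  # client-originated DISCOVER/REQUEST/RELEASE/DECLINE are sent from port 68


@dataclass
class Packet:
    msg: str                   # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    mac: str                   # client hardware address (chaddr)
    vlan: int
    ingress: str               # interface the packet arrived on
    src_port: int              # UDP source port
    ip: Optional[str] = None   # yiaddr in an ACK; the client's address in renew/RELEASE/DECLINE
    lease: int = 0             # lease time in seconds, carried in an ACK


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str             # interface facing the client
    expires: int               # absolute time in seconds (ignored for static entries)
    static: bool = False


class SnoopingSwitch:
    """Per-packet forward/drop decision plus binding-table upkeep (hypothetical model)."""
    def __init__(self, trusted: Set[str], now: int = 0) -> None:
        self.trusted = set(trusted)
        self.now = now
        self.table: Dict[Tuple[str, int], Binding] = {}  # keyed by (mac, vlan)
        self._pending: Dict[Tuple[str, int], str] = {}   # client ingress seen on DISCOVER/REQUEST

    def add_static(self, ip: str, mac: str, vlan: int, interface: str) -> None:
        # A static entry replaces any dynamic entry for the same client.
        self.table[(mac, vlan)] = Binding(ip, mac, vlan, interface, 0, static=True)

    def tick(self, seconds: int) -> None:
        # Lease expiry removes dynamic entries only; static entries never age out.
        self.now += seconds
        for key in [k for k, b in self.table.items() if not b.static and b.expires <= self.now]:
            del self.table[key]

    def process(self, pkt: Packet) -> str:
        key = (pkt.mac, pkt.vlan)
        if pkt.src_port == DHCP_SERVER_PORT:
            if pkt.ingress not in self.trusted:
                return "drop"                 # server reply on an untrusted interface: rogue server
            if pkt.msg == "ACK" and pkt.ip is not None:
                client_if = self._pending.pop(key, None)
                current = self.table.get(key)
                # Learn a dynamic binding for a client seen on an untrusted port; never overwrite a static one.
                if client_if is not None and (current is None or not current.static):
                    self.table[key] = Binding(pkt.ip, pkt.mac, pkt.vlan, client_if, self.now + pkt.lease)
            return "forward"
        if pkt.ingress in self.trusted:
            return "forward"                  # clients on trusted interfaces are not checked
        bound = self.table.get(key)
        if bound is not None and bound.interface != pkt.ingress:
            return "drop"                     # client moved to another untrusted port (see NOTE)
        if pkt.msg in ("DISCOVER", "REQUEST"):
            self._pending[key] = pkt.ingress  # remember which interface faces this client
            if pkt.ip is None:                # initial DISCOVER/REQUEST: nothing to validate yet
                return "forward"
        # Renew (REQUEST with ciaddr), RELEASE and DECLINE must match an existing binding.
        if bound is None or bound.ip != pkt.ip:
            return "drop"
        if pkt.msg in ("RELEASE", "DECLINE") and not bound.static:
            del self.table[key]               # static entries survive RELEASE/DECLINE
        return "forward"


def demo() -> dict:
    """Replay the scenarios described in the text and return each decision."""
    sw = SnoopingSwitch(trusted={"ethernet1/1/2"})
    c1, c2, out = "00:04:96:70:8a:12", "00:04:96:70:8a:13", {}
    # Legitimate exchange: client on untrusted eth1/1/4, server behind trusted eth1/1/2.
    out["discover"] = sw.process(Packet("DISCOVER", c1, 100, "ethernet1/1/4", DHCP_CLIENT_PORT))
    out["ack"] = sw.process(Packet("ACK", c1, 100, "ethernet1/1/2", DHCP_SERVER_PORT, "100.1.1.2", 3600))
    out["binding_if"] = sw.table[(c1, 100)].interface
    # Rogue server answering from untrusted eth1/1/3.
    out["rogue_offer"] = sw.process(Packet("OFFER", c1, 100, "ethernet1/1/3", DHCP_SERVER_PORT, "100.1.1.99"))
    # Renew from the bound port is forwarded; the same renew after a move to eth1/1/5 is dropped.
    out["renew_ok"] = sw.process(Packet("REQUEST", c1, 100, "ethernet1/1/4", DHCP_CLIENT_PORT, "100.1.1.2"))
    out["renew_moved"] = sw.process(Packet("REQUEST", c1, 100, "ethernet1/1/5", DHCP_CLIENT_PORT, "100.1.1.2"))
    # A RELEASE for c1's address from a different MAC and port matches no binding.
    out["spoofed_release"] = sw.process(Packet("RELEASE", "00:04:96:70:8a:99", 100, "ethernet1/1/5", DHCP_CLIENT_PORT, "100.1.1.2"))
    # A second client with a 60 s lease ages out once the lease lapses.
    sw.process(Packet("DISCOVER", c2, 100, "ethernet1/1/6", DHCP_CLIENT_PORT))
    sw.process(Packet("ACK", c2, 100, "ethernet1/1/2", DHCP_SERVER_PORT, "100.1.1.3", 60))
    sw.tick(61)
    out["dynamic_expired"] = (c2, 100) not in sw.table
    # A static entry for c1 replaces its dynamic one and survives both RELEASE and lease expiry.
    sw.add_static("100.1.1.2", c1, 100, "ethernet1/1/4")
    out["release"] = sw.process(Packet("RELEASE", c1, 100, "ethernet1/1/4", DHCP_CLIENT_PORT, "100.1.1.2"))
    sw.tick(7200)
    out["static_kept"] = (c1, 100) in sw.table and sw.table[(c1, 100)].static
    return out
```

The two drops worth noting are the renew from ethernet1/1/5 and the spoofed RELEASE: the first is the NOTE's moved-client case, the second is why the binding table protects clients from having their leases released by another host on the segment.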

Restrictions for DHCP snooping

  • The management VLAN does not support DHCP snooping.
  • VxLAN bridges do not support DHCP snooping.
  • The maximum number of supported DHCP snooping binding entries is 4000.
  • OS10 does not support multi-hop DHCP snooping.
  • DHCP snooping relies on DHCP option 82 (RFC 3046). For the feature to work correctly, the DHCP server must support option 82 and have it enabled.

Rogue DHCP server detection

In the following topology, a trusted DHCP server, a DHCP client, and a rogue DHCP server are connected to the DHCP snooping switch. The DHCP client and DHCP server are on the same VLAN. The physical interface eth 1/1/2 is a trusted interface. When the rogue DHCP server sends a DHCP packet to the client, the switch inspects the packet. Because the rogue server is connected to the untrusted interface eth 1/1/3, the switch deems it a rogue DHCP server and drops the packet.

Figure: Rogue DHCP server detection

DHCP snooping with DHCP relay

In the following topology, the DHCP snooping switch is the DHCP relay agent for DHCP clients on VLAN 100. The DHCP server is reachable on VLAN 200 through eth 1/1/2. The switch relays the client DHCP messages to the trusted DHCP server and inspects the DHCP packets from the server before forwarding them to the DHCP clients. Because the rogue server is connected to the untrusted interface eth 1/1/3, the switch drops DHCP packets received on that interface.

Figure: DHCP snooping with DHCP relay

DHCP snooping in a VLT environment

OS10 supports DHCP snooping in a VLT environment. DHCP snooping switches in a VLT topology synchronize their DHCP snooping binding tables with each other. The system treats the VLTi link between VLT peers as a trusted interface. To configure DHCP snooping in a VLT environment:

  • Enable DHCP snooping on both VLT peers.
  • Configure the VLT port-channel interfaces facing the DHCP server as trusted interfaces.

In the following VLT topology, AGG1 and AGG2 are VLT peers with VLT port-channel interfaces connected to the VM server and to the Core switch. The DHCP server is reachable through the Core switch. DHCP snooping in this VLT environment works as follows:

  • One of the VLT peers receives a DHCP client packet from a DHCP client on the VM server through the VLT port-channel interface and processes it.
  • That VLT peer forwards the DHCP client packet to the Core switch through the VLT port-channel interface.
  • The Core switch forwards the DHCP reply from the DHCP server to one of the VLT peers, which processes the packet.
  • If the DHCP reply is from a trusted DHCP server, the VLT peer forwards it to the DHCP client on the VM server.
  • The VLT peers synchronize the DHCP snooping binding table.

Figure: DHCP snooping with VLT

Enable and configure DHCP snooping globally

  1. Enable DHCP snooping globally in CONFIGURATION mode.

    ip dhcp snooping
  2. Specify physical or port-channel interfaces that have connections towards DHCP servers as trusted in INTERFACE mode.

    ip dhcp snooping trust

Add static DHCP snooping entry in the binding table

  • Add a static DHCP snooping entry in the binding table in CONFIGURATION mode.

    ip dhcp snooping binding mac mac-address vlan vlan-id ip ip-address interface [ethernet slot/port/sub-port | port-channel port-channel-id | VLTi]

Example of adding static DHCP snooping entry

OS10(config)# ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.2 interface ethernet 1/1/4

Remove static DHCP snooping entry from the binding table

  • Remove a static DHCP snooping entry from the binding table in CONFIGURATION mode.

    no ip dhcp snooping binding mac mac-address vlan vlan-id interface [ethernet slot/port/sub-port | port-channel port-channel-id]

Example for removing static DHCP snooping entry in the binding table

OS10(config)# no ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.2 interface ethernet 1/1/4

Clear dynamically-learned entries from DHCP snooping binding table

  • Use the following command in EXEC mode:

    clear ip dhcp snooping binding [mac mac-address] [vlan vlan-id] [interface {ethernet slot/port/sub-port | port-channel port-channel-id}]

    CAUTION Clearing the DHCP snooping binding table using the clear ip dhcp snooping binding command also clears the Source Address Validation (SAV) and Dynamic ARP Inspection (DAI) entries on the system. This affects the traffic from clients that are connected to the DHCP snooping-enabled VLANs.

Example for clearing dynamically-learned entries from DHCP snooping binding table

The following example clears all dynamic DHCP snooping binding entries that are associated with the MAC address 04:56:79:86:73:fe:

OS10# clear ip dhcp snooping binding mac 04:56:79:86:73:fe

The following example clears all dynamic DHCP snooping binding entries that are associated with VLAN 100:

OS10# clear ip dhcp snooping binding vlan 100

The following example clears all the dynamic DHCP snooping binding entries that are associated with VLAN 100 with MAC address 04:56:79:86:73:fe on port-channel 10:

OS10# clear ip dhcp snooping binding mac 04:56:79:86:73:fe vlan 100 port-channel 10

View contents of DHCP binding table

  • Use the following command in EXEC mode:

    show ip dhcp snooping binding [vlan vlan-name]

Example for viewing contents of DHCP binding table

OS10# show ip dhcp snooping binding
Codes :  S - Static D - Dynamic
IPv4 Address    MAC Address          Expires(Sec)  Type  VLAN   Interface
=========================================================================
10.1.1.22       11:22:11:22:11:22    120331        S     100    ethernet1/1/4
33.1.1.44       11:22:11:22:11:23    120331        S     200    port-channel100
103.1.1.5       11:22:11:22:11:24    120331        D     300    ethernet1/1/5:4
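A parser and audit for the show ip dhcp snooping binding output, as an added example that is not part of the OS10 documentation or product. The sample output is constructed to match the format shown above (two rows were added beyond the documented example to exercise the checks); the parse_bindings and audit functions, the 300-second expiry window and the 80 percent capacity warning are assumptions, while the 4000-entry limit comes from the restrictions listed earlier on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

MAX_BINDINGS = 4000  # platform limit stated in the restrictions above

# Constructed sample in the format of show ip dhcp snooping binding (not captured from a switch).
SAMPLE = """\
Codes :  S - Static D - Dynamic
IPv4 Address    MAC Address          Expires(Sec)  Type  VLAN   Interface
=========================================================================
10.1.1.22       11:22:11:22:11:22    120331        S     100    ethernet1/1/4
33.1.1.44       11:22:11:22:11:23    120331        S     200    port-channel100
103.1.1.5       11:22:11:22:11:24    120331        D     300    ethernet1/1/5:4
103.1.1.6       11:22:11:22:11:25    45            D     300    ethernet1/1/6
103.1.1.5       11:22:11:22:11:26    200           D     300    ethernet1/1/7
"""

# One data row: address, MAC, remaining lease, S/D code, VLAN, interface name.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<expires>\d+)\s+(?P<type>[SD])\s+(?P<vlan>\d+)\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Binding:
    ip: str
    mac: str
    expires: int
    static: bool
    vlan: int
    iface: str


def parse_bindings(text: str) -> List[Binding]:
    """Return one Binding per data row; the legend, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Binding(m["ip"], m["mac"].lower(), int(m["expires"]),
                                m["type"].upper() == "S", int(m["vlan"]), m["iface"]))
    return rows


def audit(bindings: List[Binding], expiring_within: int = 300, warn_fraction: float = 0.8) -> Dict:
    """Operational checks on the table: capacity, leases about to lapse, conflicting addresses."""
    macs_per_address: Dict[tuple, set] = {}
    for b in bindings:
        macs_per_address.setdefault((b.ip, b.vlan), set()).add(b.mac)
    return {
        "total": len(bindings),
        "static": sum(b.static for b in bindings),
        "dynamic": sum(not b.static for b in bindings),
        "capacity_pct": round(100 * len(bindings) / MAX_BINDINGS, 3),
        # near the 4000-entry limit, new clients cannot get a binding and their traffic is dropped
        "near_capacity": len(bindings) >= warn_fraction * MAX_BINDINGS,
        # dynamic leases about to lapse: the client loses its binding unless it renews in time
        "expiring_soon": [b.ip for b in bindings if not b.static and b.expires <= expiring_within],
        # one address bound to several MACs in a VLAN: an address conflict or a stale static entry
        "conflicting_ips": sorted(ip for (ip, _vlan), macs in macs_per_address.items() if len(macs) > 1),
    }
```

Run it against the real command output by piping the show output into parse_bindings; the conflicting_ips check is the one to act on first, since it usually means a static entry left behind after the address was reassigned.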
