
Understanding DHCP Snooping for Port Security on EX-series Switches

DHCP snooping allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. When DHCP snooping is enabled, the system builds and maintains a database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping database.

DHCP Snooping Basics

Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically, “leasing” addresses to devices so that the addresses can be reused when no longer needed. Hosts and end devices that require IP addresses obtained through DHCP must communicate with a DHCP server across the LAN. JUNOS for EX-series software provides the option to apply all access-port security features by VLAN or by port (interface).

DHCP snooping acts as a guardian of network security by keeping track of valid IP addresses assigned to downstream network devices by a trusted DHCP server (the server is connected to a trusted network port).

DHCP snooping reads the lease information from the switch (which is a DHCP client) and from this information creates the DHCP snooping database. The database maps each VLAN-MAC address pair to the IP address leased to that device.

When a DHCP client releases an IP address (sends a DHCPRELEASE message), the associated mapping entry is deleted from the database.

You can configure the switch to snoop DHCP server responses only from particular VLANs. Doing this prevents spoofing of DHCP server messages.

By default, all trunk ports on the switch are trusted and all access ports are untrusted for DHCP snooping. You can modify these defaults on each of the switch's interfaces.

You configure DHCP snooping for each VLAN, not for each interface (port). By default, DHCP snooping is disabled for all VLANs.

If you move a network device from one VLAN to another, typically the device has to acquire a new IP address, so its entry in the database, including the VLAN ID, is updated.

The Ethernet switching process, ESWD, maintains the timeout (lease time) value for each IP-MAC binding in its database. The lease time is assigned by the DHCP server. The software reads the DHCP messages to obtain the lease time and deletes the associated entry from the database when the lease time expires.

If the switch is rebooted, DHCP bindings are lost. The DHCP clients (the network devices, or hosts) must reacquire the bindings.

DHCP Snooping Process

The basic process of DHCP snooping is shown in Figure 1.

Figure 1: DHCP Snooping


For general information about the messages that the DHCP client and DHCP server exchange during the assignment of an IP address for the client, see the JUNOS Software System Basics Configuration Guide at https://www.juniper.net/techpubs/software/junos/junos92/index.html.

DHCP Server Access

The DHCP server can be connected to the switch in one of two ways:

  • The server is connected directly to the same switch as the DHCP clients (the hosts, or network devices, that request IP addresses from the server). You must configure the port that connects the server to the switch as a trusted port.
  • The server is directly connected to a switch that is itself directly connected through a trunk port to the switch that the DHCP clients are connected to. The trunk port is configured by default as a trusted port. The switch that the DHCP server is connected to is not configured for DHCP snooping.

In both scenarios, the server and clients are members of the same VLAN.

Figure 2 shows the DHCP server connected directly to the switch.

Figure 2: DHCP Server Connected to Switch


DHCP Snooping Table

The software creates a DHCP snooping information table that displays the content of the DHCP snooping database. The table shows current MAC address-IP address bindings, as well as lease time, type of binding, names of associated VLANs, and associated interface. To view the table, type show dhcp snooping binding at the operational mode prompt:


user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address        IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77  192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19   720              dynamic  employee  ge-0/0/2.0

Note: If DHCP leases are sent from a DHCP server that is local (on the switch itself) or on a VLAN other than the one the DHCP client is on, those entries in the DHCP snooping table will be incorrect. They might display the interface as unknown (shown as “unknown” in the Interface column) or show the lease as unknown or unleased (both are represented by a dash, “–”, in the Lease column).
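The following is an added example, not Juniper code or output from a real switch: it parses the text of show dhcp snooping binding into records and flags the entries the note above describes (interface shown as unknown, or a dash in the Lease column on a dynamic entry). The sample table is constructed in the page's layout; the last two rows are made up to exercise the checks, and the assumption that a static entry displays its missing lease as a dash is this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of `show dhcp snooping binding`. The third row
# models a lease that came from a server on another VLAN (interface unknown, lease
# shown as a dash); the fourth models a static entry (assumed to show a dash, since
# the page says static entries carry no lease time).
SAMPLE_OUTPUT = """\
DHCP Snooping Information:
MAC address        IP address   Lease (seconds)  Type     VLAN      Interface

00:05:85:3A:82:77  192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19   -                dynamic  employee  unknown
00:05:85:3A:82:81  192.0.2.20   -                static   employee  ge-0/0/2.0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


@dataclass
class BindingRow:
    mac: str
    ip: str
    lease: Optional[int]   # None when the column shows a dash
    kind: str              # "dynamic" or "static"
    vlan: str
    interface: str


def parse_binding_table(text: str) -> List[BindingRow]:
    """Turn the command output into BindingRow records, skipping header and blank lines."""
    rows: List[BindingRow] = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly six columns and starts with a MAC address.
        if len(fields) != 6 or not MAC_RE.match(fields[0]):
            continue
        mac, ip, lease, kind, vlan, iface = fields
        lease_val = None if lease in ("-", "\u2013") else int(lease)
        rows.append(BindingRow(mac, ip, lease_val, kind, vlan, iface))
    return rows


def find_anomalies(rows: List[BindingRow]) -> List[BindingRow]:
    """Entries the note says are incorrect: unknown interface, or a dynamic entry
    with no lease. Static entries legitimately have no lease and are not flagged."""
    return [r for r in rows
            if r.interface == "unknown" or (r.kind == "dynamic" and r.lease is None)]


def index_by_vlan_mac(rows: List[BindingRow]) -> Dict[Tuple[str, str], str]:
    """The database's own key: (VLAN, MAC) -> IP address."""
    return {(r.vlan, r.mac): r.ip for r in rows}


if __name__ == "__main__":
    parsed = parse_binding_table(SAMPLE_OUTPUT)
    for row in find_anomalies(parsed):
        print("suspect binding:", row)
```

Running this against the constructed sample reports only the 00:05:85:3A:82:80 row; the static row's missing lease is treated as expected.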

Static IP Address Additions to the DHCP Snooping Database

You can add specific static IP addresses to the database as well as have the addresses dynamically assigned through DHCP snooping. To add static IP addresses, you supply the IP address, the MAC address of the device, the interface on which the device is connected, and the VLAN with which the interface is associated. No lease time is assigned to the entry. The statically configured entry never expires.
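As an added example (not Juniper code), the model below ties together the behaviour described in the DHCP Snooping Basics, DHCP Server Access and static-entry sections: trunk ports trusted and access ports untrusted by default, snooping enabled per VLAN, server replies arriving on untrusted ports dropped, a binding keyed by VLAN-MAC pair created from a DHCPACK with the server's lease time, the entry deleted on DHCPRELEASE or lease expiry, and static entries that carry no lease and never expire. The interface names, MAC addresses, addresses and lease values are constructed; the way the model remembers a client's port from its DHCPDISCOVER/DHCPREQUEST, and its treatment of a client that moves VLAN (old entry dropped when the new lease arrives), are this example's own assumptions about the mechanism.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # replies only a server sends


@dataclass
class Binding:
    ip: str
    interface: str
    kind: str                     # "dynamic" (learned from a lease) or "static"
    expires_at: Optional[float]   # lease expiry; None for static entries, which never expire


class DhcpSnoopingDb:
    """Binding database keyed by (VLAN, MAC) pair, as the text describes."""

    def __init__(self) -> None:
        self.snooping_vlans: set = set()                 # snooping is per VLAN, off by default
        self.trusted: Dict[str, bool] = {}               # interface -> trusted for DHCP snooping
        self.bindings: Dict[Tuple[str, str], Binding] = {}
        self.pending: Dict[Tuple[str, str], str] = {}    # (vlan, mac) -> port the client asked on
        self.dropped: List[dict] = []                    # server replies seen on untrusted ports

    def add_interface(self, name: str, mode: str) -> None:
        self.trusted[name] = (mode == "trunk")   # default: trunk trusted, access untrusted

    def set_trusted(self, name: str, trusted: bool) -> None:
        self.trusted[name] = trusted             # e.g. the access port a DHCP server sits on

    def enable_snooping(self, vlan: str) -> None:
        self.snooping_vlans.add(vlan)

    def add_static(self, vlan: str, mac: str, ip: str, interface: str) -> None:
        # Static entries carry no lease time and are never purged.
        self.bindings[(vlan, mac)] = Binding(ip, interface, "static", None)

    def process(self, msg: dict, now: float) -> str:
        """Inspect one DHCP message; returns "forwarded" or "dropped".
        msg keys: type, vlan, interface (ingress port), mac; server replies add ip, lease."""
        vlan, mac, mtype = msg["vlan"], msg["mac"], msg["type"]
        if vlan not in self.snooping_vlans:
            return "forwarded"                   # VLAN not snooped: nothing is inspected
        key = (vlan, mac)
        if mtype in SERVER_MESSAGES:
            if not self.trusted.get(msg["interface"], False):
                self.dropped.append(msg)         # server reply on untrusted port: spoofed server
                return "dropped"
            if mtype == "DHCPACK":
                client_port = self.pending.pop(key, None)
                if client_port is not None:
                    # Device that moved VLAN gets a new lease; drop its entry under the old VLAN.
                    for old in [k for k in self.bindings if k[1] == mac and k[0] != vlan]:
                        del self.bindings[old]
                    self.bindings[key] = Binding(msg["ip"], client_port, "dynamic",
                                                 now + msg["lease"])
            return "forwarded"
        if mtype in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = msg["interface"]  # remember where the client is attached
        elif mtype == "DHCPRELEASE":
            entry = self.bindings.get(key)
            if entry is not None and entry.kind == "dynamic":
                del self.bindings[key]           # release deletes the mapping
        return "forwarded"

    def purge_expired(self, now: float) -> int:
        """Delete dynamic entries whose lease has run out; returns how many were removed."""
        expired = [k for k, b in self.bindings.items()
                   if b.expires_at is not None and b.expires_at <= now]
        for k in expired:
            del self.bindings[k]
        return len(expired)

    def lookup(self, vlan: str, mac: str) -> Optional[Binding]:
        return self.bindings.get((vlan, mac))


def run_scenario() -> DhcpSnoopingDb:
    """Constructed walkthrough of the page's second topology: the real server is reached
    over the trunk, and a host on an access port starts answering as a DHCP server."""
    db = DhcpSnoopingDb()
    db.add_interface("ge-0/0/1.0", "access")     # DHCP client
    db.add_interface("ge-0/0/2.0", "access")     # host answering as a rogue server
    db.add_interface("ge-0/0/10.0", "trunk")     # uplink to the switch the real server is on
    db.enable_snooping("employee")
    client = "00:05:85:3a:82:77"
    db.process({"type": "DHCPDISCOVER", "vlan": "employee", "interface": "ge-0/0/1.0",
                "mac": client}, now=0)
    db.process({"type": "DHCPOFFER", "vlan": "employee", "interface": "ge-0/0/2.0",
                "mac": client, "ip": "192.0.2.99", "lease": 600}, now=1)   # dropped
    db.process({"type": "DHCPREQUEST", "vlan": "employee", "interface": "ge-0/0/1.0",
                "mac": client}, now=2)
    db.process({"type": "DHCPACK", "vlan": "employee", "interface": "ge-0/0/10.0",
                "mac": client, "ip": "192.0.2.17", "lease": 600}, now=3)   # binding created
    db.add_static("employee", "00:05:85:3a:82:80", "192.0.2.19", "ge-0/0/2.0")
    return db


if __name__ == "__main__":
    result = run_scenario()
    for (vlan, mac), b in result.bindings.items():
        print(mac, b.ip, b.expires_at, b.kind, vlan, b.interface)
    print("dropped server replies:", len(result.dropped))
```

In the scenario the rogue DHCPOFFER on ge-0/0/2.0 is counted in `dropped`, the DHCPACK over the trunk produces a dynamic binding that `purge_expired` removes once the 600-second lease has elapsed, and the static entry survives every purge.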
