DHCP Snooping
DHCP snooping on Junos OS device validates DHCP messages and drops invalid traffic. You can configure how DHCP relay agent handles DHCP snooped packets. Depending on the configuration, DHCP relay agent either forwards or drops the snooped packets it receives. For more information, read this topic.
DHCP Snooping Support
DHCP snooping provides additional security by identifying the incoming DHCP packets and rejecting DHCP traffic determined to be unacceptable from untrusted devices in the network.
What is DHCP Snooping
DHCP allocates IP addresses dynamically, leasing addresses to devices so that the addresses can be reused when they are no longer needed by the devices to which they were assigned. Hosts and end devices that require IP addresses obtained through DHCP must communicate with a DHCP server across the LAN.
DHCP snooping looks into incoming DHCP packets and examines DHCP messages. It extracts their IP addresses and lease information allocated to clients and builds up a database. Using this database, it can determine if the packets arriving are from the valid clients—that is—the IP addresses of the clients was assigned by the DHCP server. In this way, DHCP snooping acts as a guardian of network security by keeping track of valid IP addresses assigned to downstream network devices by a trusted DHCP server (the server is connected to a trusted network port).
Benefits of DHCP Snooping
DHCP snooping provides an extra layer of security via dynamic IP source filtering.
DHCP snooping can prevent rogue DHCP activity in the network by filtering out DHCP packets that are arriving on the wrong ports, or with incorrect contents.
Activating DHCP Snooping
When you are using the DHCP snooping feature, it is important that you understand about enabling the DHCP snooping feature.
On Junos OS device, you cannot configure DHCP snooping feature as an independent feature. Whenever you configure DHCP security or DHCP relay or DHCP server for a specific VLAN or interface or routing instance of the device, the DHCP snooping is automatically enabled on that VLAN/interface/routing instance to perform it’s task.
For example:
- When you enable DHCP Relay on a given list of interfaces of a specific routing instance
- DHCP snooping gets automatically enabled on those interfaces for that routing instance.
- When you enable DHCP security on a specific VLAN, DHCP snooping gets automatically enabled on that VLAN.
Junos OS enables DHCP snooping on a switch/router/firewall in:
-
A routing instance when you configure the following options in that routing instance:
dhcp-relaystatement at the [edit forwarding-options] hierarchy level.dhcp-local-serverstatement at the [edit system services] hierarchy level.
-
A switch when you configure the following option for any port security features:
dhcp-securitystatement at the [edit vlans vlan-name forwarding-options] hierarchy level.
If you need to configure DHCP relay, use the forward-only
statement unless you need subscriber management or class-of-service (CoS).
We recommend you read the DHCP documentation and use a lab with DHCP traceoptions enabled to check and understand the configuration.
Configuring DHCP Snooping
In the default DHCP snooping configuration, all traffic is snooped.
On Junos OS device, DHCP snooping is enabled in a routing instance when you configure the following options in that routing instance:
dhcp-relaystatement at the[edit forwarding-options]hierarchy leveldhcp-local-serverstatement at the[edit system services]hierarchy levelYou can optionally use the
forward-snooped-clientsstatement to evaluate the snooped traffic and to determine if the traffic is forwarded or dropped, based on whether or not the interface is configured as part of a group.
The router discards snooped packets by default if there is no
subscriber associated with the packet. To enable normal processing
of snooped packets, you must explicitly configure the allow-snooped-clients statement at the [edit forwarding-options dhcp-relay] hierarchy level.
You can configure DHCP snooping support for a specific routing instance for the following:
DHCPv4 relay agent—Override the router’s (or switch’s) default snooping configuration and specify that DHCP snooping is enabled or disabled globally, for a named group of interfaces, or for a specific interface within a named group.
In a separate procedure, you can set a global configuration to specify whether the DHCPv4 relay agent forwards or drops snooped packets for all interfaces, only configured interfaces, or only nonconfigured interfaces. The router also uses the global DHCP relay agent snooping configuration to determine whether to forward or drop snooped BOOTREPLY packets. A renew request may be unicast directly to the DHCP server. This is a BOOTPREQUEST packet and is snooped.
DHCPv6 relay agent—As you can with snooping support for the DHCPv4 relay agent, you can override the default DHCPv6 relay agent snooping configuration on the router to explicitly enable or disable snooping support globally, for a named group of interfaces, or for a specific interface with a named group of interfaces.
In multi-relay topologies where more than one DHCPv6 relay agent is between the DHCPv6 client and the DHCPv6 server, snooping enables intervening DHCPv6 relay agents between the client and the server to correctly receive and process the unicast traffic from the client and forward it to the server. The DHCPv6 relay agent snoops incoming unicast DHCPv6 packets by setting up a filter with UDP port 547 (the DHCPv6 UDP server port) on a per-forwarding table basis. The DHCPv6 relay agent then processes the packets intercepted by the filter and forwards the packets to the DHCPv6 server.
Unlike the DHCPv4 relay agent, the DHCPv6 relay agent does not support global configuration of forwarding support for DHCPv6 snooped packets.
DHCP local server—Configure whether DHCP local server forwards or drops snooped packets for all interfaces, only configured interfaces, or only nonconfigured interfaces.
You can also disable snooping filters. In the preceding configurations, all DHCP traffic is forwarded to the slower routing plane of the routing instance before it is either forwarded or dropped. Disabling snooping filters causes DHCP traffic that can be forwarded directly from the faster hardware control plane to bypass the routing control plane.
Example: Configuring DHCP Snooping Support for DHCP Relay Agent
This example shows how to configure DHCP snooping support for DHCP relay agent.
Requirements
Configure DHCP relay agent. See Extended DHCP Relay Agent Overview.
Overview
In this example, you configure DHCP snooping support for DHCP relay agent by completing the following operations:
Override the default DHCP snooping configuration and enable DHCP snooping support for the interfaces in group frankfurt.
Configure DHCP relay agent to forward snooped packets to only configured interfaces.
Configuration
Procedure
Step-by-Step Procedure
To configure DHCP relay support for DHCP snooping:
Specify that you want to configure DHCP relay agent.
[edit] user@host# edit forwarding-options dhcp-relay
Specify the named group of interfaces on which DHCP snooping is supported.
[edit forwarding-options dhcp-relay] user@host# edit group frankfurt
Specify the interfaces that you want to include in the group. DHCP relay agent considers these as the configured interfaces when determining whether to forward or drop traffic.
[edit forwarding-options dhcp-relay group frankfurt] user@host# set interface fe-1/0/1.3 upto fe-1/0/1.9
Specify that you want to override the default configuration for the group.
[edit forwarding-options dhcp-relay group frankfurt] user@host# edit overrides
Enable DHCP snooping support for the group.
[edit forwarding-options dhcp-relay group frankfurt overrides] user@host# set allow-snooped-clients
Return to the
[edit forwarding-options dhcp-relay]hierarchy level to configure the forwarding action and specify that DHCP relay agent forward snooped packets on only configured interfaces:[edit forwarding-options dhcp-relay group frankfurt overrides] user@host# up 2
Enable DHCP snooped packet forwarding for DHCP relay agent.
[edit forwarding-options dhcp-relay] user@host# edit forward-snooped-clients
Specify that snooped packets are forwarded on only configured interfaces (the interfaces in group
frankfurt).[edit forwarding-options dhcp-relay forward-snooped-clients] user@host# set configured-interfaces
Results
From configuration mode, confirm your configuration
by entering the show forwarding-options command. If the
output does not display the intended configuration, repeat the instructions
in this example to correct it. The following output also shows a range
of configured interfaces in group frankfurt.
[edit]
user@host# show forwarding-options
dhcp-relay {
forward-snooped-clients configured-interfaces;
group frankfurt {
overrides {
allow-snooped-clients;
}
interface fe-1/0/1.3 {
upto fe-1/0/1.9;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring DHCP Snooped Packets Forwarding Support for DHCP Relay Agent
You can configure how DHCP relay agent handles DHCP snooped packets. Depending on the configuration, DHCP relay agent either forwards or drops the snooped packets it receives.
DHCP relay uses a two-part configuration to determine how to
handle DHCP snooped packets. This topic describes how you use the forward-snooped-clients statement to manage whether DHCP relay agent forwards or drops
snooped packets, depending on the type of interface on which the packets
are snooped. In the other part of the DHCP relay agent snooping configuration,
you enable or disable the DHCP relay snooping feature.
Table 1 shows the
action the router or switch takes on snooped packets when DHCP snooping
is enabled by the allow-snooped-clients statement.
The router or switch also uses the configuration of the DHCP relay agent forwarding support to determine how to handle snooped BOOTREPLY packets.
forward-snooped-clients Configuration |
Action on Configured Interfaces |
Action on Non-Configured Interfaces |
|---|---|---|
|
snooped packets result in subscriber (DHCP client) creation |
dropped |
|
forwarded |
forwarded |
|
forwarded |
dropped |
|
snooped packets result in subscriber (DHCP client) creation |
forwarded |
Table 2 shows the
action the router (or switch) takes on snooped packets when DHCP snooping
is disabled by the no-allow-snooped-clients statement.
forward-snooped-clients Configuration |
Action on Configured Interfaces |
Action on Non-Configured Interfaces |
|---|---|---|
|
dropped |
dropped |
|
dropped |
forwarded |
|
dropped |
dropped |
|
dropped |
forwarded |
Table 3 shows the action the router (or switch) takes for the snooped BOOTREPLY packets.
forward-snooped-clients Configuration |
Action |
|---|---|
|
snooped BOOTREPLY packets dropped if client is not found |
|
snooped BOOTREPLY packets forwarded if client is not found |
Configured interfaces have been configured with the group statement in the [edit forwarding-options
dhcp-relay] hierarchy. Non-configured interfaces are in the
logical system/routing instance but have not been configured by the group statement.
To configure DHCP snooped packet forwarding and BOOTREPLY snooped packet forwarding for DHCP relay agent:
For example, to configure DHCP relay agent to forward DHCP snooped packets on only configured interfaces:
[edit]
forwarding-options {
dhcp-relay {
forward-snooped-clients configured-interfaces;
}
}