Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

DHCP Snooping for Network Security

DHCP Snooping Support

DHCP snooping provides additional security by identifying the incoming DHCP packets and rejecting DHCP traffic determined to be unacceptable from untrusted devices in the network.

What is DHCP Snooping

DHCP allocates IP addresses dynamically, leasing addresses to devices so that the addresses can be reused when they are no longer needed by the devices to which they were assigned. Hosts and end devices that require IP addresses obtained through DHCP must communicate with a DHCP server across the LAN.

DHCP snooping looks into incoming DHCP packets and examines DHCP messages. It extracts their IP addresses and lease information allocated to clients and builds up a database. Using this database, it can determine if the packets arriving are from the valid clients—that is—the IP addresses of the clients was assigned by the DHCP server. In this way, DHCP snooping acts as a guardian of network security by keeping track of valid IP addresses assigned to downstream network devices by a trusted DHCP server (the server is connected to a trusted network port).

Benefits of DHCP Snooping

  • DHCP snooping provides an extra layer of security via dynamic IP source filtering.

  • DHCP snooping can prevent rogue DHCP activity in the network by filtering out DHCP packets that are arriving on the wrong ports, or with incorrect contents.

Activating DHCP Snooping

When you are using the DHCP snooping feature, it is important that you understand about enabling the DHCP snooping feature.

On Junos OS device, you cannot configure DHCP snooping feature as an independent feature. Whenever you configure DHCP security or DHCP relay or DHCP server for a specific VLAN or interface or routing instance of the device, the DHCP snooping is automatically enabled on that VLAN/interface/routing instance to perform it’s task.

For example:

  • When you enable DHCP Relay on a given list of interfaces of a specific routing instance
  • DHCP snooping gets automatically enabled on those interfaces for that routing instance.
  • When you enable DHCP security on a specific VLAN, DHCP snooping gets automatically enabled on that VLAN.

Junos OS enables DHCP snooping on a switch/router/firewall in:

  • A routing instance when you configure the following options in that routing instance:

    • dhcp-relay statement at the [edit forwarding-options] hierarchy level.
    • dhcp-local-server statement at the [edit system services] hierarchy level.
  • A switch when you configure the following option for any port security features:

    • dhcp-security statement at the [edit vlans vlan-name forwarding-options] hierarchy level.
Tip:

If you need to configure DHCP relay, use the forward-only statement unless you need subscriber management or class-of-service (CoS).

We recommend you read the DHCP documentation and use a lab with DHCP traceoptions enabled to check and understand the configuration.

Configuring DHCP Snooping

In the default DHCP snooping configuration, all traffic is snooped.

On Junos OS device, DHCP snooping is enabled in a routing instance when you configure the following options in that routing instance:

  • dhcp-relay statement at the [edit forwarding-options] hierarchy level

  • dhcp-local-server statement at the [edit system services] hierarchy level

  • You can optionally use the forward-snooped-clients statement to evaluate the snooped traffic and to determine if the traffic is forwarded or dropped, based on whether or not the interface is configured as part of a group.

The router discards snooped packets by default if there is no subscriber associated with the packet. To enable normal processing of snooped packets, you must explicitly configure the allow-snooped-clients statement at the [edit forwarding-options dhcp-relay] hierarchy level.

You can configure DHCP snooping support for a specific routing instance for the following:

  • DHCPv4 relay agent—Override the router’s (or switch’s) default snooping configuration and specify that DHCP snooping is enabled or disabled globally, for a named group of interfaces, or for a specific interface within a named group.

    In a separate procedure, you can set a global configuration to specify whether the DHCPv4 relay agent forwards or drops snooped packets for all interfaces, only configured interfaces, or only nonconfigured interfaces. The router also uses the global DHCP relay agent snooping configuration to determine whether to forward or drop snooped BOOTREPLY packets. A renew request may be unicast directly to the DHCP server. This is a BOOTPREQUEST packet and is snooped.

  • DHCPv6 relay agent—As you can with snooping support for the DHCPv4 relay agent, you can override the default DHCPv6 relay agent snooping configuration on the router to explicitly enable or disable snooping support globally, for a named group of interfaces, or for a specific interface with a named group of interfaces.

    In multi-relay topologies where more than one DHCPv6 relay agent is between the DHCPv6 client and the DHCPv6 server, snooping enables intervening DHCPv6 relay agents between the client and the server to correctly receive and process the unicast traffic from the client and forward it to the server. The DHCPv6 relay agent snoops incoming unicast DHCPv6 packets by setting up a filter with UDP port 547 (the DHCPv6 UDP server port) on a per-forwarding table basis. The DHCPv6 relay agent then processes the packets intercepted by the filter and forwards the packets to the DHCPv6 server.

    Unlike the DHCPv4 relay agent, the DHCPv6 relay agent does not support global configuration of forwarding support for DHCPv6 snooped packets.

  • DHCP local server—Configure whether DHCP local server forwards or drops snooped packets for all interfaces, only configured interfaces, or only nonconfigured interfaces.

  • You can also disable snooping filters. In the preceding configurations, all DHCP traffic is forwarded to the slower routing plane of the routing instance before it is either forwarded or dropped. Disabling snooping filters causes DHCP traffic that can be forwarded directly from the faster hardware control plane to bypass the routing control plane.

Configuring DHCP Snooped Packets Forwarding Support for DHCP Local Server

You can configure how DHCP local server handles DHCP snooped packets. Depending on the configuration, DHCP local server either forwards or drops the snooped packets it receives.

Table 1 indicates the action the router takes for DHCP local server snooped packets.

Note:

Configured interfaces are those interfaces that have been configured with the group statement in the [edit system services dhcp-local-server] hierarchy. Non-configured interfaces are those that are in the logical system/routing instance but have not been configured by the group statement.

Table 1: Actions for DHCP Local Server Snooped Packets

forward-snooped-clients Configuration

Action on Configured Interfaces

Action on Non-Configured Interfaces

forward-snooped-clients not configured

dropped

dropped

all-interfaces

forwarded

forwarded

configured-interfaces

forwarded

dropped

non-configured-interfaces

dropped

forwarded

To configure DHCP snooped packet forwarding for DHCP local server:

  1. Specify that you want to configure DHCP local server.
  2. Enable DHCP snooped packet forwarding for DHCP local server.
  3. Specify the interfaces that are supported for snooped packet forwarding.

For example, to configure DHCP local server to forward DHCP snooped packets on only configured interfaces:

Enabling and Disabling DHCP Snooped Packets Support for DHCP Relay Agent

DHCP relay agent uses a two-part configuration to determine how to handle DHCP snooped packets. This topic describes the first procedure, in which you enable or disable snooping support for DHCP relay agent and, optionally, override the default snooping configuration.

The second procedure, which applies only to DHCPv4 relay agent, is described in Configuring DHCP Snooped Packets Forwarding Support for DHCP Relay Agent, and configures the forwarding action for snooped clients, which specifies whether DHCP relay agent forwards or drops snooped traffic.

You can enable or disable DHCP globally for DHCP relay, for a group of interfaces, or for a specific interface in a group.

By default, DHCP snooping is enabled for DHCP relay. To enable or disable DHCP snooping support globally:

  1. Specify that you want to configure DHCP relay agent.
    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  2. Specify that you want to override the default configuration.
    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  3. Enable or disable DHCP snooping support.
    • To enable DHCP snooping:

      • For DHCP relay agent:

      • For DHCPv6 relay agent:

    • To disable DHCP snooping:

      • For DHCP relay agent:

      • For DHCPv6 relay agent:

For example, to enable global DHCP snooping support :

To enable or disable DHCP snooping support for a group of interfaces:

  1. Specify that you want to configure DHCP relay agent.

    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  2. Specify the named group.

    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  3. Specify that you want to override the default configuration.

    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  4. Enable or disable DHCP snooping support.

    • To enable DHCP snooping:

      • For DHCP relay agent:

      • For DHCPv6 relay agent:

    • To disable DHCP snooping:

      • For DHCP relay agent:

      • For DHCPv6 relay agent:

For example, to enable DHCP snooping support on all interfaces in group boston:

To enable or disable DHCP snooping support on a specific interface:

  1. Specify that you want to configure DHCP relay agent.

    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  2. Specify the named group containing the interface.

    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  3. Specify the interface for which you want to configure DHCP snooping.

    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  4. Specify that you want to override the default configuration on the interface.

    • For DHCP relay agent:

    • For DHCPv6 relay agent:

  5. Enable or disable DHCP snooping support.

    • To enable DHCP snooping:

      • For DHCP relay agent:

      • For DHCPv6 relay agent:

    • To disable DHCP snooping:

      • For DHCP relay agent:

      • For DHCPv6 relay agent:

For example, to disable DHCP snooping support on interface ge-2/1/8.0 in group boston:

To enable DHCPv6 snooping support on interface ge-3/2/1.1 in group sunnyvale:

Configuring DHCP Snooped Packets Forwarding Support for DHCP Relay Agent

You can configure how DHCP relay agent handles DHCP snooped packets. Depending on the configuration, DHCP relay agent either forwards or drops the snooped packets it receives.

DHCP relay uses a two-part configuration to determine how to handle DHCP snooped packets. This topic describes how you use the forward-snooped-clients statement to manage whether DHCP relay agent forwards or drops snooped packets, depending on the type of interface on which the packets are snooped. In the other part of the DHCP relay agent snooping configuration, you enable or disable the DHCP relay snooping feature.

Table 2 shows the action the router or switch takes on snooped packets when DHCP snooping is enabled by the allow-snooped-clients statement.

The router or switch also uses the configuration of the DHCP relay agent forwarding support to determine how to handle snooped BOOTREPLY packets.

Table 2: Actions for DHCP Relay Agent Snooped Packets When DHCP Snooping Is Enabled

forward-snooped-clients Configuration

Action on Configured Interfaces

Action on Non-Configured Interfaces

forward-snooped-clients not configured

snooped packets result in subscriber (DHCP client) creation

dropped

all-interfaces

forwarded

forwarded

configured-interfaces

forwarded

dropped

non-configured-interfaces

snooped packets result in subscriber (DHCP client) creation

forwarded

Table 3 shows the action the router (or switch) takes on snooped packets when DHCP snooping is disabled by the no-allow-snooped-clients statement.

Table 3: Actions for DHCP Relay Agent Snooped Packets When DHCP Snooping Is Disabled

forward-snooped-clients Configuration

Action on Configured Interfaces

Action on Non-Configured Interfaces

forward-snooped-clients not configured

dropped

dropped

all-interfaces

dropped

forwarded

configured-interfaces

dropped

dropped

non-configured-interfaces

dropped

forwarded

Table 4 shows the action the router (or switch) takes for the snooped BOOTREPLY packets.

Table 4: Actions for Snooped BOOTREPLY Packets

forward-snooped-clients Configuration

Action

forward-snooped-clients not configured

snooped BOOTREPLY packets dropped if client is not found

forward-snooped-clients all configurations

snooped BOOTREPLY packets forwarded if client is not found

Configured interfaces have been configured with the group statement in the [edit forwarding-options dhcp-relay] hierarchy. Non-configured interfaces are in the logical system/routing instance but have not been configured by the group statement.

To configure DHCP snooped packet forwarding and BOOTREPLY snooped packet forwarding for DHCP relay agent:

  1. Specify that you want to configure DHCP relay agent.
  2. Enable DHCP snooped packet forwarding.
  3. Specify the interfaces that are supported for snooped packet forwarding.

For example, to configure DHCP relay agent to forward DHCP snooped packets on only configured interfaces:

Disabling DHCP Snooping Filters

DHCP snooping provides DHCP security by identifying incoming DHCP packets. In the default DHCP snooping configuration, all traffic is snooped. You can optionally use the forward-snooped-clients statement to evaluate the snooped traffic and to determine whether the traffic is forwarded or dropped, based on whether or not the interface is configured as part of a group.

In both the default configuration and in configurations using the forward-snooped-clients statement, all DHCP traffic is forwarded from the hardware control plane to the routing plane of the routing instance to ensure that all DHCP packets are intercepted. In certain topologies, such as a Metropolitan Routing Ring topology, forwarding all DHCP traffic to the control plane can result in excessive traffic. The no-snoop configuration statement disables the snooping filter for DHCP traffic that can be directly forwarded on the hardware control plane, such as Layer 3 unicast packets with a valid route, causing those DHCP packets to bypass the slower routing plane. You can disable DHCP snooping filters starting in Junos OS Release 15.1R2.

To disable DHCP snooping filters on the DHCP local server:

  1. Specify that you want to configure DHCP local server.
  2. Disable DHCP snooping filters for DHCP local server.
  3. Specify that you want to configure DHCPv6 local server.
  4. Disable DHCP snooping filters for DHCPv6 local server.

To disable DHCP snooping filters on the DHCP relay server:

  1. Specify that you want to configure DHCP relay server.

  2. Disable DHCP snooping filters for DHCP local server.

  3. Specify that you want to configure DHCPv6 relay server.

  4. Disable DHCP snooping filters for DHCPv6 local server.

Example: Configuring DHCP Snooping Support for DHCP Relay Agent

This example shows how to configure DHCP snooping support for DHCP relay agent.

Requirements

Overview

In this example, you configure DHCP snooping support for DHCP relay agent by completing the following operations:

  • Override the default DHCP snooping configuration and enable DHCP snooping support for the interfaces in group frankfurt.

  • Configure DHCP relay agent to forward snooped packets to only configured interfaces.

Configuration

Procedure

Step-by-Step Procedure

To configure DHCP relay support for DHCP snooping:

  1. Specify that you want to configure DHCP relay agent.

  2. Specify the named group of interfaces on which DHCP snooping is supported.

  3. Specify the interfaces that you want to include in the group. DHCP relay agent considers these as the configured interfaces when determining whether to forward or drop traffic.

  4. Specify that you want to override the default configuration for the group.

  5. Enable DHCP snooping support for the group.

  6. Return to the [edit forwarding-options dhcp-relay] hierarchy level to configure the forwarding action and specify that DHCP relay agent forward snooped packets on only configured interfaces:

  7. Enable DHCP snooped packet forwarding for DHCP relay agent.

  8. Specify that snooped packets are forwarded on only configured interfaces (the interfaces in group frankfurt).

Results

From configuration mode, confirm your configuration by entering the show forwarding-options command. If the output does not display the intended configuration, repeat the instructions in this example to correct it. The following output also shows a range of configured interfaces in group frankfurt.

If you are done configuring the device, enter commit from configuration mode.

Example: Enabling DHCP Snooping Support for DHCPv6 Relay Agent

Snooping support for DHCPv6 relay agent is disabled on the router by default. This example shows how to override the default DHCPv6 relay agent snooping configuration to explicitly enable DHCPv6 snooping for a named group of interfaces and for a specific interface within a different named group.

Note:

You can also enable DHCPv6 snooping support globally by using the allow-snooped-clients statement at the [edit forwarding-options dhcp-relay dhcpv6 overrides] hierarchy level.

Requirements

This example uses the following hardware and software components:

  • MX Series 5G Universal Routing Platforms

  • Junos OS Release 12.1 or later

Before you begin:

Overview

In this example, you override the default DHCPv6 relay agent snooping configuration to explicitly enable DHCP snooping for both of the following:

  • All of the interfaces in the group named boston

  • Interface ge-3/2/1.1 in the group named sunnyvale

Configuration

To override the default DHCPv6 relay agent snooping configuration to explicitly enable DHCPv6 snooping for a named group of interfaces and for a specific interface within a named group, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Enabling DHCPv6 Snooping Support for a Named Group of Interfaces

Step-by-Step Procedure

To enable DHCPv6 snooping support for a named group of interfaces:

  1. Specify that you want to configure DHCPv6 relay agent.

  2. Specify the named group of interfaces for which you want to enable DHCPv6 snooping.

  3. Specify that you want to override the default DHCPv6 configuration for the interfaces in that group.

  4. Enable DHCPv6 snooping support for all interfaces in group boston.

Results

From configuration mode, confirm the results of your configuration by issuing the show statement at the [edit forwarding-options dhcp-relay] hierarchy level. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the router, enter commit from configuration mode.

Enabling DHCPv6 Snooping Support for a Specific Interface in a Named Group

Step-by-Step Procedure

To enable DHCPv6 snooping support for a specific interface within a named group of interfaces:

  1. Return to the [edit forwarding-options dhcp-relay dhcpv6] hierarchy level to specify that you want to configure DHCPv6 relay agent.

  2. Specify the named group containing the interface.

  3. Specify the interface in group sunnyvale for which you want to enable DHCPv6 snooping.

  4. Specify that you want to override the default DHCPv6 configuration for interface ge-3/2/1.1 in group sunnyvale.

  5. Enable DHCPv6 snooping support for interface ge-3/2/1.1 in group sunnyvale.

Results

From configuration mode, confirm the results of your configuration by issuing the show statement at the [edit forwarding-options dhcp-relay] hierarchy level. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the router, enter commit from configuration mode.

Verification

To verify the DHCPv6 configuration in a multi-relay topology, perform this task:

Verifying the Address Bindings for DHCPv6 Relay Agent Clients

Purpose

Verify the DHCPv6 address bindings in the Dynamic Host Configuration Protocol (DHCP) client table.

Action

Display detailed information about address bindings for DHCPv6 relay agent clients.

Meaning

The Server Address field in the show dhcpv6 relay binding detail command output typically displays the IP address of the DHCPv6 server. In this example, the value unknown in the Server Address field indicates that this is a multi-relay topology in which the DHCPv6 relay agent is not directly adjacent to the DHCPv6 server, and does not detect the IP address of the server.

In that case, the output instead includes the Next Hop Server Facing Relay field, which displays the next-hop address in the direction of the DHCPv6 server.

Preventing DHCP Spoofing

A problem that sometimes occurs with DHCP is DHCP spoofing. In DHCP spoofing, an untrusted client floods a network with DHCP messages. Often these attacks utilize source IP address spoofing to conceal the true source of the attack.

DHCP snooping helps prevent DHCP spoofing by copying DHCP messages to the control plane and using the information in the packets to create anti-spoofing filters. The anti-spoofing filters bind a client’s MAC address to its DHCP-assigned IP address and use this information to filter spoofed DHCP messages. In a typical topology, a carrier edge router (in this function also referred to as the broadband network gateway [BNG]) connects the DHCP server and the MX Series router (or broadband services aggregator [BSA]) performing the snooping. The MX Series router connects to the client and the BNG.

To configure DHCP snooping, you include the appropriate interfaces within a DHCP group. You can configure DHCP snooping for VPLS environments and bridge domains.

  • In a VPLS environment, DHCP requests are forwarded over pseudowires. You configure DHCP snooping over VPLS at the [edit routing-instances routing-instance-name] hierarchy level.

  • In bridge domains, DHCP snooping works on a per learning bridge basis. Each learning domain must have an upstream interface configured. This interface acts as the flood port for DHCP requests coming from the client side. DHCP requests are forwarded across learning domains in a bridge domain. You configure DHCP snooping on bridge domains at the [edit routing-instances routing-instance-name bridge-domains bridge-domain-name] hierarchy level.

To configure DHCP relay to prevent DHCP spoofing:

  1. Access the appropriate hierarchy for either a VPLS or bridge domain configuration.
  2. Specify that you want to configure DHCP relay.
  3. Create the group and assign a name.

  4. Specify the names of one or more interfaces. DHCP will trust only the MAC addresses learned on the specified interfaces.
Note:

You can explicitly enable and disable interface support for DHCP snooped clients. See Enabling and Disabling DHCP Snooped Packets Support for DHCP Relay Agent.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
15.1R2
You can disable DHCP snooping filters starting in Junos OS Release 15.1R2.