Technical Document

DHCP Snooping on the Layer-3 switches


This document explains an issue that customers may encounter if DHCP snooping is enabled on Layer-3 switches.

This document is applicable to all the Dell networking switches.



Overview:

DHCP snooping is a security feature that builds the binding table from DHCPACK messages. The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real client's address.

Binding table entries are deleted when a lease expires, or when the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE.

Topology:

DHCP Snooping on the Layer-3 switches with redundant links:

In the above topology, the ARP entry for host 10.0.0.100 is learned on VLAN 10 through the Layer-2 interface Te 0/1.

Dell# show arp ip 10.0.0.100

Protocol Address Age(min) Hardware Address Interface VLAN CPU

----------------------------------------------------------------------------------------

Internet 10.0.0.100 9 00:00:00:ab:cd:ef Te 0/1 Vl 10 CP

If DHCP snooping is enabled, the switch captures the DHCP messages from the host and builds the DHCP snooping binding table.

Dell#show ip dhcp snooping binding

Codes : S - Static D - Dynamic

IP Address MAC Address Expires(Sec) Type VLAN Interface

====================================================

10.0.0.100 00:00:00:ab:cd:ef 86008 D Vl 10 Te 0/1

This binding internally creates a static ARP entry for the host, as shown below.

Dell#show _arp

Vrf-ID:0 Owner:0 Clients:0 Service:0x2 Asked:0IsMgid:0Mgid:0

Internet 10.0.0.100 - 00:00:00:ab:cd:ef Te 0/1 Vl 10

As mentioned earlier, the DHCP binding table is cleared only when a lease expires, or when the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE. An interface failure does not clear the binding table.

If interface Te 0/1 goes down, the ARP entry moves to Te 0/2 on VLAN 10.

Dell# show arp ip 10.0.0.100

Protocol Address Age(min) Hardware Address Interface VLAN CPU

----------------------------------------------------------------------------------------

Internet 10.0.0.100 0 00:00:00:ab:cd:ef Te 0/2 Vl 10 CP

Although the ARP and MAC entries for the host move to a different interface (Te 0/2), the binding table and the internal ARP entry continue to point to Te 0/1 until the host releases the IP address or the lease expires.

Because of the mismatch between the regular and internal ARP tables, this entry is not written to the FIB and CAM tables.

Dell# show arp ip 10.0.0.100

Protocol Address Age(min) Hardware Address Interface VLAN CPU

----------------------------------------------------------------------------------------

Internet 10.0.0.100 0 00:00:00:ab:cd:ef Te 0/2 Vl 10 CP

Dell#show _arp

Vrf-ID:0 Owner:0 Clients:0 Service:0x2 Asked:0IsMgid:0Mgid:0

Internet 10.0.0.100 - 00:00:00:ab:cd:ef Te 0/1 Vl 10

Dell#show ip fib stack-unit 0 10.0.0.100/32

<empty>

Dell#

Since the CAM table is not updated, all Layer-3 packets destined to the host (10.0.0.100) are software switched (punted to the CPU). This causes high latency and CPU overload.
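The following Python script is an added example, not part of the Dell article: it parses the "show arp" and "show ip dhcp snooping binding" outputs shown above and reports hosts whose live ARP interface or MAC address no longer matches the snooping binding, which is the condition that keeps the host's entry out of the FIB. The sample outputs embedded in the script are constructed to reproduce the scenario after Te 0/1 has failed.

```python
import re

# Constructed sample outputs modelled on the article's show commands, taken
# after Te 0/1 failed and host 10.0.0.100 moved to Te 0/2.
SHOW_ARP = """\
Protocol Address Age(min) Hardware Address Interface VLAN CPU
Internet 10.0.0.100 0 00:00:00:ab:cd:ef Te 0/2 Vl 10 CP
Internet 10.0.0.101 3 00:00:00:ab:cd:f0 Te 0/3 Vl 10 CP
"""
SHOW_BINDING = """\
Codes : S - Static D - Dynamic
IP Address MAC Address Expires(Sec) Type VLAN Interface
10.0.0.100 00:00:00:ab:cd:ef 86008 D Vl 10 Te 0/1
10.0.0.101 00:00:00:ab:cd:f0 85000 D Vl 10 Te 0/3
"""

# Column layouts of the two tables: interface names are two tokens ("Te 0/1").
ARP_RE = re.compile(r"^Internet\s+(?P<ip>\S+)\s+\S+\s+(?P<mac>\S+)\s+"
                    r"(?P<iface>\S+ \S+)\s+(?P<vlan>Vl \d+)")
BIND_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>\S+)\s+\d+\s+[SD]\s+"
                     r"(?P<vlan>Vl \d+)\s+(?P<iface>\S+ \S+)")


def parse_table(text, pattern):
    """Return {ip: {"mac", "iface", "vlan"}} for every line matching pattern."""
    entries = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            entries[m["ip"]] = {"mac": m["mac"], "iface": m["iface"], "vlan": m["vlan"]}
    return entries


def find_stale_bindings(arp, bindings):
    """Hosts whose live ARP entry disagrees with the snooping binding (interface
    moved after a link failure, or a different MAC now answers for the IP)."""
    issues = []
    for ip, bind in bindings.items():
        live = arp.get(ip)
        if live and (live["iface"] != bind["iface"] or live["mac"] != bind["mac"]):
            issues.append({"ip": ip, "arp_mac": live["mac"], "binding_mac": bind["mac"],
                           "arp_iface": live["iface"], "binding_iface": bind["iface"]})
    return issues


if __name__ == "__main__":
    arp, bindings = parse_table(SHOW_ARP, ARP_RE), parse_table(SHOW_BINDING, BIND_RE)
    for i in find_stale_bindings(arp, bindings):
        print(f"{i['ip']}: ARP on {i['arp_iface']}, binding still on {i['binding_iface']}")
```

Hosts reported by the script are candidates for the soft-switching problem described above; a host that appears with a different MAC deserves a closer look, since that is the spoofing case the binding table exists to catch.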

Recommendation:

In networks with redundant links, where hosts are expected to move between interfaces, it is recommended to configure DHCP snooping only on the Layer-2 switches.


Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN294422

Last Modified: 11/20/2014 02:43 PM

