When DHCP snooping is enabled, the switch uses the DHCP snooping binding
database to store information about untrusted interfaces. The database can have
up to 8192 bindings.
Note: The DHCP snooping database read event will not retrieve entries for 10G and PC interfaces.
Each database entry (binding) has an IP address, an associated
MAC address, the lease time (in hexadecimal format), the interface to which the
binding applies, and the bridge-domain to which the interface belongs. The
database agent stores the bindings in a file at a configured location. At the
end of each entry is a
checksum value that accounts for all the bytes associated with the
entry. Each entry is 72 bytes, followed by a space and then the checksum value.
To keep the bindings when the switch reloads, you must use the DHCP
snooping database agent. If the agent is disabled, dynamic ARP inspection is
enabled, and the DHCP snooping binding database has dynamic bindings, the
switch loses its connectivity. If the agent is disabled and only DHCP snooping
is enabled, the switch does not lose its connectivity, but DHCP snooping might
not prevent DHCP spoofing attacks.
When reloading, the router reads the binding file to build the DHCP
snooping binding database. The switch keeps the file current by updating it
when the database changes.
When a router learns of new bindings or when it loses bindings, the
router immediately updates the entries in the database. The router also updates
the entries in the binding file. The frequency at which the file is updated is
based on a configurable delay, and the updates are batched. If the file is not
updated in a specified time (set by the write-delay and abort-timeout values),
the update stops.
This is the format of the file that has the bindings:
<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
...
<entry-n> <checksum-1-2-..-n>
END
Each entry in the file is tagged with a checksum value that the router
uses to verify the entries when it reads the file. The
initial-checksum entry on the first line distinguishes entries
associated with the latest file update from entries associated with a previous
file update.
This is an example of a binding file:
2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E Fa1/0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB Fa1/0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Fa1/0/4 584a38f0
END
When the router starts and the calculated checksum value equals the
stored checksum value, the router reads entries from the binding file and adds
the bindings to its DHCP snooping binding database. The router ignores an entry
when one of these situations occurs:
- The router reads the entry and the calculated checksum value does not equal the stored checksum value. The entry and the ones following it are ignored.
- An entry has an expired lease time (the router might not remove a binding entry when the lease time expires).
- The interface in the entry no longer exists on the system.
- The interface is a routed interface or a DHCP snooping-trusted interface.