Sign in Get started
Product · Architecture

Architecture & data flow.

Inspect in userspace, enforce in the kernel, keep the record on the appliance. Here's how the pieces fit.

DHCP Shield Pro deployment diagram Where the DHCP Shield Pro appliance sits in a customer network: DHCP clients relay requests through to the appliance, which forwards accepted traffic to the existing DHCP server. Optional, self-hosted or opt-in services (LLM backend, SIEM export, support channel) connect over dashed paths. LEGEND Solid — DHCP traffic, on-premises Dashed — optional · self-hosted or opt-in Admin browser operator workstation HTTPS — GUI & API DHCP requests (relayed) accepted traffic + replies, same path DHCP clients devices on the access network DHCP relay existing relay infrastructure DHCP Shield Pro APPLIANCE Inspection engine Kernel firewall (nftables) Database Web GUI Fail-open by design — if inspection stops, traffic passes. DHCP server your existing DHCP server (Kea, ISC, …) analysis requests event export outbound SSH OPTIONAL LLM backend self-hosted OpenAI API (llama.cpp) optional — runs on your infrastructure OPTIONAL SIEM / data export optional OPTIONAL Support channel opt-in, outbound only
Where the appliance sits — inline on the DHCP path between your relays and your DHCP server. Dashed paths are optional: self-hosted or opt-in.

Overview

Four planes

The appliance is built around four cooperating planes. Each does one job, and each can fail without taking the others — or your DHCP service — down with it.

01

Data plane — inspection

Reads every DHCPv4 and DHCPv6 exchange in full and extracts the fields that identify a client and its intent — message type, hardware address, vendor class, client identifier, and relay-agent information. This is where deep packet inspection happens, in userspace, where the full protocol can be parsed.

02

Enforcement plane — verdicts

Turns an inspection result into a kernel-level decision: accept, rate-limit, or drop. Because enforcement lives in the Linux kernel rather than a userspace proxy, it keeps pace with line-rate DHCP and adds negligible latency to legitimate traffic.

03

Analytics plane — the record

Stores every transaction in a high-throughput, on-appliance data store, pre-aggregates it for fast historical queries, and feeds the report builder, the network map, and the scheduled automation rules. This is the plane that answers "what happened, and why" after the fact.

04

Streaming plane — live view

Broadcasts transactions and alarms in real time to the operator display and to downstream pipelines, so operators can watch the network as it changes and route events into the tools they already run.

DHCP Shield Pro — integration into a telecom operator's OSS/BSS ecosystem The appliance (left, vertically centered) sits inline on the DHCP path (context strip, top). REST API and MCP provide bidirectional management and data with OSS orchestration and AI agents. The bundled green Vector agent module is the transport for both the alarming and logging group and the streaming destinations group, distributing to each in parallel. Below the OSS region, a solid BSS region provisions subscriber and location data into the appliance by push or pull; the subscriber and location service card is optional (dashed). All connectors are orthogonal. LEGEND Solid blue — DHCP traffic, on the wire (core path) Solid teal — OSS integration (management · alarms · telemetry) Solid gray — BSS integration (location) Dashed — optional component DHCP CORE PATH — CONTEXT DHCP clients / relay access network Shield Pro inline DHCP server (Kea, ISC, …) OSS — OPERATIONS SUPPORT SYSTEMS BSS — BUSINESS SUPPORT SYSTEMS DHCP Shield Pro APPLIANCE INTEGRATION INTERFACES REST API MCP server Alarm / notification dispatch Vector agent module · event & metric stream Location connector OSS orchestration provisioning · assurance AI agents & copilots via MCP MANAGEMENT & DATA · ⇄ manage the appliance, pull data, automate — both directions. ALARMING & LOGGING + many more Monitoring / NMS Syslog Splunk application logs & alarms STREAMING DESTINATIONS + many more Kafka AWS S3 Elasticsearch Splunk Datadog Loki NATS MQTT Prometheus Remote Write syslog Vector streams to every destination in parallel — 10 of 50+ shown; add more via Vector config, no appliance change. Subscriber / location services location data store OPTIONAL Location is always provisioned to the appliance — by BSS push or Shield pull.
How the appliance plugs into a telco's OSS/BSS ecosystem — bidirectional management and data over the REST API and MCP server, alarms and event/metric telemetry fanned out through the bundled Vector agent to the tools you already run, and an optional path that provisions subscriber/location data into the appliance from BSS.

Pipeline

How a DHCP packet flows

In the default inline deployment, every DHCP packet takes the same short path through the appliance before it reaches your DHCP server:

  1. 1

    A client sends a DHCP request. It arrives at the appliance, which sits on the path between your clients (or relays) and your DHCP server.

  2. 2

    The Linux kernel hands the DHCP packet up to the inspection engine. Non-DHCP traffic is never touched.

  3. 3

    The engine parses the packet in full, identifies the client, and decides what should happen to it — based on your rules, the client's current state, and any active enforcement.

  4. 4

    The engine returns a verdict. The kernel enforces it inline: the packet is accepted, rate-limited, or dropped.

  5. 5

    Independently of the verdict, the parsed transaction is recorded to the on-appliance store, streamed live to the operator display, and made available to downstream pipelines.

  6. 6

    Accepted packets continue to your DHCP server, which replies as normal. Scheduled automation later reviews the aggregated record and can escalate or relax enforcement on its own cadence.

The whole inspect-and-enforce step adds only a small, fixed cost per packet, and it applies only to DHCP — the protocol that needs watching, not your general network traffic.

Deployment

Deployment modes

01

Inline (default)

The appliance sits on the DHCP path and can enforce. This is the mode to plan for: full inspection plus the ability to block, deny, throttle, allow, or monitor live traffic. Recommended for production.

02

Mirrored (passive)

The appliance receives a copy of DHCP traffic from a switch mirror or SPAN port and observes only — full inspection, analytics, and detection, but no enforcement. A low-risk way to evaluate the product or monitor a network you don't want to sit in front of.

03

From remote sites

Lightweight agents at each remote site forward a copy of local DHCP traffic to a central appliance for inspection, giving you one pane of glass across many locations. Observation-only at the remote sites; pair it with an inline appliance at headquarters for enforcement where it counts.

Inline and observation modes can run side by side: enforce on your primary network while passively monitoring remote sites from the same appliance.

Mirrored (passive) deployment Live DHCP traffic flows clients to switch to DHCP server and never passes the appliance. The switch sends one-way mirrored copies down to the off-path appliance, which observes only. LEGEND Solid — live DHCP traffic, untouched Dashed — mirrored copies, one-way live DHCP traffic — never passes the appliance + replies, same path DHCP clients devices on the access network Switch your existing switch — mirror / SPAN port DHCP server your existing DHCP server (Kea, ISC, …) mirrored copies DHCP Shield Pro APPLIANCE OBSERVE ONLY Inspection engine Kernel firewall (nftables) Database Web GUI Observation only — full inspection, analytics, and detection. Enforcement actions are recorded, not applied.
Mirrored (passive) — the appliance sits off the path and only ever sees copies. Zero risk to the live DHCP service.
Deployment from remote sites Multiple remote sites forward one-way mirrored copies of DHCP traffic over the WAN or VPN to a single central appliance. Nothing flows back to the sites. LEGEND Dashed — mirrored copies, one-way over WAN / VPN Remote site A Clients + local DHCP Site agent captures DHCP, forwards copies (TZSP) Remote site B Clients + local DHCP Router with native TZSP mirror TZSP over UDP — one-way copies DHCP Shield Pro APPLIANCE CENTRAL — OBSERVE ONLY Collector (receives site copies) Inspection engine Database Web GUI Remote sites are observed only. Pair with an inline appliance at headquarters to enforce where it counts.
From remote sites — one-way TZSP copies over WAN or VPN into one central appliance. Nothing flows back to the sites.

Resilience

If inspection stops, DHCP keeps flowing

The most important property of an inline appliance is what happens when it fails. DHCP Shield Pro is built to fail open: if the inspection service is unavailable for any reason, the kernel passes DHCP packets straight through. Your clients keep getting leases and your DHCP server keeps answering — the appliance simply stops inspecting until it recovers.

That means your DHCP service never depends on the appliance staying up. Enforcement is something you add on top of a network that already works, not a single point of failure you bolt into the critical path. For the full picture of how the planes degrade independently, see the reliability and resilience notes under trust.

Storage

Where data lives

Data Where it's stored Retention
DHCP transactions On the appliance Configurable
Pre-aggregated traffic On the appliance Derived from transactions
Audit log (every change and enforcement action) On the appliance Indefinite by default, configurable
Active enforcement state Linux kernel Per-action defaults: Block 2 h · Deny indefinite · Throttle 24 h · Allow 30 d · Monitor 7 d

No telemetry leaves the appliance, and there is no mandatory phone-home. Nothing crosses your network boundary unless an operator explicitly opens a support session. For the full data-flow disclosure, see trust/data-flow.

Architecture & data flow.

Inspect in userspace, enforce in the kernel, keep the record on the appliance.

Talk to sales Read the install guide