DHCP Snooping Configuration
DHCP Snooping monitors DHCP-REQUEST messages and the DHCP-ACK messages received on trusted ports, and records DHCP Snooping entries containing the client MAC address, the assigned IP address, the VLAN and other information.
Explanation of Principles
Trusted Ports for DHCP Snooping
When DHCP Snooping is enabled, the device forwards DHCP request messages from clients through trusted ports to legitimate DHCP servers, and generates Snooping Binding Table (SNP) entries from the DHCP ACK responses returned by those servers.
DHCP Snooping assigns each port one of two security levels, which determine how DHCP messages received on the port are handled:
- Trusted Ports: when a trusted port receives a DHCP ACK message from a DHCP server, the device generates an SNP entry from the contents of the message.
- Untrusted Ports: an untrusted port only forwards DHCP ACK messages from DHCP servers and does not generate SNP entries.
DHCP Snooping Table
SNP entries contain information such as VLAN, MAC, IP and INTERFACE. They are recorded by monitoring DHCP-ACK messages received through trusted ports, and removed on DHCP Release messages received on ports with DHCP Snooping enabled. Because the DHCP Snooping binding table records the correspondence between DHCP client IP addresses and MAC addresses, it enables the following features:
- Dynamic ARP Inspection (DAI): DAI uses DHCP Snooping entries to determine the legitimacy of the user sending ARP packets, thus preventing ARP attacks from unauthorized users.
- Source Address Validation Improvement (SAVI): SAVI uses DHCP Snooping entries to validate the legitimacy of users sending ND (Neighbor Discovery) packets, preventing ND attacks from unauthorized users.
- IP Source Guard (IPSG): IPSG filters IP packets on a port against the binding entries dynamically obtained from the DHCP Snooping table, preventing packets that match no entry from passing through that port.
- MAC-scan: Based on DHCP Snooping entries, a scan can be initiated on terminal devices listed in the table to detect their online status.
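As an added illustration (not code from this page or the vendor's switch software), the following Python model shows the mechanism the two sections above describe: the switch notes which access port a client's REQUEST arrived on, creates an SNP entry only when the matching ACK arrives on a trusted port, forwards ACKs from untrusted ports without learning, removes the entry on RELEASE, and IPSG/DAI then admit only traffic matching an entry. Port names, MAC and IP addresses are constructed.

```python
# Added illustration, not code from the page or its vendor: a minimal model of how
# a switch builds its DHCP Snooping table and how IPSG/DAI consult it (values constructed).

class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}  # (vlan, mac) -> port the client's DHCP REQUEST arrived on
        self.table = {}    # (vlan, mac) -> (ip, interface): the SNP binding table

    def on_dhcp(self, msg_type, port, vlan, client_mac, yiaddr=None):
        """Process one DHCP message seen on `port`; returns the action taken."""
        key = (vlan, client_mac)
        if msg_type == "REQUEST":
            self.pending[key] = port          # remember which access port the client is on
            return "forwarded"
        if msg_type == "ACK":
            # A server reply creates an entry only when it arrives on a trusted port
            # and matches a REQUEST we saw; otherwise it is forwarded without learning.
            if port not in self.trusted or key not in self.pending:
                return "forwarded-no-entry"
            self.table[key] = (yiaddr, self.pending.pop(key))
            return "entry-added"
        if msg_type == "RELEASE":
            return "entry-removed" if self.table.pop(key, None) else "no-entry"
        return "forwarded"

    def ipsg_check(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: permit only if (VLAN, MAC, IP, port) matches a binding."""
        return self.table.get((vlan, src_mac)) == (src_ip, port)

    def dai_check(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the same binding match applied to ARP sender fields."""
        return self.ipsg_check(port, vlan, sender_mac, sender_ip)


def demo():
    """Constructed scenario: DHCP server behind trusted Ethernet5, PC on Ethernet1."""
    snp = DhcpSnooping(trusted_ports={"Ethernet5"})
    pc = "00:11:22:33:44:55"
    snp.on_dhcp("REQUEST", "Ethernet1", 100, pc)
    learned = snp.on_dhcp("ACK", "Ethernet5", 100, pc, yiaddr="10.1.2.10")
    snp.on_dhcp("REQUEST", "Ethernet1", 100, "aa:bb:cc:dd:ee:ff")  # second client
    rogue = snp.on_dhcp("ACK", "Ethernet2", 100, "aa:bb:cc:dd:ee:ff", yiaddr="10.1.2.99")
    return {
        "learned": learned,                                                   # entry-added
        "rogue_server": rogue,                                                # forwarded-no-entry
        "dhcp_ip_allowed": snp.ipsg_check("Ethernet1", 100, pc, "10.1.2.10"),  # True
        "static_ip_dropped": not snp.ipsg_check("Ethernet1", 100, pc, "10.1.2.50"),  # True
        "spoofed_arp_dropped": not snp.dai_check("Ethernet1", 100, pc, "10.1.2.1"),  # True
    }
```

The `static_ip_dropped` result mirrors the verification step later on this page: a PC that switches to a statically configured address no longer matches its binding and its packets are dropped.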
DHCP Snooping Configuration
| Configuration task | Remarks |
|---|---|
| Enable DHCP Snooping | Required |
| Configure ports as trusted | Required |
Enabling DHCP Snooping Function
Enabling the DHCP Snooping function is a two-step process: first enable DHCP Snooping globally, then enable it on the specific interfaces or VLANs.
| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Enable DHCP Snooping globally | dhcp snooping enable {v4 \| v6} | |
| Enter the corresponding view | Interface view: interface ethernet interface-id; VLAN view: vlan ID | |
| Enable DHCP Snooping on the interface or VLAN | dhcp-snooping enable | |
Configuring Ports as Trusted
To ensure that the device generates SNP entries only for DHCP ACK packets received from legitimate DHCP servers, set the interfaces connected directly or indirectly to trusted DHCP servers as trusted interfaces and leave all other interfaces untrusted. Once the related security features are enabled, this guarantees that only terminals that obtained their IP address from a legitimate DHCP server can access the network, and prevents unauthorized access through self-deployed DHCP servers.
| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Enter the corresponding view | Interface view: interface ethernet interface-id; VLAN view: vlan ID | |
| Configure the port as trusted | dhcp-snooping trusted | |
Display and Maintenance
| Operation | Command | Description |
|---|---|---|
| Display DHCP Snooping related configuration | show dhcp snooping config | |
| Display the DHCP Snooping table | show snooping table | |
Configuration Example
Network requirements
A company wants to assign IP addresses to terminals in the network through a DHCP server in order to facilitate management, and at the same time needs to prohibit users from accessing the network through statically configured IP addresses.

Procedure
- Create VLAN 100 and configure the IP address
```
sonic(config)# vlan 100
sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 100
sonic(config)# interface ethernet 2
sonic(config-if-2)# switchport access vlan 100
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# ip address 10.1.2.1/24
```
- Enable the DHCP relay function
```
sonic(config)# dhcp-relay test v4
sonic(config-dhcp-relay-test__v4)# down_link interface vlan 100
sonic(config-dhcp-relay-test__v4)# up_link interface 5
sonic(config-dhcp-relay-test__v4)# server_ip 10.10.1.1
sonic(config-dhcp-relay-test__v4)# loopback_interface loopback 0
sonic(config-dhcp-relay-test__v4)# exit
```
- Enable DHCP Snooping
```
sonic(config)# dhcp snooping enable
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# dhcp-snooping enable
```
- Configure the interface to which the DHCP server is connected as a trusted port
```
sonic(config)# interface ethernet 5
sonic(config-if-5)# dhcp-snooping enable
sonic(config-if-5)# dhcp-snooping trusted
```
- Enable DAI and IPSG to check the legitimacy of user packets
```
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# ipv4-source-check enable
sonic(config-vlanif-100)# arp anti-attack-check enable
```
Verify configuration
- Check the obtained IP address on the user’s PC.
- Change the IP address on the user’s PC to a static configuration and ping the external network address and the PC’s gateway address respectively; both pings fail.
- View the packet loss statistics of the security features on the device.
```
sonic# show user-bind counter
Interface   Drop Packets
----------- --------------
Vlan100     4028
```