# DHCP Snooping Configuration
## Introduction

DHCP snooping monitors DHCP request messages and the DHCP ACK messages received on trusted ports, and records DHCP snooping entries containing the client MAC address, the assigned IP address, the VLAN and other information.

## Explanation of Principles

### Trusted Ports for DHCP Snooping

When DHCP snooping is enabled, the device forwards the DHCP request messages of DHCP clients through trusted ports to legitimate DHCP servers, and generates snooping binding table (SNP) entries based on the DHCP ACK responses from the server.

DHCP snooping classifies ports into two security levels, which are handled differently when DHCP messages are received:

- Trusted ports: when a DHCP ACK message from a DHCP server is received on a trusted port, an SNP entry is generated from the contents of the message.
- Untrusted ports: DHCP ACK messages from DHCP servers received on untrusted ports are only forwarded; no SNP entry is generated.

### DHCP Snooping Table

SNP entries contain information such as the VLAN, MAC address, IP address and interface. These entries are recorded by monitoring the DHCP ACK messages received through trusted ports, and are removed based on DHCP RELEASE messages received on ports with DHCP snooping enabled.

Because the DHCP snooping binding table records the correspondence between DHCP client IP addresses and MAC addresses, it enables the following functions:

- Dynamic ARP Inspection (DAI): DAI uses DHCP snooping entries to determine the legitimacy of the user sending ARP packets, preventing ARP attacks from unauthorized users.
- Source Address Validation Improvement (SAVI): SAVI uses DHCP snooping entries to validate the legitimacy of users sending ND (Neighbor Discovery) packets, preventing ND attacks from unauthorized users.
- IP Source Guard (IPSG): IPSG filters IP packets on ports using entries dynamically obtained from the DHCP snooping table, preventing unauthorized packets from passing through those ports.
- MAC scan: based on DHCP snooping entries, a scan can be initiated on the terminal devices listed in the table to detect their online status.

## DHCP Snooping Configuration

| Configuration task | Instructions |
| --- | --- |
| Enable DHCP snooping | Required |
| Configure ports as trusted | Required |

### Enabling the DHCP Snooping Function

Enabling DHCP snooping is a two-step process: first enable the global DHCP snooping function, then enable DHCP snooping on specific interfaces or VLANs.

| Operation | Command |
| --- | --- |
| Enter the system configuration view | `configure terminal` |
| Enable DHCP snooping globally | `dhcp snooping enable {v4\|v6}` |
| Enter the corresponding view | Interface view: `interface ethernet interface-id`; VLAN view: `vlan id` |
| Enable DHCP snooping on the interface or VLAN | `dhcp snooping enable` |

### Configuring Ports as Trusted

To ensure that the device generates SNP entries only for DHCP ACK packets received from legitimate DHCP servers, set the interfaces that are directly or indirectly connected to trusted DHCP servers as trusted interfaces, and set all other interfaces as untrusted. This guarantees that, once the corresponding security features are enabled, only terminals that obtained their IP addresses from legitimate DHCP servers can access the network, preventing unauthorized access through self-deployed DHCP servers.

| Operation | Command |
| --- | --- |
| Enter the system configuration view | `configure terminal` |
| Enter the corresponding view | Interface view: `interface ethernet interface-id`; VLAN view: `vlan id` |
| Configure the port as trusted | `dhcp snooping trusted` |

### Display and Maintenance

| Operation | Command |
| --- | --- |
| Display the DHCP snooping related configuration | `show dhcp snooping config` |
| Display the DHCP snooping table | `show snooping table` |

## Configuration Example

### Network Requirements

A company wants to assign IP addresses to the terminals in its network through a DHCP server in order to simplify management, and at the same time needs to prohibit users from accessing the network with statically configured IP addresses.

### Procedure

Step 1: Create VLAN 100 and configure its IP address.

```
sonic(config)# vlan 100
sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 100
sonic(config)# interface ethernet 2
sonic(config-if-2)# switchport access vlan 100
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# ip address 10.1.2.1/24
```

Step 2: Enable the DHCP relay function.

```
sonic(config)# dhcp relay test v4
sonic(config-dhcp-relay-test-v4)# down link interface vlan 100
sonic(config-dhcp-relay-test-v4)# up link interface 5
sonic(config-dhcp-relay-test-v4)# server ip 10.10.1.1
sonic(config-dhcp-relay-test-v4)# loopback interface loopback 0
sonic(config-dhcp-relay-test-v4)# exit
```

Step 3: Enable DHCP snooping.

```
sonic(config)# dhcp snooping enable
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# dhcp snooping enable
```

Step 4: Configure the interface to which the DHCP server is connected as a trusted port.

```
sonic(config)# interface ethernet 5
sonic(config-if-5)# dhcp snooping enable
sonic(config-if-5)# dhcp snooping trusted
```

Step 5: Enable DAI and IPSG to check the legitimacy of user messages.

```
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# ipv4 source check enable
sonic(config-vlanif-100)# arp anti attack check enable
```

### Verify Configuration

- Check the IP address obtained on the user's PC.
- Change the IP address on the user's PC to a static configuration, then ping the external network address and the PC's gateway address respectively; both ping operations fail.
- View the packet loss statistics of the security features on the device:

```
sonic# show user bind counter
interface    drop packets
vlan100      4028
```
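The binding-table behaviour described under Explanation of Principles, and the verification scenario above (a PC that obtained its lease through the trusted port passes, the same PC with a static address is dropped and counted per VLAN), modelled as an added Python example; this is not the switch's own code. The class and method names, the MAC addresses, the lease addresses and the rule that a RELEASE only removes an entry when it arrives on the bound interface are assumptions for illustration; the VLAN, the port roles and the address plan follow the configuration example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One SNP entry: VLAN, client MAC, leased IP and the client-facing interface."""
    vlan: int
    mac: str
    ip: str
    interface: str


@dataclass
class DhcpMessage:
    """Only the DHCP fields the snooping logic inspects (constructed, simplified)."""
    kind: str                        # "DISCOVER" | "REQUEST" | "ACK" | "RELEASE"
    vlan: int
    client_mac: str
    client_ip: Optional[str] = None  # yiaddr in an ACK, ciaddr in a RELEASE


class DhcpSnooping:
    """Software model of the SNP table and of the checks that consume it (assumed names)."""

    def __init__(self) -> None:
        self.enabled_vlans: Set[int] = set()
        self.trusted_ports: Set[str] = set()
        self.table: Dict[Tuple[int, str], Binding] = {}
        # Port on which the client's DISCOVER/REQUEST arrived. Assumption: the
        # switch remembers it so the ACK can be bound to the client interface.
        self._pending: Dict[Tuple[int, str], str] = {}
        self.drop_counter: Dict[str, int] = {}   # "vlan100" -> dropped packets

    def enable_vlan(self, vlan: int) -> None:
        self.enabled_vlans.add(vlan)

    def set_trusted(self, port: str) -> None:
        self.trusted_ports.add(port)

    def receive_dhcp(self, port: str, msg: DhcpMessage) -> str:
        """Process one DHCP message and report what the switch does with it."""
        key = (msg.vlan, msg.client_mac.lower())
        if msg.vlan not in self.enabled_vlans:
            return "forward"                     # snooping not enabled on this VLAN
        if msg.kind in ("DISCOVER", "REQUEST"):
            self._pending[key] = port            # remember where the client sits
            return "forward"
        if msg.kind == "ACK":
            if port not in self.trusted_ports:
                return "forward"                 # untrusted port: forwarded, no entry
            client_port = self._pending.pop(key, None)
            if client_port is None or msg.client_ip is None:
                return "forward"                 # no matching request was seen
            self.table[key] = Binding(msg.vlan, key[1], msg.client_ip, client_port)
            return "forward+bind"
        if msg.kind == "RELEASE":
            entry = self.table.get(key)
            # Assumption: only a RELEASE for the bound address arriving on the
            # bound interface removes the entry, so a spoofed RELEASE cannot evict it.
            if entry and entry.ip == msg.client_ip and entry.interface == port:
                del self.table[key]
                return "forward+unbind"
        return "forward"

    def source_is_bound(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        """IPSG/DAI lookup: (VLAN, MAC, IP, interface) must match an SNP entry."""
        if port in self.trusted_ports:
            return True                          # assumption: trusted ports are not filtered
        entry = self.table.get((vlan, mac.lower()))
        ok = entry is not None and entry.ip == ip and entry.interface == port
        if not ok:                               # counted per VLAN, like the page's output
            self.drop_counter[f"vlan{vlan}"] = self.drop_counter.get(f"vlan{vlan}", 0) + 1
        return ok


def run_scenario() -> dict:
    """Replay the page's example: PC on Ethernet1, DHCP server behind trusted Ethernet5."""
    snp = DhcpSnooping()
    snp.enable_vlan(100)
    snp.set_trusted("Ethernet5")
    pc, rogue = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"   # constructed MAC addresses
    steps = [
        snp.receive_dhcp("Ethernet1", DhcpMessage("DISCOVER", 100, pc)),
        snp.receive_dhcp("Ethernet1", DhcpMessage("REQUEST", 100, pc)),
        snp.receive_dhcp("Ethernet5", DhcpMessage("ACK", 100, pc, "10.1.2.10")),
        # A self-deployed DHCP server answering on untrusted Ethernet2 creates no entry
        snp.receive_dhcp("Ethernet2", DhcpMessage("REQUEST", 100, rogue)),
        snp.receive_dhcp("Ethernet2", DhcpMessage("ACK", 100, rogue, "10.1.2.99")),
    ]
    bound = list(snp.table.values())
    checks = [
        snp.source_is_bound("Ethernet1", 100, pc, "10.1.2.10"),      # leased address: pass
        snp.source_is_bound("Ethernet1", 100, pc, "10.1.2.50"),      # PC set to a static IP: drop
        snp.source_is_bound("Ethernet2", 100, rogue, "10.1.2.99"),   # rogue-served client: drop
    ]
    released = snp.receive_dhcp("Ethernet1", DhcpMessage("RELEASE", 100, pc, "10.1.2.10"))
    return {"steps": steps, "bound": bound, "checks": checks, "released": released,
            "drops": dict(snp.drop_counter), "entries_left": len(snp.table)}
```

Calling `run_scenario()` returns the per-message decisions, the single binding created from the ACK on the trusted port, the three source checks (pass, drop, drop), the per-VLAN drop counter that corresponds to the `show user bind counter` output, and an empty table after the RELEASE. The rogue ACK on Ethernet2 is forwarded but never produces a binding, which is why the client it served is dropped by the same lookup that passes the legitimately leased PC.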
