Dell Networking SONiC: Dynamic Host Configuration Protocol Snooping

Summary: This article explains Dynamic Host Configuration Protocol (DHCP) snooping in Dell Networking SONiC. The examples use a switch running Dell SONiC 4.1.

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

Prerequisites
Standard interface naming is used to demonstrate the concepts. See Dell article 202172, Dell Networking S-Series: Basic Interface Configuration - SONiC 4.0, for more information about interface naming.


Index

Introduction
DHCP Layer 2 COPP Configuration
IPv4 DHCP Snooping Configuration
Clear Entries from the IPv4 DHCP Snooping Binding Table
View IPv4 DHCP Snooping Information
IPv6 DHCP Snooping Configuration
Clear Entries from the IPv6 DHCP Snooping Binding Table
View IPv6 DHCP Snooping Information
 

Introduction

Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that enables switches in a network to monitor DHCP control messages. A switch can identify rogue DHCP servers and clients in a network using the control messages.

When you enable DHCP snooping, the switch starts monitoring DHCP control packets both from DHCP servers and clients. The system uses this information to build a database.

There are two types of DHCP Snooping interfaces; trusted and untrusted interfaces. You connect DHCP clients to untrusted interfaces and DHCP servers to trusted interfaces.

When the switch receives DHCP messages from clients on untrusted ports, it forwards them to the trusted ports in the same VLAN. When you configure the ports that connect to DHCP servers as trusted, the system drops any DHCP-server-to-client messages that it receives on untrusted interfaces.

By comparing the source MAC address in the Ethernet header with the client hardware address in the DHCP header, DHCP snooping makes it harder for malicious DHCP clients to acquire a DHCP lease.

Configuration Notes:
  • DHCP snooping is supported for IPv4 and IPv6.
  • DHCPv6 snooping works only with a DHCPv6 stateful server.
  • Enable DHCP snooping globally and on specific VLANs.
  • Configure ports within the VLAN to be trusted or untrusted.
  • By default, all ports are untrusted.
  • Connect DHCP servers through trusted ports.
  • Connect DHCP clients through untrusted ports.
  • On untrusted interfaces, the switch drops DHCP packets if the source MAC address does not match the client hardware address. You can disable this behavior by disabling the Verify MAC address feature. Disable it where DHCP relay or routed DHCP unicast request packets arrive, because the Ethernet source MAC address is then not the client's.
  • When you enable DHCP snooping, the Verify MAC address feature is enabled by default.
  • DHCP Snooping is not applied to VLANs on which snooping is not enabled.
  • You can configure a manual entry to the DHCP snooping binding table.
  • Before enabling DHCP snooping, remove the DHCP Layer 3 COPP rule and install the DHCP Layer 2 COPP rule. For more details, see the DHCP Layer 2 COPP configuration section.
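The trusted/untrusted and MAC-verification rules listed above, modelled as an added Python example (not Dell code and not the SONiC implementation). The frame builder, the Snooper class, and the interface names are constructed for illustration, and the model records a binding on any server reply rather than only on DHCPACK.

```python
import struct
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2   # BOOTP 'op' field: client-to-server vs server-to-client


def build_frame(src_mac, op, chaddr, yiaddr=b"\0\0\0\0"):
    """Constructed Ethernet/IPv4/UDP/BOOTP frame carrying only the fields the checks read."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"                       # broadcast dst, EtherType IPv4
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 0, 0, 0, 64, 17, 0) + b"\0" * 8
    udp = struct.pack("!HHHH", 68, 67, 8 + 236, 0)                  # bootpc -> bootps
    bootp = (bytes([op, 1, 6, 0]) + b"\0" * 12 + yiaddr + b"\0" * 8  # op..giaddr
             + chaddr + b"\0" * 10 + b"\0" * 192)                    # chaddr (16), sname+file
    return eth + ip + udp + bootp


@dataclass
class Snooper:
    """Per-switch snooping state: trusted ports, snooped VLANs, MAC verification, bindings."""
    trusted: set = field(default_factory=set)
    snoop_vlans: set = field(default_factory=set)
    verify_mac: bool = True
    bindings: dict = field(default_factory=dict)    # (vlan, client mac) -> leased IPv4

    def inspect(self, ifname, vlan, frame):
        """Return 'forward' or 'drop: <reason>' for a DHCPv4 frame seen on ifname/vlan."""
        if vlan not in self.snoop_vlans:
            return "forward"                        # snooping is not applied to this VLAN
        src_mac = frame[6:12]
        ihl = (frame[14] & 0x0F) * 4
        bootp = frame[14 + ihl + 8:]                # skip IPv4 header and 8-byte UDP header
        op, hlen = bootp[0], bootp[2]
        chaddr, yiaddr = bootp[28:28 + hlen], bootp[16:20]
        if op == BOOTREPLY:
            if ifname not in self.trusted:
                return "drop: server message on untrusted interface"
            # Simplification: record the binding on any reply; a switch waits for DHCPACK.
            self.bindings[(vlan, chaddr.hex(":"))] = ".".join(map(str, yiaddr))
            return "forward"
        if self.verify_mac and ifname not in self.trusted and chaddr != src_mac:
            return "drop: source MAC does not match client hardware address"
        return "forward"
```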
 

DHCP Layer 2 COPP Configuration

For DHCP snooping to work, perform this configuration:
  1. Uninstall the DHCP Layer 3 COPP rule. This is a default rule.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure terminal
DELLSONiC(config)# policy-map copp-system-policy type copp
DELLSONiC(config-policy-map)# no class copp-system-dhcp
  2. Install the DHCP Layer 2 COPP rule for DHCP snooping.
    
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure terminal
DELLSONiC(config)# policy-map copp-system-policy type copp
DELLSONiC(config-policy-map)# class copp-system-dhcpl2
DELLSONiC(config-policy-map-flow)# set copp-action copp-system-dhcp
 

IPv4 DHCP Snooping Configuration

To configure DHCP snooping, use the following procedure:
  1. Enable DHCP snooping globally.
sonic(config)# ip dhcp snooping

admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ip dhcp snooping
  2. Configure interfaces that are connected to the DHCP server as trusted.
sonic(config-if)# ip dhcp snooping trust

admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# interface Eth 1/1
DELLSONiC(config-if-Eth1/1)# ip dhcp snooping trust
DELLSONiC(config-if-Eth1/1)# show configuration
!
interface Eth1/1
 mtu 9100
 speed 100000
 unreliable-los auto
 no shutdown
 ip dhcp snooping trust
DELLSONiC(config-if-Eth1/1)#

DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Enabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
  3. Enable DHCP snooping on a VLAN or a VLAN list.
sonic(config)# ip dhcp snooping vlan {vlan-id | vlan-list}

admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ip dhcp snooping vlan 100,200-201
%Info: Configuring only existing vlans in range
NOTE: The above is an INFO message.
DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Enabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
  4. (Optional) Disable DHCP source MAC address verification.
sonic(config)# no ip dhcp snooping verify mac-address

admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# no ip dhcp snooping verify mac-address
DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Disabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
DELLSONiC#
  5. (Optional) Create a static entry in the DHCP snooping binding table.
sonic(config)# ip source binding source-ip-address source-mac-address vlan vlan-id interface interface-name
NOTE: Use the no form of the IP source binding command to remove a static entry.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ip source binding 10.10.100.150 aa:bb:cc:dd:11:22 Vlan 100 Eth 1/1
DELLSONiC# show ip dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IP Address       VLAN   Interface    Type     Lease (Secs)
-----------------  ---------------  ----   -----------  -------  -----------
aa:bb:cc:dd:11:22  10.10.100.150    100    Eth1/1       static   NA
DELLSONiC#
 

Clear Entries from the IPv4 DHCP Snooping Binding Table

Use the following commands to clear all or a specific dynamic entry:
  • Clear all dynamic IP DHCP snooping binding entries:
sonic(config)# clear ip dhcp snooping binding
  • Clear a specific dynamic IP DHCP snooping binding entry:
sonic(config)# clear ip dhcp snooping binding source-ip-address source-mac-address vlan vlan-id interface interface-name
  • Clear DHCP snooping statistics:
sonic# clear ip dhcp snooping statistics
 

View IPv4 DHCP Snooping Information

  • View general information about DHCP snooping:
sonic# show ip dhcp snooping

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Disabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
  • View the DHCP snooping binding database:
sonic# show ip dhcp snooping binding

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# show ip dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IP Address       VLAN   Interface    Type     Lease (Secs)
-----------------  ---------------  ----   -----------  -------  -----------
aa:bb:cc:dd:11:22  10.10.100.150    100    Eth1/1       static   NA
  • View DHCP snooping statistics:
sonic# show ip dhcp snooping statistics

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# show ip dhcp snooping statistics
Interface        MAC Verify   Client Ifc   DHCP Server
                 Failures     Mismatch     Msgs Recvd
---------------  ----------   ----------   -----------
Eth1/1           0            0            0
Eth1/2           0            0            0
Eth1/3           0            0            0
Eth1/4           0            0            0
Eth1/5           0            0            0
Eth1/6           0            0            0
Eth1/7           0            0            0
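A check that reads the statistics output in the layout shown above and flags untrusted interfaces with nonzero counters, as an added Python example (not Dell tooling). The sample text and its nonzero values are constructed; the interpretation of the counters given in the docstring is an assumption for this example.

```python
import re

# Constructed sample in the layout of "show ip dhcp snooping statistics" on this page;
# the nonzero counters are invented to exercise the check.
SAMPLE_STATS = """\
Interface        MAC Verify   Client Ifc   DHCP Server
                 Failures     Mismatch     Msgs Recvd
---------------  ----------   ----------   -----------
Eth1/1           0            0            0
Eth1/2           12           0            0
Eth1/3           0            0            3
Eth1/4           0            0            0
"""

ROW = re.compile(r"^(Eth\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_stats(text):
    """Map interface -> (mac_verify_failures, client_ifc_mismatch, server_msgs_recvd)."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            stats[m.group(1)] = tuple(int(v) for v in m.group(2, 3, 4))
    return stats


def findings(stats, trusted):
    """List (interface, counter, value) for every nonzero counter on an untrusted interface.

    Assumption for this example: on an untrusted port, MAC-verify failures and
    client-interface mismatches point to spoofed client traffic, and server
    messages received point to a rogue or misplaced DHCP server behind that port.
    """
    names = ("mac_verify_failures", "client_ifc_mismatch", "server_msgs_recvd")
    out = []
    for ifname, counters in sorted(stats.items()):
        if ifname in trusted:
            continue
        out.extend((ifname, n, v) for n, v in zip(names, counters) if v)
    return out
```

Run it periodically against the real command output (for example, collected over SSH) and compare the trusted set with the one reported by show ip dhcp snooping.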
 

IPv6 DHCP Snooping Configuration

To configure DHCPv6 snooping, use the following procedure:

  1. Enable DHCPv6 snooping globally.
sonic(config)# ipv6 dhcp snooping

admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ipv6 dhcp snooping
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Enabled
DHCPv6 snooping is enabled on the following VLANs:
DHCPv6 snooping trusted interfaces:
DELLSONiC#
  2. Configure interfaces that are connected to the DHCPv6 server as trusted.
sonic(config-if)# ipv6 dhcp snooping trust

admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# interface Eth 1/1
DELLSONiC(config-if-Eth1/1)# ipv6 dhcp snooping trust
DELLSONiC(config-if-Eth1/1)# show configuration
!
interface Eth1/1
 mtu 9100
 speed 100000
 unreliable-los auto
 no shutdown
 ip dhcp snooping trust
 ipv6 dhcp snooping trust
DELLSONiC(config-if-Eth1/1)#
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Enabled
DHCPv6 snooping is enabled on the following VLANs:
DHCPv6 snooping trusted interfaces: Eth1/1
  3. Enable DHCPv6 snooping on a VLAN or a VLAN list.
sonic(config)# ipv6 dhcp snooping vlan {vlan-id | vlan-list}

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# ipv6 dhcp snooping vlan 100,200-201
%Info: Configuring only existing vlans in range
NOTE: The above is an INFO message.
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Enabled
DHCPv6 snooping is enabled on the following VLANs: 100 200 201
DHCPv6 snooping trusted interfaces: Eth1/1
  4. (Optional) Disable DHCPv6 source MAC address verification.
sonic(config)# no ipv6 dhcp snooping verify mac-address

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# no ipv6 dhcp snooping verify mac-address
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Disabled
DHCPv6 snooping is enabled on the following VLANs: 100 200 201
DHCPv6 snooping trusted interfaces: Eth1/1
DELLSONiC#
  5. (Optional) Create a static entry in the DHCPv6 snooping binding table.
sonic(config)# ipv6 source binding source-ip-address source-mac-address vlan vlan-id interface interface-name

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# ipv6 source binding 2001:db8:3333::7778 aa:bb:cc:dd:11:11 Vlan 100 Eth 1/1
DELLSONiC# show ipv6 dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IPv6 Address          VLAN   Interface    Type     Lease (Secs)
-----------------  --------------------  ----   -----------  -------  -----------
aa:bb:cc:dd:11:11  2001:db8:3333::7778   100    Eth1/1       static   NA
DELLSONiC#
NOTE: Use the no form of the ipv6 source binding command to remove a static entry.

 

Clear Entries from the IPv6 DHCP Snooping Binding Table

Use the following commands to clear all or a specific dynamic entry:

  • Clear all dynamic IPv6 DHCP snooping binding entries:
sonic(config)# clear ipv6 dhcp snooping binding
  • Clear a specific dynamic IPv6 DHCP snooping binding entry:
sonic(config)# clear ipv6 dhcp snooping binding source-ip-address source-mac-address vlan vlan-id interface interface-name
  • Clear DHCPv6 snooping statistics:
sonic# clear ipv6 dhcp snooping statistics

 

View IPv6 DHCP Snooping Information

  • View general information about DHCP snooping:
sonic# show ipv6 dhcp snooping

DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Disabled
DHCPv6 snooping is enabled on the following VLANs: 100 200 201
DHCPv6 snooping trusted interfaces: Eth1/1
DELLSONiC#
  • View the DHCP snooping binding database: 
sonic# show ipv6 dhcp snooping binding 

DELLSONiC# show ipv6 dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IPv6 Address          VLAN   Interface    Type     Lease (Secs)
-----------------  --------------------  ----   -----------  -------  -----------
aa:bb:cc:dd:11:11  2001:db8:3333::7778   100    Eth1/1       static   NA
DELLSONiC#
  • View DHCP snooping statistics: 
sonic# show ipv6 dhcp snooping statistics 

DELLSONiC# show ipv6 dhcp snooping statistics
Interface        MAC Verify   Client Ifc   DHCP Server
                 Failures     Mismatch     Msgs Recvd
---------------  ----------   ----------   -----------
Eth1/1           0            0            0
Eth1/2           0            0            0
Eth1/3           0            0            0
Eth1/4           0            0            0

Affected Products

Enterprise SONiC Distribution, PowerSwitch S5048F-ON, PowerSwitch S5148F-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch S5448F-ON
Article Properties
Article Number: 000218723
Article Type: How To
Last Modified: 31 Oct 2023
Version:  2