DHCP Snooping configuration on Broadcom Sonic


Enabling DHCP Snooping 

Command: 

ip dhcp snooping 

This command enables DHCP Snooping globally on the device, helping monitor and block unauthorized DHCP servers. 

Disable DHCP snooping 

sonic-cli# configure terminal 

sonic-cli(config)# no ip dhcp snooping 


Enabling DHCP Snooping on VLANs 

After globally enabling DHCP Snooping on a network switch, the next step is to configure which VLANs will have DHCP Snooping active.

Command: 

ip dhcp snooping vlan <vlan-id> 

Example: 

sonic(config)# ip dhcp snooping vlan 110  

This command enables DHCP Snooping on VLAN 110, helping filter DHCP messages on this VLAN. 

Configuring Trusted DHCP Interfaces 

In DHCP Snooping, all interfaces on a switch are untrusted by default to prevent unauthorized DHCP servers from issuing IP addresses. To allow legitimate DHCP messages to pass through, you need to configure specific interfaces as trusted. 

Command: 

ip dhcp snooping trust 

Example: 

sonic(config)# interface Ethernet5 

sonic(config-if)# ip dhcp snooping trust  

This command marks Ethernet5 as a trusted interface, allowing DHCP messages from legitimate DHCP servers to pass. 

Disable: 

sonic(config-if)# no ip dhcp snooping trust 

Enabling DHCP Snooping MAC Verification 

To enhance security within DHCP Snooping, you can enable MAC address verification. This feature helps ensure that the MAC addresses in DHCP messages are consistent with the bindings stored in the DHCP Snooping database. 

The ip dhcp snooping verify mac-address command enables DHCPv4 Snooping MAC verification, which checks that the MAC addresses in DHCP packets match the entries in the binding database. If a mismatch occurs, the switch can take action, such as dropping the packet. 

Enabling MAC Verification: 
Enter configuration mode: 

sonic-cli# configure terminal 

Enable MAC verification: 

sonic-cli(config)# ip dhcp snooping verify mac-address 

 

Disabling MAC Verification: 

Enter configuration mode: 

sonic-cli# configure terminal 

Disable MAC verification: 

sonic-cli(config)# no ip dhcp snooping verify mac-address 

Importance of MAC Verification 

Enabling MAC address verification adds an additional layer of security to your DHCP Snooping configuration. It helps prevent unauthorized devices from responding to DHCP requests and ensures that clients receive the correct IP addresses based on their MAC addresses, enhancing the overall integrity and security of the network. 

Verifying DHCP Snooping Status 

To verify that DHCP Snooping is functioning correctly, you can use the following command to check its status. 

Command: 

show ip dhcp snooping  

The output of this command lists the VLANs on which DHCP Snooping is enabled and the status of each interface. It identifies which interfaces are trusted (connected to legitimate DHCP servers) and which are untrusted (connected to end devices). 

Viewing DHCP Bindings 

Once DHCP Snooping is configured and clients have obtained leases, you can view the current DHCP bindings, which show which IP addresses have been assigned to which clients. 

Command: 

show ip dhcp snooping binding 
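The sections above describe four settings (global enable, snooped VLANs, trusted interfaces, MAC verification) and the binding database they feed. The Python model below is an added example, not Broadcom SONiC code, that ties them together: it renders a configuration as the sonic-cli commands from this article and then simulates the switch's forward/drop decision for a sequence of DHCP messages, learning a binding when a trusted server assigns an address. The concrete MAC check it applies (frame source MAC must equal the DHCP chaddr field, and a RELEASE/DECLINE must match the recorded binding for the claimed address) is this example's interpretation of the consistency check the article describes. All port names, MAC and IP addresses are constructed sample values.

```python
"""Model of the DHCP Snooping decisions described in the article (added example)."""
from dataclasses import dataclass, field

# DHCP message types: option 53 values from RFC 2132
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}  # only a DHCP server legitimately sends these


@dataclass
class SnoopingConfig:
    enabled: bool = False                       # ip dhcp snooping
    vlans: set = field(default_factory=set)     # ip dhcp snooping vlan <id>
    trusted: set = field(default_factory=set)   # ip dhcp snooping trust (per interface)
    verify_mac: bool = False                    # ip dhcp snooping verify mac-address

    def cli(self):
        """Render this configuration as the sonic-cli commands shown in the article."""
        lines = ["ip dhcp snooping" if self.enabled else "no ip dhcp snooping"]
        lines += [f"ip dhcp snooping vlan {v}" for v in sorted(self.vlans)]
        for port in sorted(self.trusted):  # 'exit' leaves interface mode (assumed)
            lines += [f"interface {port}", "ip dhcp snooping trust", "exit"]
        if self.verify_mac:
            lines.append("ip dhcp snooping verify mac-address")
        return lines


@dataclass
class DhcpFrame:
    port: str                 # ingress interface, e.g. "Ethernet5"
    vlan: int
    src_mac: str              # Ethernet source address
    msg_type: int
    chaddr: str               # client hardware address field in the DHCP header
    yiaddr: str = "0.0.0.0"   # address being offered/assigned (OFFER, ACK)
    ciaddr: str = "0.0.0.0"   # address the client claims (RELEASE, DECLINE)


class SnoopingSwitch:
    def __init__(self, cfg: SnoopingConfig):
        self.cfg = cfg
        self.bindings = {}    # ip -> {"mac", "vlan", "port"}: the binding database
        self._pending = {}    # chaddr -> port of the client's last DISCOVER/REQUEST

    def process(self, f: DhcpFrame):
        """Return ("forward" | "drop", reason) for one DHCP message."""
        cfg = self.cfg
        if not cfg.enabled or f.vlan not in cfg.vlans:
            return "forward", "snooping not active on this VLAN"
        trusted = f.port in cfg.trusted
        src, chaddr = f.src_mac.lower(), f.chaddr.lower()

        # Untrusted ports never carry server replies: blocks unauthorized DHCP servers
        if f.msg_type in SERVER_MESSAGES and not trusted:
            return "drop", f"server message on untrusted port {f.port}"

        if not trusted:
            # MAC verification: the frame must come from the client it claims to be
            if cfg.verify_mac and src != chaddr:
                return "drop", f"source MAC {src} does not match chaddr {chaddr}"
            # A RELEASE/DECLINE must agree with the binding, so one host cannot
            # release another host's lease
            if f.msg_type in (RELEASE, DECLINE):
                b = self.bindings.get(f.ciaddr)
                if b is None or b["mac"] != chaddr or b["port"] != f.port:
                    return "drop", f"{f.ciaddr} is not bound to {chaddr} on {f.port}"
                self.bindings.pop(f.ciaddr)
                return "forward", "binding released"
            if f.msg_type in (DISCOVER, REQUEST):
                self._pending[chaddr] = f.port
            return "forward", "client message"

        # Trusted port: learn the binding when the server assigns an address
        if f.msg_type == ACK and f.yiaddr != "0.0.0.0":
            client_port = self._pending.pop(chaddr, None)
            if client_port is not None:
                self.bindings[f.yiaddr] = {"mac": chaddr, "vlan": f.vlan, "port": client_port}
        return "forward", "trusted port"


def demo():
    """Run one lease through the switch plus three forged messages it should drop."""
    cfg = SnoopingConfig(enabled=True, vlans={110}, trusted={"Ethernet5"}, verify_mac=True)
    sw = SnoopingSwitch(cfg)
    client, server, rogue = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    results = [
        sw.process(DhcpFrame("Ethernet10", 110, client, DISCOVER, client)),
        sw.process(DhcpFrame("Ethernet12", 110, rogue, OFFER, client, yiaddr="10.1.110.200")),
        sw.process(DhcpFrame("Ethernet5", 110, server, OFFER, client, yiaddr="10.1.110.50")),
        sw.process(DhcpFrame("Ethernet10", 110, client, REQUEST, client)),
        sw.process(DhcpFrame("Ethernet5", 110, server, ACK, client, yiaddr="10.1.110.50")),
        sw.process(DhcpFrame("Ethernet12", 110, rogue, RELEASE, client, ciaddr="10.1.110.50")),
        sw.process(DhcpFrame("Ethernet12", 110, client, RELEASE, client, ciaddr="10.1.110.50")),
    ]
    return results, dict(sw.bindings)


if __name__ == "__main__":
    results, bindings = demo()
    for verdict, reason in results:
        print(f"{verdict:8} {reason}")
    print("bindings:", bindings)
```

Running the script shows the rogue OFFER dropped on the untrusted port, the legitimate lease learned as a binding on Ethernet10, and both forged RELEASE messages dropped: the first because the source MAC differs from the chaddr, the second because it arrives on a port that does not match the binding.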
