DHCP snooping is a security feature which allows the network to avoid denial-of-service attacks from rogue DHCP servers. Trusted ports are defined to connect to the known DHCP servers. DHCP snooping also maintains a mapping table for current assignments.
In a DHCP packet flow, there are the following packet types:
DHCPDISCOVER/DHCPREQUEST — Packets from the DHCP client to server (UDP dest-port = 67)
DHCPOFFER/DHCPACK — Packets from the DHCP Server to client (UDP dest-port = 68)
Netvisor must snoop the DHCP packets in order to implement this feature, and achieves this by installing a copy-to-cpu vFlow with the parameter, bw-max, to set packet rate limits.
DHCP-client-vflow — Packets with UDP dest-port=67, copy-to-cpu
DHCP-server-vflow — Packets with UDP dest-port=68, copy-to-cpu
A trusted port is a port receiving the DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER/ACKNOWLEDGE, received from trusted ports are valid. Ports not configured as trusted are untrusted ports. Netvisor drops any DHCP server message received from untrusted ports, and ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.
This command is used to modify a DHCP filter.
Syntax dhcp—filter-modify name name-string trusted-ports port-list
Specify a name for the filter.
Specify a list of trusted ports.
Access Network Administrator
History Command introduced in Version 2.6.0.
Usage Use this command to create a DHCP filter for trusted ports.
Examples To modify a DHCP filter, trust-server-1 and change the ports to 33-35, use the following syntax:
CLI network-admin@switch > dhcp-filter-modify name trust-server-1 ports 33-35