Support for DHCP Snooping

DHCP snooping is a security feature that protects the network from denial-of-service (DoS) attacks by rogue DHCP servers. Trusted ports are defined to connect to the known DHCP servers. DHCP snooping also maintains a mapping table of current address assignments.

In a DHCP packet flow, there are the following packet types:

Netvisor must snoop the DHCP packets to support this feature, and does so by installing a copy-to-cpu vFlow; the vFlow's bw-max parameter sets the packet rate limit.

A trusted port is a port that receives DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER or ACKNOWLEDGE, received on a trusted port is valid. Ports not specifically configured as trusted are untrusted ports. Netvisor drops any DHCP server message received on an untrusted port, which ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.

Enable DHCP snooping and specify the list of trusted server ports using the following set of commands:

CLI (network-admin@Spine1)>dhcp-filter-create name name-string trusted-ports port-list

name name-string

Specify a name for the filter.

trusted-ports port-list

Specify a list of trusted ports.

CLI (network-admin@Spine1)>dhcp-filter-modify name name-string trusted-ports port-list

name name-string

Specify the name of the filter to modify.

trusted-ports port-list

Specify a list of trusted ports.

CLI (network-admin@Spine1)>dhcp-filter-delete name name-string

name name-string

Specify the name of the filter to delete.

CLI (network-admin@Spine1)>dhcp-filter-show name name-string trusted-ports port-list vlan vlan-list

name name-string

Displays the name of the filter.

trusted-ports port-list

Displays a list of trusted ports.

vlan vlan-list

Displays a list of VLANs.

To drop packets from rogue DHCP servers connected through untrusted ports, Netvisor has a new system vFlow, DHCP-LOG-DROP.

The vFlow sends the packets to the CPU to track untrusted server messages, and then drops the untrusted DHCP server packets. It is set to a higher precedence than the DHCP trusted ports vFlow, and its ingress port match includes the untrusted port list.

Untrusted ports typically connect to hosts where DHCP clients send messages, and Netvisor ensures that these DHCP messages are rate limited using the dhcp CPU class. All DHCP messages use the dhcp CPU class. The rate limit is set with the existing cpu-class-modify command:

CLI (network-admin@Spine1)>cpu-class-modify name dhcp rate-limit rate-limit-number 

The dhcp-lease-show command has two new parameters for displaying trusted and rogue DHCP servers:

CLI (network-admin@Spine1)>dhcp-lease-show trusted-server|no-trusted-server

CLI (network-admin@Spine1)>dhcp-lease-show

switch        ip                  mac               port vnet vlan db-state  server
------------- ------------------- ----------------- ---- ---- ---- --------- ------
Spine1        6053:23a7:0:0:200:: 00:12:c0:80:1f:b8 9         1    unknown

server-ip  server-port trusted-server last-msg
---------- ----------- -------------- --------
10.1.1.100 65          no             offer

Log messages indicate the presence of unknown or rogue DHCP servers:

DHCP server message received from untrusted port=<x> server-ip=<ip-addr>
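As an added monitoring example that is not part of the Netvisor documentation: the script below parses the server block of dhcp-lease-show output and the "untrusted port" log line format shown above, and separates servers that are truly rogue from approved servers that appear on an untrusted port (which means their port is missing from the trusted-ports list). The sample output, log lines and the APPROVED_DHCP_SERVERS allowlist are constructed for this example.

```python
import re
from collections import Counter

# Log line format documented on this page:
#   DHCP server message received from untrusted port=<x> server-ip=<ip-addr>
UNTRUSTED_RE = re.compile(r"DHCP server message received from untrusted port=(?P<port>\d+)"
                          r"\s+server-ip=(?P<ip>[0-9A-Fa-f.:]+)")
# Constructed sample: the server block of dhcp-lease-show from this page plus one trusted row.
SAMPLE_LEASE_SHOW = """\
server-ip  server-port trusted-server last-msg
---------- ----------- -------------- --------
10.1.1.100 65          no             offer
10.1.1.5   9           yes            ack
"""
# Constructed sample log lines in the documented format (third line: an approved server on an untrusted port).
SAMPLE_LOG = """\
DHCP server message received from untrusted port=65 server-ip=10.1.1.100
DHCP server message received from untrusted port=65 server-ip=10.1.1.100
DHCP server message received from untrusted port=12 server-ip=10.1.1.5
"""
APPROVED_DHCP_SERVERS = {"10.1.1.5"}  # assumed site allowlist, not from the page

def parse_untrusted_server_logs(log_text):
    """Return {server-ip: Counter({port: hits})} for every untrusted-server log line."""
    hits = {}
    for line in log_text.splitlines():
        m = UNTRUSTED_RE.search(line)
        if m:
            hits.setdefault(m["ip"], Counter())[int(m["port"])] += 1
    return hits

def parse_lease_servers(show_text):
    """Parse the server-ip/server-port/trusted-server/last-msg rows of dhcp-lease-show."""
    lines = [l for l in show_text.splitlines() if l.strip()]
    rows = []
    for i, line in enumerate(lines):
        if line.split()[:2] == ["server-ip", "server-port"]:
            for data in lines[i + 2:]:  # skip the dashed separator line
                cols = data.split()
                if len(cols) < 4:
                    break
                rows.append({"server_ip": cols[0], "server_port": int(cols[1]),
                             "trusted": cols[2] == "yes", "last_msg": cols[3]})
            break
    return rows

def classify_servers(show_text, log_text, approved_ips):
    """rogue: on an untrusted port and not approved; misconfigured_trust: approved but on an untrusted port."""
    seen = {r["server_ip"] for r in parse_lease_servers(show_text) if not r["trusted"]}
    seen |= set(parse_untrusted_server_logs(log_text))
    return {"rogue": sorted(seen - approved_ips), "misconfigured_trust": sorted(seen & approved_ips)}
```

Servers in the "misconfigured_trust" list are the ones to fix with dhcp-filter-modify; servers in "rogue" are the ones to locate by the port number in the log line.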