D Commands

DHCP

dhcp-filter-create

DHCP snooping is a security feature which allows the network to avoid denial-of-service attacks from rogue DHCP servers. Trusted ports are defined to connect to the known DHCP servers. DHCP snooping also maintains a mapping table for current assignments.

In a DHCP packet flow, there are the following packet types:

Netvisor must snoop the DHCP packets in order to implement this feature. It does so by installing a copy-to-cpu vFlow that uses the bw-max parameter to set packet rate limits.

A trusted port is a port that receives DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER/ACKNOWLEDGE, received from a trusted port is valid. Ports not configured as trusted are untrusted ports. Netvisor drops any DHCP server message received from untrusted ports, which ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.
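The trusted-port rule and the assignment table described above, modelled in Python as an added example (not Netvisor code and not part of the original page). The function names, the drop-on-malformed behaviour and the MAC-to-IP table layout are assumptions, and `build_sample` produces constructed test payloads.

```python
import struct

# DHCP message types (option 53). OFFER/ACK/NAK originate from servers.
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_TYPES = {"OFFER", "ACK", "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def dhcp_message_type(payload: bytes):
    """Return the option-53 name from a BOOTP/DHCP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                             # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                             # truncated option value
        if payload[i] == 53 and length == 1:
            return MSG_TYPES.get(value[0])
        i += 2 + length
    return None

def snoop(payload, ingress_port, trusted_ports, bindings):
    """Hypothetical model of the filter decision; returns "forward" or "drop"."""
    mtype = dhcp_message_type(payload)
    if mtype is None:
        return "drop"      # assumption: unparseable DHCP is dropped
    if mtype in SERVER_TYPES and ingress_port not in trusted_ports:
        return "drop"      # server message on an untrusted port
    if mtype == "ACK":     # record the assignment: client MAC -> yiaddr
        mac = payload[28:34].hex(":")
        bindings[mac] = ".".join(str(b) for b in payload[16:20])
    return "forward"

def build_sample(msg_type, yiaddr, mac):
    """Constructed sample payload: 236-byte BOOTP header, cookie, option 53, end."""
    op = 2 if MSG_TYPES[msg_type] in SERVER_TYPES else 1
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), yiaddr, bytes(4), bytes(4), mac, b"", b"")
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
```

Client messages such as DISCOVER are forwarded from any port; only server-originated types are checked against the trusted-port list.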

This command is used to create a DHCP filter.

Syntax   dhcp-filter-create name name-string trusted-ports port-list

name name-string

Specify a name for the filter.

trusted-ports port-list

Specify a list of trusted ports.

Defaults   None

Access   Network Administrator

History   Command introduced in Version 2.6.0.

Usage   Use this command to create a DHCP filter for trusted ports.

Examples  To create a DHCP filter named trust-server-1 with trusted ports 13-17, use the following syntax:

CLI network-admin@switch > dhcp-filter-create name trust-server-1 trusted-ports 13-17

See Also