Support for DHCP Snooping
Netvisor ONE supports DHCP snooping as a security feature that lets the network avoid denial-of-service (DoS) attacks from rogue DHCP servers. You define trusted ports, which connect to the known DHCP servers. DHCP snooping also maintains a mapping table of current address assignments.
In a DHCP packet flow, there are the following packet types:
DHCPDISCOVER/DHCPREQUEST — Packets from the DHCP client to server (UDP dest-port = 67)
DHCPOFFER/DHCPACK — Packets from the DHCP Server to client (UDP dest-port = 68)
Netvisor ONE must snoop the DHCP packets in order to provide this feature, and achieves this by installing a copy-to-cpu vFlow whose bw-max parameter sets the packet rate limit.
DHCP client flow — Packets with UDP dest-port=67, copy-to-cpu
DHCP server flow — Packets with UDP dest-port=68, copy-to-cpu
A trusted port receives DHCP server messages from a trusted DHCP server. Netvisor ONE validates any DHCP server message, such as OFFER/ACKNOWLEDGE, received from a trusted port. Netvisor ONE designates ports not specifically configured as trusted as untrusted ports. Netvisor ONE drops any DHCP server message received from an untrusted port, which ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.
Enable DHCP snooping and specify the list of trusted server ports using the following set of commands:
CLI (network-admin@Spine1)>dhcp-filter-create name name-string trusted-ports port-list
name name-string
Specify a name for the filter.
trusted-ports port-list
Specify a list of trusted ports.
CLI (network-admin@Spine1)>dhcp-filter-modify name name-string trusted-ports port-list
name name-string
Specify the name of the filter to modify.
trusted-ports port-list
Specify a list of trusted ports.
CLI (network-admin@Spine1)>dhcp-filter-delete name name-string
name name-string
Specify the name of the filter to delete.
CLI (network-admin@Spine1)>dhcp-filter-show name name-string trusted-ports port-list vlan vlan-list
name name-string
Displays the name of the filter.
trusted-ports port-list
Displays a list of trusted ports.
vlan vlan-list
Displays a list of VLANs.
In order to drop the packets from rogue DHCP servers connected through untrusted ports, Netvisor ONE has a new system vFlow, DHCP-LOG-DROP.
The vFlow sends the packets to the CPU, so that the untrusted server messages can be tracked, and then drops the untrusted DHCP server packets. The vFlow has a higher precedence than the DHCP trusted ports vFlow. The vFlow matches on the ingress port, using the list of untrusted ports.
Untrusted ports typically connect to hosts where DHCP clients send messages, and Netvisor ONE ensures these DHCP messages are rate limited using the dhcp CPU class. All DHCP messages use the dhcp CPU class. Use the existing cpu-class-modify command to set the rate limit:
CLI (network-admin@Spine1)>cpu-class-modify name dhcp rate-limit rate-limit-number
The show output for the command, dhcp-lease-show, has two new parameters to display trusted and rogue DHCP servers:
CLI (network-admin@Spine1)>dhcp-lease-show trusted-server|no-trusted-server
CLI (network-admin@Spine1)>dhcp-lease-show
switch ip                  mac               port vnet vlan db-state server server-ip server-port trusted-server last-msg
------ ------------------- ----------------- ---- ---- ---- -------- ------ --------- ----------- -------------- --------
Spine1 6053:23a7:0:0:200:: 00:12:c0:80:1f:b8 9         1    unknown                  65          no             offer
Log messages indicate the presence of an unknown or rogue DHCP server:
DHCP server message received from untrusted port=<x> server-ip=<ip-addr>
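The trusted-port check, the DHCP-LOG-DROP behaviour, the dhcp CPU-class rate limit and the log message above, modelled as an added Python example (this is not Netvisor ONE code; the DhcpSnooper class, the packet dictionary fields and the packet-count rate limit are assumptions made for illustration):

```python
from collections import Counter
# DHCP message types (option 53) that matter to the snooping decision
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
CLIENT_MSGS = {DISCOVER: "discover", REQUEST: "request"}  # client -> server, UDP dst 67
SERVER_MSGS = {OFFER: "offer", ACK: "ack"}                # server -> client, UDP dst 68

class DhcpSnooper:
    """Assumed model of the trusted-port check, DHCP-LOG-DROP and the dhcp CPU class."""
    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)  # dhcp-filter-create ... trusted-ports
        self.rate_limit = rate_limit       # cpu-class-modify name dhcp rate-limit (packet count here, not pps)
        self.punted = Counter()            # DHCP packets copied to the CPU, per ingress port
        self.leases = {}                   # client mac -> row like dhcp-lease-show
        self.log = []

    def handle(self, pkt):
        """Decide 'forward' or 'drop' for one DHCP packet copied to the CPU."""
        port, mtype = pkt["ingress_port"], pkt["msg_type"]
        self.punted[port] += 1             # every DHCP message shares the dhcp CPU class
        if self.punted[port] > self.rate_limit:
            return "drop"
        if pkt["udp_dst"] == 67 and mtype in CLIENT_MSGS:
            return "forward"               # client messages are accepted from any port
        if pkt["udp_dst"] == 68 and mtype in SERVER_MSGS:
            trusted = port in self.trusted
            self.leases[pkt["client_mac"]] = {
                "server-port": port, "server-ip": pkt["server_ip"],
                "trusted-server": "yes" if trusted else "no",
                "last-msg": SERVER_MSGS[mtype]}
            if trusted:
                return "forward"           # validated OFFER/ACK from a trusted port
            # DHCP-LOG-DROP: log the rogue server, then drop its message
            self.log.append("DHCP server message received from untrusted "
                            f"port={port} server-ip={pkt['server_ip']}")
            return "drop"
        return "drop"                      # unexpected port/message-type combination

    def lease_show(self, trusted_server=None):
        """dhcp-lease-show, optionally filtered as trusted-server / no-trusted-server."""
        want = None if trusted_server is None else ("yes" if trusted_server else "no")
        return {m: r for m, r in self.leases.items() if want in (None, r["trusted-server"])}

def run_sample():
    """Constructed traffic: trusted server on port 65, rogue server answering on port 9."""
    s = DhcpSnooper(trusted_ports=[65], rate_limit=100)
    mac = "00:12:c0:80:1f:b8"
    s.handle(dict(ingress_port=9, udp_dst=67, msg_type=DISCOVER, client_mac=mac, server_ip=None))
    s.handle(dict(ingress_port=65, udp_dst=68, msg_type=OFFER, client_mac=mac, server_ip="10.0.0.1"))
    s.handle(dict(ingress_port=9, udp_dst=68, msg_type=OFFER, client_mac=mac, server_ip="10.0.0.99"))
    return s
```

After run_sample(), the rogue OFFER from port 9 is dropped and logged, while the lease row for the client records trusted-server no and last-msg offer, as in the dhcp-lease-show output above.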