Support for DHCP Snooping


Netvisor ONE supports DHCP snooping as a security feature allowing the network to avoid denial-of-service (DoS)attacks from rogue DHCP servers. You define trusted ports to connect to the known DHCP servers. DHCP snooping also maintains a mapping table for current assignments.

 

In a DHCP packet flow, there are the following packet types:


  • DHCPDISCOVER/DHCPREQUEST — Packets from the DHCP client to server (UDP dest-port = 67)
  • DHCPOFFER/DHCPACK — Packets from the DHCP Server to client (UDP dest-port = 68)

 

Netvisor One must snoop the DHCP packets in order to leverage this feature, and achieves this by installing a copy-to-cpu vFlow with the parameter, bw-max, to set packet rate limits.

 

  • DHCP-client-vflow — Packets with UDP dest-port=67, copy-to-cpu
  • DHCP-server-vflow — Packets with UDP dest-port=68, copy-to-cpu

 

A trusted port is a port receiving the DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER/ACKNOWLEDGE, received from trusted ports are valid. Ports not specifically configured as trusted are untrusted ports.


Netvisor One drops any DHCP server message received from an untrusted port, and ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.

 

Enable DHCP snooping and specify the list of trusted server ports using the following set of commands:

 

CLI (network-admin@Spine1) >  dhcp—filter-create name name-string trusted-ports port-list

 

name name-string

Specify a name for the filter.

trusted-ports port-list

Specify a list of trusted ports.

 

 CLI (network-admin@Spine1) >  dhcp-filter-modify name name-string trusted-ports port-list

 

name name-string

Specify the name of the filter to modify.

trusted-ports port-list

Specify a list of trusted ports.

 

CLI network-admin@Spine1) >  dhcp-filter-delete name name-string

 

name name-string

Specify the name of the filter to delete.

 

CLI (network-admin@Spine1) >  dhcp-filter-show name name-string trusted-ports port-list vlan vlan-list

 

name name-string

Displays the name of the filter.

trusted-ports port-list

Specify a list of trusted ports.

vlan vlan-list

Displays a list of VLANs.


In order to drop the packets from rogue DHCP servers, connected through untrusted ports, Netvisor One has a new system vFlow, DHCP-LOG-DROP.


The vFlow sends the packets to the CPU, to track the untrusted server messages, and then drop the untrusted DHCP server packets. This is set to a higher precedence than the DHCP trusted ports vFlow. The vFlow includes the untrusted port list for the ingress port.


Untrusted ports typically connect to hosts where DHCP clients can send messages, and Netvisor One ensures the DHCP messages are rate limited using dhcp CPU class.

 

All the DHCP messages use the dhcp CPU class. The existing command for cpu-class-modify is used:

 

CLI (network-admin@Spine1) >  cpu-class-modify name dhcp rate-limit rate-limit-number 

 

The show output for the command, dhcp-lease-show, has two new parameters to display trusted and rogue DHCP servers:

 

CLI (network-admin@Spine1) >  dhcp-lease-show trusted-server|no-trusted-server

 

CLI (network-admin@Spine1) >  dhcp-lease-show

 

  ip                  mac              port vnet vlan db-state  server server-ip  server-port trusted-server last-msg

------------------- ----------------- ----  ---- ---- --------- ------ ---------- ----------- -------------- --------

6053:23a7:0:0:200:: 00:12:c0:80:1f:b8  9          1    unknown  10.1.1.100 65          no             offer

 


Log messages indicate the presence of an unknown or rogue DHCP servers:

 

DHCP server message received from untrusted port=<x> server-ip=<ip-addr>