Support for DHCP Snooping
Netvisor ONE supports DHCP snooping as a security feature allowing the network to avoid denial-of-service (DoS)attacks from rogue DHCP servers. You define trusted ports to connect to the known DHCP servers. DHCP snooping also maintains a mapping table for current assignments.
In a DHCP packet flow, there are the following packet types:
- DHCPDISCOVER/DHCPREQUEST — Packets from the DHCP client to server (UDP dest-port = 67)
- DHCPOFFER/DHCPACK — Packets from the DHCP Server to client (UDP dest-port = 68)
Netvisor One must snoop the DHCP packets in order to leverage this feature, and achieves this by installing a copy-to-cpu vFlow with the parameter, bw-max, to set packet rate limits.
- DHCP-client-vflow — Packets with UDP dest-port=67, copy-to-cpu
- DHCP-server-vflow — Packets with UDP dest-port=68, copy-to-cpu
A trusted port is a port receiving the DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER/ACKNOWLEDGE, received from trusted ports are valid. Ports not specifically configured as trusted are untrusted ports.
Netvisor One drops any DHCP server message received from an untrusted port, and ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.
Enable DHCP snooping and specify the list of trusted server ports using the following set of commands:
CLI (network-admin@Spine1) > dhcp—filter-create name name-string trusted-ports port-list
|
name name-string |
Specify a name for the filter. |
|
trusted-ports port-list |
Specify a list of trusted ports. |
CLI (network-admin@Spine1) > dhcp-filter-modify name name-string trusted-ports port-list
|
name name-string |
Specify the name of the filter to modify. |
|
trusted-ports port-list |
Specify a list of trusted ports. |
CLI network-admin@Spine1) > dhcp-filter-delete name name-string
|
name name-string |
Specify the name of the filter to delete. |
CLI (network-admin@Spine1) > dhcp-filter-show name name-string trusted-ports port-list vlan vlan-list
|
name name-string |
Displays the name of the filter. |
|
trusted-ports port-list |
Specify a list of trusted ports. |
|
vlan vlan-list |
Displays a list of VLANs. |
In order to drop the packets from rogue DHCP servers, connected through untrusted ports, Netvisor One has a new system vFlow, DHCP-LOG-DROP.
The vFlow sends the packets to the CPU, to track the untrusted server messages, and then drop the untrusted DHCP server packets. This is set to a higher precedence than the DHCP trusted ports vFlow. The vFlow includes the untrusted port list for the ingress port.
Untrusted ports typically connect to hosts where DHCP clients can send messages, and Netvisor One ensures the DHCP messages are rate limited using dhcp CPU class.
All the DHCP messages use the dhcp CPU class. The existing command for cpu-class-modify is used:
CLI (network-admin@Spine1) > cpu-class-modify name dhcp rate-limit rate-limit-number
The show output for the command, dhcp-lease-show, has two new parameters to display trusted and rogue DHCP servers:
CLI (network-admin@Spine1) > dhcp-lease-show trusted-server|no-trusted-server
CLI (network-admin@Spine1) > dhcp-lease-show
ip mac port vnet vlan db-state server server-ip server-port trusted-server last-msg
------------------- ----------------- ---- ---- ---- --------- ------ ---------- ----------- -------------- --------
6053:23a7:0:0:200:: 00:12:c0:80:1f:b8 9 1 unknown 10.1.1.100 65 no offer
Log messages indicate the presence of an unknown or rogue DHCP servers:
DHCP server message received from untrusted port=<x> server-ip=<ip-addr>