Configuring DHCP Snooping



Netvisor ONE supports DHCP snooping as a security feature enabling the network admin to prevent denial-of-service (DoS) or Man-in-the-Middle (MiM) attacks from rogue DHCP agents.

You can define trusted ports to connect to the known good DHCP servers. DHCP snooping also maintains a mapping table for current assignments.


Enable DHCP snooping and specify the list of trusted server ports using the following command:


CLI (network-admin@switch) > dhcp—filter-create name name-string trusted-ports port-list


name name-string

Specify a name for the filter.

trusted-ports port-list

Specify a list of trusted ports.


The port list can then be modified or deleted with the following commands:


CLI (network-admin@switch) > dhcp-filter-modify name name-string trusted-ports port-list


name name-string

Specify the name for the filter to modify.

trusted-ports port-list

Specify a list of trusted ports.


To delete:


CLI (network-admin@switch) > dhcp-filter-delete name name-string


A DHCP filter can be shown with the command:


CLI (network-admin@switch) > dhcp-filter-show name name-string trusted-ports port-list vlan vlan-list


name name-string

Displays the name of the filter.

trusted-ports port-list

Specify a list of trusted ports.

vlan vlan-list

Displays a list of VLANs.


In order to drop packets from rogue DHCP agents connected through untrusted ports, Netvisor ONE supports a specific system vFlow entry in hardware: DHCP-LOG-DROP.


The vFlow entry sends the packets to the CPU in order to track and log the untrusted DHCP messages, and then drops them. This entry is set to a higher precedence than the one used for trusted DHCP ports.


Ports that are not in the trusted list connect to hosts whose DHCP trust level is unknown or zero, therefore Netvisor ONE ensures that the DHCP messages to be logged by the CPU are rate limited using a dedicated dhcp class so that its processing capacity is not exceeded. (See the Configuring CPTP section for more details.) 


The output for the dhcp-lease-show command has two new parameters to display trusted and untrusted DHCP agents:


CLI (network-admin@Spine1) > dhcp-lease-show trusted-server|no-trusted-server

 

CLI (network-admin@Spine1) > dhcp-lease-show format ip, mac, port, vlan, db-state, server, server-ip, server-port, trusted-server, last-msg

 

ip       mac               port vlan db-state  server server-ip  server-port trusted-server last-msg

-------- ----------------- ---- ---- --------- ------ ---------- ----------- -------------- --------

10.1.1.2 00:12:c0:80:1f:b8 9    1    unknown          10.1.1.100 65          no             offer


Log messages indicate the presence of an unknown or rogue DHCP agent:


DHCP server message received from untrusted port=<x> server-ip=<ip-addr>


north
    keyboard_arrow_up
    keyboard_arrow_down
    description
    print
    feedback
    support
    business
    rss_feed
    south