Configuring DHCP Snooping
Netvisor ONE supports DHCP snooping, a security feature that lets the network administrator prevent denial-of-service (DoS) and Man-in-the-Middle (MiM) attacks from rogue DHCP agents.
You can define trusted ports that connect to the known good DHCP servers. DHCP snooping also maintains a mapping table of the current address assignments.
Enable DHCP snooping and specify the list of trusted server ports using the following command:
CLI (network-admin@switch) > dhcp-filter-create name name-string trusted-ports port-list
name name-string          Specify a name for the filter.
trusted-ports port-list   Specify a list of trusted ports.
The port list can then be modified or deleted with the following commands:
CLI (network-admin@switch) > dhcp-filter-modify name name-string trusted-ports port-list
name name-string          Specify the name of the filter to modify.
trusted-ports port-list   Specify a list of trusted ports.
To delete:
CLI (network-admin@switch) > dhcp-filter-delete name name-string
A DHCP filter can be displayed with the command:
CLI (network-admin@switch) > dhcp-filter-show name name-string trusted-ports port-list vlan vlan-list
name name-string          Displays the name of the filter.
trusted-ports port-list   Specify a list of trusted ports.
vlan vlan-list            Displays a list of VLANs.
In order to drop packets from rogue DHCP agents connected through untrusted ports, Netvisor ONE supports a specific system vFlow entry in hardware: DHCP-LOG-DROP.
The vFlow entry sends the packets to the CPU so that the untrusted DHCP messages can be tracked and logged, and then drops them. This entry is set to a higher precedence than the one used for trusted DHCP ports.
Ports that are not in the trusted list connect to hosts whose DHCP trust level is unknown or zero. Netvisor ONE therefore rate limits the DHCP messages sent to the CPU for logging, using a dedicated dhcp class, so that the CPU's processing capacity is not exceeded. (See the Configuring CPTP section for more details.)
The output for the dhcp-lease-show command has two new parameters to display trusted and untrusted DHCP agents:
CLI (network-admin@Spine1) > dhcp-lease-show trusted-server|no-trusted-server
CLI (network-admin@Spine1) > dhcp-lease-show format ip, mac, port, vlan, db-state, server, server-ip, server-port, trusted-server, last-msg
ip       mac               port vlan db-state  server server-ip  server-port trusted-server last-msg
-------- ----------------- ---- ---- --------- ------ ---------- ----------- -------------- --------
10.1.1.2 00:12:c0:80:1f:b8 9    1    unknown          10.1.1.100 65          no             offer
Log messages indicate the presence of an unknown or rogue DHCP agent:
DHCP server message received from untrusted port=<x> server-ip=<ip-addr>
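As an added example (not from the Netvisor ONE documentation), the following Python parses the dhcp-lease-show output format and the untrusted-port log message shown above, so a log collector can count rogue servers per port and flag leases that did not come from a configured trusted port. The syslog lines, the second lease row and the trusted-ports set are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the page documents (not real device output).
SAMPLE_LOG = """\
2024-01-01T10:00:01 switch1 DHCP server message received from untrusted port=9 server-ip=10.1.1.100
2024-01-01T10:00:04 switch1 DHCP server message received from untrusted port=9 server-ip=10.1.1.100
2024-01-01T10:00:09 switch1 DHCP server message received from untrusted port=12 server-ip=10.1.1.200
2024-01-01T10:00:10 switch1 link up port=12
"""

# Constructed dhcp-lease-show output; the first row mirrors the page, the second is made up.
SAMPLE_LEASES = """\
ip        mac               port vlan db-state server server-ip  server-port trusted-server last-msg
--------- ----------------- ---- ---- -------- ------ ---------- ----------- -------------- --------
10.1.1.2  00:12:c0:80:1f:b8 9    1    unknown         10.1.1.100 65          no             offer
10.1.1.7  00:12:c0:80:1f:c9 3    1    ok              10.1.1.5   1           yes            ack
"""

LOG_RE = re.compile(
    r"DHCP server message received from untrusted port=(?P<port>\d+) server-ip=(?P<ip>[\d.]+)"
)

def rogue_servers_from_log(text):
    """Count DHCP-LOG-DROP log lines per (untrusted port, server-ip)."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(int(m.group("port")), m.group("ip"))] += 1
    return counts

def parse_lease_table(text):
    """Parse dhcp-lease-show output; column widths come from the dashed underline,
    so an empty cell (e.g. a blank 'server' column) still maps to the right header."""
    header, underline, *rows = text.splitlines()
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", underline)]
    names = [header[s:e].strip() for s, e in spans]
    return [dict(zip(names, [row[s:e].strip() for s, e in spans]))
            for row in rows if row.strip()]

def untrusted_leases(leases, trusted_ports):
    """Leases the switch marked trusted-server=no, or whose server-port is not
    in the trusted-ports list configured with dhcp-filter-create."""
    return [l for l in leases
            if l["trusted-server"] == "no" or int(l["server-port"]) not in trusted_ports]
```

Feed `rogue_servers_from_log` the switch syslog and `parse_lease_table` the output of `dhcp-lease-show format ...` to get the same two views the page describes, with each result as a Python value rather than screen text.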