DHCP snooping is a security feature which allows the network to avoid denial-of-service attacks from rogue DHCP servers. Trusted ports are defined to connect to the known DHCP servers. DHCP snooping also maintains a mapping table for current assignments.

In a DHCP packet flow, there are the following packet types:

  • DHCPDISCOVER/DHCPREQUEST — Packets from the DHCP client to server (UDP dest-port = 67)
  • DHCPOFFER/DHCPACK — Packets from the DHCP Server to client (UDP dest-port = 68)

Netvisor must snoop the DHCP packets in order to implement this feature, and achieves this by installing a copy-to-cpu vFlow with the parameter, bw-max, to set packet rate limits.

  • DHCP-client-vflow — Packets with UDP dest-port=67, copy-to-cpu
  • DHCP-server-vflow — Packets with UDP dest-port=68, copy-to-cpu

A trusted port is a port receiving the DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER/ACKNOWLEDGE, received from trusted ports are valid. Ports not configured as trusted are untrusted ports. Netvisor drops any DHCP server message received from untrusted ports, and ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.

This command is used to create a DHCP filter.

Syntax   dhcp—filter-create

name name-string

Specify a name for the filter.

trusted-ports port-list

Specify a list of trusted ports.

Defaults   None

Access   Network Administrator


Version 2.6.0

Command introduced.

Usage   Use this command to create a DHCP filter for trusted ports.

Examples  To create a DHCP filter, trust-server-1, and port 13-17 , use the following syntax:

CLI (network-admin@switch) > dhcp-filter-create name trust-server-1 ports 13-17