About DHCP Snooping 

DHCP is a protocol that malicious agents can exploit to interfere with address assignment on the network. Therefore, starting from release 2.6.0, NetVisor OS has introduced support for DHCP protection (sometimes also referred to as DHCP Snooping). This requires that all DHCP packets be ‘snooped’, that is, copied to the CPU for inspection through a protocol-specific rate limiter.

To prevent rogue agents from posing as DHCP servers, only switch ports that connect to known legitimate DHCP servers are defined as trusted. Therefore, typical DHCP message exchanges from server to client (such as DHCPOFFER and DHCPACK) are considered legitimate only on such trusted ports. 

In a DHCP packet exchange there are various packet types: 

  • DHCPDISCOVER/DHCPREQUEST — Packets from the DHCP client to server (using UDP dest-port = 67)

  • DHCPOFFER/DHCPACK — Packets from the DHCP server to client (using UDP dest-port = 68)

To leverage this feature, NetVisor OS must snoop the DHCP packets, and achieves this by installing copy-to-cpu vFlows whose bw-max parameter sets the packet rate limit:

  • DHCP-client-vflow — Packets with UDP dest-port=67, copy-to-cpu 

  • DHCP-server-vflow — Packets with UDP dest-port=68, copy-to-cpu 

A trusted port is a port that receives DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER/ACKNOWLEDGE, received on a trusted port is valid. Ports not specifically configured as trusted are untrusted ports.

NetVisor OS drops any DHCP server message received on an untrusted port, which ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.

To let users control the list of trusted DHCP server ports, the CLI and APIs provide create/modify/show commands on the dhcp-lease object database, with a choice of notify, drop or disable policy actions.
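The following Python model, added here as an illustration and not NetVisor OS code, ties together the pieces described above: the two vFlow classifiers keyed on UDP destination port 67/68, a bw-max style rate limiter on the copy-to-CPU path, DHCP option 53 parsing to name the message type, and the trusted-port check that drops server messages arriving on untrusted ports. The semantics assumed for the three policy actions (notify logs and forwards, drop discards, disable discards and blocks the ingress port), the per-second rate-limit window, and the "not-inspected" verdict for copies beyond bw-max are assumptions of this model, as are the port names and the constructed DHCP payloads.

```python
"""Toy DHCP snooping model (added example, not NetVisor OS code)."""
import struct

UDP_DHCP_SERVER = 67   # client -> server (DISCOVER/REQUEST)
UDP_DHCP_CLIENT = 68   # server -> client (OFFER/ACK)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def build_dhcp(msg_type, xid=0x1234):
    """Build a minimal BOOTP/DHCP payload carrying option 53 (constructed test data)."""
    op = 1 if msg_type in (1, 3) else 2          # BOOTREQUEST or BOOTREPLY
    # op, htype, hlen, hops, xid, secs, flags, then ciaddr..file zeroed (224 bytes)
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + b"\0" * 224
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def dhcp_message_type(payload):
    """Return the DHCP option-53 value, or None if the payload is not parseable DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                # truncated option header
            return None
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None


class DhcpSnooper:
    """Applies the trusted-port rule to packets copied to the CPU by the two vFlows."""

    def __init__(self, trusted_ports, bw_max=10, untrusted_action="drop"):
        self.trusted = set(trusted_ports)        # ports facing legitimate DHCP servers
        self.bw_max = bw_max                     # CPU copies allowed per vFlow per second
        self.action = untrusted_action           # "notify", "drop" or "disable" (assumed semantics)
        self.disabled_ports = set()
        self.events = []                         # (ts, port, message type, action) for operators
        self._cpu_copies = {}                    # (vflow, second) -> copies sent to CPU

    def process(self, in_port, udp_dst, payload, ts):
        """Return the verdict for one packet: 'forward', 'drop' or 'not-inspected'."""
        if udp_dst == UDP_DHCP_SERVER:
            vflow = "DHCP-client-vflow"
        elif udp_dst == UDP_DHCP_CLIENT:
            vflow = "DHCP-server-vflow"
        else:
            return "forward"                     # not DHCP: no vFlow matches, no CPU copy
        if in_port in self.disabled_ports:
            return "drop"
        # bw-max rate limiter on the copy-to-cpu path; copies beyond the limit are
        # not inspected in this model (an assumption, the page does not specify it)
        key = (vflow, int(ts))
        self._cpu_copies[key] = self._cpu_copies.get(key, 0) + 1
        if self._cpu_copies[key] > self.bw_max:
            return "not-inspected"
        mtype = MSG_NAMES.get(dhcp_message_type(payload), "UNKNOWN")
        if vflow == "DHCP-client-vflow":
            return "forward"                     # client messages are legitimate on any port
        if in_port in self.trusted:
            return "forward"                     # server message from a trusted port
        # server message (OFFER/ACK) on an untrusted port: apply the configured policy
        self.events.append((ts, in_port, mtype, self.action))
        if self.action == "notify":
            return "forward"
        if self.action == "disable":
            self.disabled_ports.add(in_port)
        return "drop"


if __name__ == "__main__":
    snoop = DhcpSnooper(trusted_ports={"eth1"}, bw_max=5, untrusted_action="disable")
    print(snoop.process("eth7", 67, build_dhcp(1), ts=0.0))   # DISCOVER from a client
    print(snoop.process("eth1", 68, build_dhcp(2), ts=0.1))   # OFFER on the trusted port
    print(snoop.process("eth7", 68, build_dhcp(2), ts=0.2))   # OFFER on an untrusted port
    print(snoop.events)
```

Port 443 traffic passes straight through because neither vFlow matches it; only the two DHCP buckets consume rate-limiter budget and reach the policy check.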