dhcp-filter-create
DHCP snooping is a security feature that protects the network against denial-of-service attacks from rogue DHCP servers. Trusted ports are defined as the ports that connect to the known DHCP servers. DHCP snooping also maintains a mapping table of the current address assignments.
In a DHCP packet flow, there are the following packet types:
- DHCPDISCOVER/DHCPREQUEST — Packets from the DHCP client to server (UDP dest-port = 67)
- DHCPOFFER/DHCPACK — Packets from the DHCP server to client (UDP dest-port = 68)
 
To implement this feature, NetVisor must snoop the DHCP packets. It does so by installing copy-to-cpu vFlows, using the bw-max parameter to rate-limit the packets copied to the CPU:
- DHCP-client-vflow — Packets with UDP dest-port=67, copy-to-cpu
- DHCP-server-vflow — Packets with UDP dest-port=68, copy-to-cpu
 
A trusted port is a port that receives DHCP server messages from a trusted DHCP server. Any DHCP server message, such as OFFER or ACKNOWLEDGE, received on a trusted port is valid. Ports not configured as trusted are untrusted ports. NetVisor drops any DHCP server message received on an untrusted port, which ensures that a rogue DHCP server cannot assign IP addresses to devices on your network.
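The trusted-port decision described above, as an added Python model that is not NetVisor code and not part of this manual page. The packet fields, MAC address and IP addresses are constructed sample values; the port list 13-17 is taken from the page's example, and the port-list syntax the parser accepts is an assumption.

```python
from dataclasses import dataclass, field

# UDP destination ports the page uses to classify DHCP traffic
DHCP_SERVER_PORT = 67   # DISCOVER/REQUEST: client -> server
DHCP_CLIENT_PORT = 68   # OFFER/ACK: server -> client


def parse_port_list(spec):
    """Expand a port-list such as '13-17' or '13-17,20' into a set of ports (assumed syntax)."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


@dataclass
class DhcpFilter:
    """One DHCP filter: a name, its trusted ports and the snooped mapping table."""
    name: str
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # client MAC -> assigned IP

    def inspect(self, ingress_port, udp_dst, msg_type, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP packet copied to the CPU."""
        if udp_dst == DHCP_SERVER_PORT:
            # Client messages (DISCOVER/REQUEST) are accepted from any port.
            return "forward"
        if udp_dst == DHCP_CLIENT_PORT:
            # Server messages (OFFER/ACK) are valid only from a trusted port;
            # on an untrusted port they come from a rogue server and are dropped.
            if ingress_port not in self.trusted_ports:
                return "drop"
            if msg_type == "ACK" and yiaddr:
                # Record the assignment in the mapping table.
                self.bindings[client_mac] = yiaddr
            return "forward"
        return "forward"  # not DHCP, so not snooped


def demo():
    """Constructed packets checked against the filter from the page's example."""
    flt = DhcpFilter("trust-server-1", parse_port_list("13-17"))
    packets = [  # (ingress port, UDP dst, message type, client MAC, yiaddr)
        (5, 67, "DISCOVER", "00:11:22:33:44:55", None),
        (5, 68, "OFFER", "00:11:22:33:44:55", "10.0.0.50"),   # rogue server on port 5
        (14, 68, "ACK", "00:11:22:33:44:55", "10.0.0.20"),    # trusted port 14
    ]
    return [flt.inspect(*pkt) for pkt in packets], flt.bindings
```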
This command is used to create a DHCP filter.
Syntax dhcp-filter-create
| Parameter | Description |
| name name-string | Specify a name for the filter. |
| trusted-ports port-list | Specify a list of trusted ports. |

Defaults None
Access Network Administrator
History
| Version 2.6.0 | Command introduced. |

Usage Use this command to create a DHCP filter for trusted ports.
Examples To create a DHCP filter named trust-server-1 that trusts ports 13-17, use the following syntax:
CLI (network-admin@switch) > dhcp-filter-create name trust-server-1 trusted-ports 13-17
