SecureStack/G/D-Series Configuration to Block Packets From a Rogue DHCP Server

FAQ_User — Wed, 04 Dec 2013 22:25:00 GMT

Article ID: 12008

Products
SecureStack C3, firmware 1.02.01.0004 and higher
SecureStack C2, firmware 5.02.01.0006 and higher
SecureStack B3, firmware 1.02.01.0004 and higher
SecureStack B2, firmware 4.02.01.0006 and higher
G-Series, firmware 1.02.00.0043 and higher
D-Series, firmware 6.03.01.0008 and higher

Goals
Block packets from a rogue DHCP server.
Configure DHCP Snooping.
Sample configuration.

Solution/Workaround
DHCP Snooping prevents DHCP server packets such as "offers" from being passed onto the network. This will stop rogue DHCP servers from supplying incorrect IP addresses to DHCP clients.

For at least minimal/default functionality, here are the three commands required:

Enable the feature globally:B2(su)->set dhcpsnooping enable
Enable the feature on at least one VLAN:B2(su)->set dhcpsnooping vlan enable
Configure the trusted ports through which valid DHCP server packets will be sourced (12682). Typically these are uplinks that are in the data path to the actual DHCP server:B2(su)->set dhcpsnooping trust port enable

The full DHCP Snooping command set (here, from a B2 running firmware 4.02.06.0001) permits the network administrator a relatively fine degree of control over this feature:
B2(su)->set dhcpsnooping ?

binding Add a static DHCP snooping binding [default: none]
database Configure DHCP snooping bindings store interval in
<15> to <86400> seconds range. [default: 300 seconds]
disable Disable DHCP snooping globally. [default: disable]
enable Enable DHCP snooping globally.
limit Configure rate limiting parameters on the port. [default: 15 pps]
log-invalid Enable logging of invalid packets. [default: disable]
trust Configure the interface as trusted or untrusted for
DHCP snooping. [default: disable]
verify Configure DHCP snooping to filter on source MAC
address. [default: enable]
vlan Enable DHCP snooping on a range of VLANs. [default: none]

B2(su)->clear dhcpsnooping ?

binding Clear DHCP snooping bindings
database Configure DHCP snooping bindings store interval in
<15> to <86400> seconds range.
limit Set rate limiting and burst interval to defaults 15
pps and 1 second respectivey .
statistics Clear DHCP snooping statistics

B2(su)->show dhcpsnooping ?

Press enter to execute the command.
binding Display DHCP snooping bindings.
database Display DHCP snooping Database persistency
configuration.
port Display DHCP Snooping Interface configuration.
statistics Display DHCP snooping statistics.

B2(su)->
For more background regarding the use and configuration of DHCP Snooping, please refer to the Configuration Guide or CLI Reference Guide for your product and firmware version.

See also: 11392 and 12196.

Workaround:

For the A4-Series and A2-Series, which do not support DHCP Snooping or Policy, DiffServ (5848) provides a means to perform a similar function, albeit in a less sophisticated manner. This sample configuration denies DHCP traffic sourced from any DHCP Server (destination port 68 traffic is server-to-client) plugged into port ge.1.1. Add this service to all ports that you wish to disallow for DHCP server attachment/operation:
#diffserv
set diffserv adminmode enable
set diffserv class create all classDHCP
set diffserv class match dstl4port number classDHCP 68
set diffserv policy create policyDropDHCP in
set diffserv policy class add policyDropDHCP classDHCP
set diffserv policy police style simple policyDropDHCP classDHCP 1000000 128
set diffserv policy police action conform drop policyDropDHCP classDHCP
set diffserv service add in ge.1.1 policyDropDHCP

topic SecureStack/G/D-Series Configuration to Block Packets From a Rogue DHCP Server in FAQs

SecureStack/G/D-Series Configuration to Block Packets From a Rogue DHCP Server